Chunghwa Telecom eCA Root Inclusion Request

2018-05-18 Thread Wayne Thayer via dev-security-policy
This request is for inclusion of the Chunghwa Telecom eCA as documented in the following bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1341604
* BR Self Assessment is here: https://bugzilla.mozilla.org/attachment.cgi?id=8963172
* Summary of Information Gathered and Verified:

Re: Root Store Policy 2.6

2018-05-18 Thread Wayne Thayer via dev-security-policy
I have incorporated the final changes from our policy discussions, as well as some corrections and clarifications that Kathleen and I found during our review, into the latest draft of the policy: https://github.com/mozilla/pkipolicy/compare/master...2.6 I would encourage everyone to review the

Re: 2018.05.18 Let's Encrypt CAA tag value case sensitivity incident

2018-05-18 Thread jacob.hoffmanandrews--- via dev-security-policy
On Friday, May 18, 2018 at 10:52:25 AM UTC-7, Tim Hollebeek wrote:
> > Our logging of the CAA records processed does not provide the case
> > information we need to determine whether other issuances were affected by
> > this bug.
>
> We put a requirement in the BRs specifically so this problem

Incident Report - Domain validation by CNAME with omitted underscore

2018-05-18 Thread Robin Alden via dev-security-policy
This same information has also been posted to https://bugzilla.mozilla.org/show_bug.cgi?id=1461391 Andrew Ayer reported this problem report to mailto:sslab...@comodoca.com: <<< I was able to obtain a certificate from Comodo that was not properly validated under the Baseline Requirements, as

RE: 2018.05.18 Let's Encrypt CAA tag value case sensitivity incident

2018-05-18 Thread Tim Hollebeek via dev-security-policy
> Our logging of the CAA records processed does not provide the case
> information we need to determine whether other issuances were affected by
> this bug.

We put a requirement in the BRs specifically so this problem could not occur: "The CA SHALL log all actions taken, if any, consistent with

Re: 2018.05.18 Let's Encrypt CAA tag value case sensitivity incident

2018-05-18 Thread Jonathan Rudenberg via dev-security-policy
Oops, I missed item 1, disregard :)

On Fri, May 18, 2018, at 13:45, Jonathan Rudenberg via dev-security-policy wrote:
> On Fri, May 18, 2018, at 13:00, josh--- via dev-security-policy wrote:
> > 2. Performing a scan of current CAA records for the domain names we have
> > issued for in the past

Re: 2018.05.18 Let's Encrypt CAA tag value case sensitivity incident

2018-05-18 Thread Jonathan Rudenberg via dev-security-policy
On Fri, May 18, 2018, at 13:00, josh--- via dev-security-policy wrote:
> 2. Performing a scan of current CAA records for the domain names we have
> issued for in the past 90 days, specifically looking for tags in CAA
> records with non-lowercase characters. We’ll examine such instances on a
>

2018.05.18 Let's Encrypt CAA tag value case sensitivity incident

2018-05-18 Thread josh--- via dev-security-policy
At 12:45 UTC we received a report to our cert-prob-repo...@letsencrypt.org contact address that Let’s Encrypt was improperly handling CAA records with mixed case tags, resulting in mis-issuance under the baseline requirements. Thanks to Corey Bonnell of TrustWave for the report. RFC 6844