Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

On 3/18/20 5:16 PM, Ryan Sleevi wrote: Suggestions: 1) Rename "Audit Delay" to [audit-delay] and rename "Audit Delay COVID-19" to [audit-delay] [covid-19] or [audit-delay-covid-19], depending Rationale: In general, our filters work on word searches, so the brackets brackets help distinguish the

Re: DFN-Verein: CPS/CP link in CCADB not in English

On Thu, Mar 19, 2020 at 7:06 PM Matt Palmer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Thu, Mar 19, 2020 at 12:33:29PM -0400, Ryan Sleevi wrote: > > I'm not sure an incident report is necessary. The CCADB policy allows > both > > to be provided, and the

Re: DFN-Verein: CPS/CP link in CCADB not in English

On Thu, Mar 19, 2020 at 12:33:29PM -0400, Ryan Sleevi wrote: > I'm not sure an incident report is necessary. The CCADB policy allows both > to be provided, and the mechanisms that CCADB uses (both for CAs and for > Root Stores) permit a host of expressiveness (and further changes are being >

Re: DFN-Verein: CPS/CP link in CCADB not in English

Matt, I'm not sure an incident report is necessary. The CCADB policy allows both to be provided, and the mechanisms that CCADB uses (both for CAs and for Root Stores) permit a host of expressiveness (and further changes are being made). While there is certainly benefit in highlighting the

Re: Is issuing a certificate for a previously-reported compromised private key misissuance?

On Thu, Mar 19, 2020 at 9:58 AM Wojtek Porczyk wrote: > On Thu, Mar 19, 2020 at 05:30:31AM -0500, Ryan Sleevi via > dev-security-policy wrote: > > [...] but given that some negligent and > > irresponsible CAs kept agitating to reduce revocation requirements than > > protect users, the ballot was

Re: Microsec: Issuance of 2 IVCP precertificates without givenName, surName, localityName fields

> > - Microsec will check all the issued IVCP certificates looking for similar > issues - deadline 2020-03-20 > Microsec has finished the detailed investigation on the issued TLS IVCP certificates looking for similar issues. The findings are the following: Microsec issued altogether 9 test

Re: Is issuing a certificate for a previously-reported compromised private key misissuance?

On Thu, Mar 19, 2020 at 05:30:31AM -0500, Ryan Sleevi via dev-security-policy wrote: > [...] but given that some negligent and > irresponsible CAs kept agitating to reduce revocation requirements than > protect users, the ballot was kept simple. > [...] I worry the same set of negligent and

RE: Is issuing a certificate for a previously-reported compromised private key misissuance?

Has anyone worked with a site/service like this that could help convey compromised keys between CAs? https://pwnedkeys.com/submit.html -Original Message- From: dev-security-policy On Behalf Of Matt Palmer via dev-security-policy Sent: Thursday, March 19, 2020 7:05 AM To:

Re: DFN-Verein: CPS/CP link in CCADB not in English

On Thu, Mar 19, 2020 at 11:10:05AM +, arnold.ess...@t-systems.com wrote: > Thanks for pointing it out. We changed the links so that they now refer > to the English version of the CP and CPS. Thanks for the quick update. Do you have an ETA for the preliminary incident report? - Matt

AW: DFN-Verein: CPS/CP link in CCADB not in English

Thanks for pointing it out. We changed the links so that they now refer to the English version of the CP and CPS. -Ursprüngliche Nachricht- Von: dev-security-policy Im Auftrag von Matt Palmer via dev-security-policy Gesendet: Donnerstag, 19. März 2020 10:56 An:

Re: Is issuing a certificate for a previously-reported compromised private key misissuance?

On Thu, Mar 19, 2020 at 05:30:31AM -0500, Ryan Sleevi wrote: > On Thu, Mar 19, 2020 at 1:02 AM Matt Palmer via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > 2. If there are not explicit prohibitions already in place, *should* there > >be? If so, should it be a BR

Re: Is issuing a certificate for a previously-reported compromised private key misissuance?

On Thu, Mar 19, 2020 at 1:02 AM Matt Palmer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Since I started requesting revocation for certificates with > known-compromised private keys, I've noticed a rather disturbing pattern > emerging in a few cases: > > 1. I find a

DFN-Verein: CPS/CP link in CCADB not in English

As I understand the CCADB Policy (which is included by reference in the Mozilla Root Store Policy), CAs are required to provide an English translation of their CP/CPS documents, and link to them in the CCADB. At the time of writing, the "AllCertificateRecordsReport" CSV shows the link for the

Re: Is issuing a certificate for a previously-reported compromised private key misissuance?

On 2020-03-19 07:02, Matt Palmer wrote: 2. If there are not explicit prohibitions already in place, *should* there be? If so, should it be a BR thing, or a Policy thing? I think there should be. I expect them to publish a CRL that says the reason for revocation is a key compromise. I

Is issuing a certificate for a previously-reported compromised private key misissuance?

Since I started requesting revocation for certificates with known-compromised private keys, I've noticed a rather disturbing pattern emerging in a few cases: 1. I find a private key on the Internet. 2. I request revocation from the CA on the basis that the private key is compromised, and