Re: TLS certificates for ECIES keys

2020-11-04 Thread Jacob Hoffman-Andrews via dev-security-policy
Thanks to all here for the useful feedback. We've decided not to issue publicly trusted TLS certificates carrying keys for use in ECIES. On Thu, Oct 29, 2020 at 11:06 AM Jacob Hoffman-Andrews wrote: > Hi all, > > ISRG is working with Apple and Google to deploy Prio, a > "privacy-preserving syste

TLS certificates for ECIES keys

2020-10-29 Thread Jacob Hoffman-Andrews via dev-security-policy
Hi all, ISRG is working with Apple and Google to deploy Prio, a "privacy-preserving system for the collection of aggregate statistics:" https://crypto.stanford.edu/prio/. Mozilla has previously demonstrated Prio for use with telemetry data: https://hacks.mozilla.org/2018/10/testing-privacy-preserv

Re: Let's Encrypt: 302 total OCSP responses served beyond acceptable timelines

2020-10-06 Thread Jacob Hoffman-Andrews via dev-security-policy
On Sat, Sep 26, 2020 at 9:09 PM Nick Lamb via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Let's Encrypt provides a community mutual assistance site (with > contributions from staff) on which a large volume of messages are > posted each day. > > https://community.letsencry

Re: Plans for new ECDSA root and new intermediates from Let's Encrypt

2020-09-01 Thread Jacob Hoffman-Andrews via dev-security-policy
Update on this: Thanks to the excellent zmap/zlint tool, we realized we were missing the digitalSignature keyUsage on our planned new intermediates. We've updated the demo repo and our forum post ( https://community.letsencrypt.org/t/detailed-2020-hierarchy/131019) to indicate that we plan to inclu

Plans for new ECDSA root and new intermediates from Let's Encrypt

2020-08-25 Thread Jacob Hoffman-Andrews via dev-security-policy
Let’s Encrypt is planning to issue a new root and new intermediates soon. The new root will be an ECDSA one, to augment our existing RSA root. The new intermediates will be part of our regular replacement of intermediates. Our RSA root will cross-sign the ECDSA root. We’re sharing our detailed iss

Re: 2020.02.29 Let's Encrypt CAA Rechecking Bug

2020-03-03 Thread Jacob Hoffman-Andrews via dev-security-policy
We've posted our Incident Report at https://bugzilla.mozilla.org/show_bug.cgi?id=1619047#c1. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy

Re: 2020.02.29 Let's Encrypt CAA Rechecking Bug

2020-02-29 Thread Jacob Hoffman-Andrews via dev-security-policy
On Saturday, February 29, 2020 at 4:10:40 AM UTC-8, Nick Lamb wrote: > Hi Jacob, was there a reason not to use the ordinary incident reporting > format ? This is pretty good for ensuring you cover all the questions > we're otherwise likely to ask anyway. Thanks for the reminder. My goal here was t

2020.02.29 Let's Encrypt CAA Rechecking Bug

2020-02-28 Thread Jacob Hoffman-Andrews via dev-security-policy
Also posted to https://bugzilla.mozilla.org/show_bug.cgi?id=1619047 On 2020-02-29 UTC, Let’s Encrypt found a bug in our CAA code. Our CA software, Boulder, checks for CAA records at the same time it validates a subscriber’s control of a domain name. Most subscribers issue a certificate immediat

2019.08.28 Let’s Encrypt OCSP Responder Returned “Unauthorized” for Some Precertificates

2019-08-29 Thread Jacob Hoffman-Andrews via dev-security-policy
Also filed at https://bugzilla.mozilla.org/show_bug.cgi?id=1577652 On 2019.08.28 we read Apple’s bug report at https://bugzilla.mozilla.org/show_bug.cgi?id=1577014 about DigiCert’s OCSP responder returning incorrect results for a precertificate. This prompted us to run our own investigation. We