Re: Certinomis Issues

2019-05-28 Thread Ryan Sleevi via dev-security-policy
On Tue, May 28, 2019 at 1:03 PM Nick Lamb via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > If they shove a valid but nonsensical policy OID into a cert I don't know > what Mozilla policy about that would be, but certainly the browser and > common TLS clients will just

Re: Certinomis Issues

2019-05-28 Thread Nick Lamb via dev-security-policy
PSD2 is the Payment Services Directive 2 a Directive from the European Union. Directives aren't legislation per se, but tell the member states to write their own legislation to achieve some agreed outcome. Many things you think of as EU laws are actually Directives, as a citizen the broad effect

Re: Certinomis Issues

2019-05-28 Thread Hanno Böck via dev-security-policy
Hi, I just saw this on Twitter: https://twitter.com/sam280/status/1133008218677022722 And later in the thread: https://twitter.com/sam280/status/1133112699385257985 The first tweet points out that Certinomis seems to use wrong OIDs in their certs (quote "Of course the first invalid #PSD2 #QWAC

Re: Certinomis Issues

2019-05-23 Thread Kathleen Wilson via dev-security-policy
On 5/16/19 4:39 PM, Wayne Thayer wrote: On Thu, May 16, 2019 at 4:23 PM Wayne Thayer wrote: I will soon file a bug requesting removal of the “Certinomis - Root CA” from NSS. This is https://bugzilla.mozilla.org/show_bug.cgi?id=1552374 Thank you to Wayne and all of you who have

Re: Certinomis Issues

2019-05-17 Thread Jakob Bohm via dev-security-policy
On 17/05/2019 07:21, Jakob Bohm wrote: > On 17/05/2019 01:39, Wayne Thayer wrote: >> On Thu, May 16, 2019 at 4:23 PM Wayne Thayer wrote: >> >> I will soon file a bug requesting removal of the “Certinomis - Root CA” >>> from NSS. >>> >> >> This is

Re: Certinomis Issues

2019-05-17 Thread Ryan Sleevi via dev-security-policy
On Fri, May 17, 2019 at 1:21 AM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > On 17/05/2019 01:39, Wayne Thayer wrote: > > On Thu, May 16, 2019 at 4:23 PM Wayne Thayer > wrote: > > > > I will soon file a bug requesting removal of the “Certinomis - Root CA”

Re: Certinomis Issues

2019-05-16 Thread Jakob Bohm via dev-security-policy
On 17/05/2019 01:39, Wayne Thayer wrote: On Thu, May 16, 2019 at 4:23 PM Wayne Thayer wrote: I will soon file a bug requesting removal of the “Certinomis - Root CA” from NSS. This is https://bugzilla.mozilla.org/show_bug.cgi?id=1552374 To more accurately assess the impact of distrust,

Re: Certinomis Issues

2019-05-16 Thread Wayne Thayer via dev-security-policy
On Thu, May 16, 2019 at 4:23 PM Wayne Thayer wrote: I will soon file a bug requesting removal of the “Certinomis - Root CA” > from NSS. > This is https://bugzilla.mozilla.org/show_bug.cgi?id=1552374

Re: Certinomis Issues

2019-05-16 Thread Wayne Thayer via dev-security-policy
I would like to thank everyone for your constructive input during this discussion. Since my post last week suggesting two options for distrusting the existing Certinomis root, a number of events have occurred, including the following: * Certinomis confirmed that they have implemented pre-issuance

Re: Certinomis Issues

2019-05-14 Thread Andrew Ayer via dev-security-policy
I would like to highlight the many examples of Certinomis' poor incident response. Sometimes Certinomis ignores problems entirely - for example, in , a misissued certificate is still unrevoked and unacknowledged three months after being

Re: Certinomis Issues

2019-05-13 Thread Matt Palmer via dev-security-policy
On Mon, May 13, 2019 at 02:35:51PM -0700, fchassery--- via dev-security-policy wrote: > Issue A found its source in the good relationships between Franck and > Iñigo, who both are no more in charge; Is the only change to address Issue A the removal of Franck from a position of leadership within

Re: Certinomis Issues

2019-05-13 Thread fchassery--- via dev-security-policy
Issue C: there is now a team (not a single man) in charge of audits. Issue D: the CP is currently under revision, and later in translation, in response to the Certinomis’ Issues page; and afterwards it will be followed by the contact person and controlled by the audit team, that will maintain the qualit

Re: Certinomis Issues

2019-05-11 Thread okaphone.elektronika--- via dev-security-policy
On Friday, 10 May 2019 19:00:11 UTC+2, Wayne Thayer wrote: ... > I share the concern that option #2 sends a confusing message. As Jonathan > stated, why should we distrust a CA for all but the most important websites > they secure? I'd say that both "too big to fail" and "too important to

Re: Certinomis Issues

2019-05-10 Thread Matt Palmer via dev-security-policy
On Fri, May 10, 2019 at 09:59:48AM -0700, Wayne Thayer via dev-security-policy wrote: > > On Tue, May 7, 2019 at 7:48 PM Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > >> To continue to participate in the Mozilla CA program, I recommend that we > >>

Re: Certinomis Issues

2019-05-10 Thread Wayne Thayer via dev-security-policy
On Wed, May 8, 2019 at 10:32 AM Ryan Sleevi wrote: > > On Tue, May 7, 2019 at 7:48 PM Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > >> To continue to participate in the Mozilla CA program, I recommend that we >> require Certinomis to create a new

Re: Certinomis Issues

2019-05-10 Thread Wayne Thayer via dev-security-policy
On Fri, May 10, 2019 at 8:09 AM fchassery--- via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > Dear Wayne, > > I’m not arguing that signing the new Startom root was a mistake. In fact, > as soon as we were told, we backed off. > Our understanding at that time was that the

Re: Certinomis Issues

2019-05-10 Thread fchassery--- via dev-security-policy
On Friday, 10 May 2019 06:37:11 UTC+2, Wayne Thayer wrote: > On Thu, May 9, 2019 at 8:56 PM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > > > On 10/05/2019 02:22, Wayne Thayer wrote: > > > Thank you for this response Francois. I have added it to the

Re: Certinomis Issues

2019-05-09 Thread Wayne Thayer via dev-security-policy
On Thu, May 9, 2019 at 8:56 PM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > On 10/05/2019 02:22, Wayne Thayer wrote: > > Thank you for this response Francois. I have added it to the issues list > > [1]. Because the response is not structured the same as the

Re: Certinomis Issues

2019-05-09 Thread Jakob Bohm via dev-security-policy
On 10/05/2019 02:22, Wayne Thayer wrote: Thank you for this response Francois. I have added it to the issues list [1]. Because the response is not structured the same as the issues list, I did not attempt to associate parts of the response with specific issues. I added the complete response to

Re: Certinomis Issues

2019-05-09 Thread Wayne Thayer via dev-security-policy
Thank you for this response Francois. I have added it to the issues list [1]. Because the response is not structured the same as the issues list, I did not attempt to associate parts of the response with specific issues. I added the complete response to the bottom of the page. On Thu, May 9, 2019

Re: Certinomis Issues

2019-05-09 Thread fchassery--- via dev-security-policy
seriously: since February the management of Certinomis was directly involved in the exchanges with the Mozilla community, decisions were made and are implemented. I acknowledge that I was surprised by the multiple topics that were grouped by Wayne THAYER on the CA/Certinomis issues page. I would

Re: Certinomis Issues

2019-05-08 Thread Ryan Sleevi via dev-security-policy
On Tue, May 7, 2019 at 7:48 PM Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > To continue to participate in the Mozilla CA program, I recommend that we > require Certinomis to create a new hierarchy and demonstrate their ability > to competently operate

Re: Certinomis Issues

2019-05-07 Thread Jonathan Rudenberg via dev-security-policy
On Tue, May 7, 2019, at 19:48, Wayne Thayer via dev-security-policy wrote: >2. > >Constrain it to use for gouv.fr domains in an upcoming Firefox release. > > > While there are only a few thousand unexpired TLS certificates (the root is > not trusted for email) known to chain to this

Re: Certinomis Issues

2019-05-07 Thread Wayne Thayer via dev-security-policy
Since I began this discussion, additional recent misissuances by Certinomis have been discovered and reported. [1] [2] [3] One investigation [1] led us to suspect that Certinomis had continued to employ BR domain validation method 3.2.2.4.5 after it was banned [4]. A former Certinomis employee

Re: Certinomis Issues

2019-05-02 Thread mono.riot--- via dev-security-policy
> But does EN 319 401, as it existed in 2016/2017 incorporate a clause to > apply all "future" updates to the CAB/F regulations or otherwise cover > all BRs applicable to the 2016/2017 timespan? Interesting question. Would it have to explicitly claim to incorporate any future updates? Or would

Re: Certinomis Issues

2019-05-02 Thread mono.riot--- via dev-security-policy
On Thursday, May 2, 2019 at 1:11:20 AM UTC+2, Wayne Thayer wrote: > Correct - 319 411 was (and still is) the Mozilla audit requirement. > > [1] https://bug937589.bmoattachments.org/attachment.cgi?id=8898169 Thanks for the clarification Wayne.

Re: Certinomis Issues

2019-05-01 Thread Wayne Thayer via dev-security-policy
On Wed, May 1, 2019 at 3:25 PM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > On 01/05/2019 22:29, mono.r...@gmail.com wrote: > >> 2017 assessment report > >> LSTI didn't issue to Certinomis any "audit attestation" for the > browsers in 2017. The document

Re: Certinomis Issues

2019-05-01 Thread Jakob Bohm via dev-security-policy
On 01/05/2019 22:29, mono.r...@gmail.com wrote: 2017 assessment report LSTI didn't issue to Certinomis any "audit attestation" for the browsers in 2017. The document Wayne references is a "Conformity Assessment Report" for the eIDAS regulation. I had a look at the 2017 report, and unless I

Re: Certinomis Issues

2019-05-01 Thread mono.riot--- via dev-security-policy
> 2017 assessment report > LSTI didn't issue to Certinomis any "audit attestation" for the browsers in > 2017. The document Wayne references is a "Conformity Assessment Report" for > the eIDAS regulation. I had a look at the 2017 report, and unless I misread, it implies conformity to ETSI EN

Re: Certinomis Issues

2019-05-01 Thread philbouchet35--- via dev-security-policy
On Thursday, 25 April 2019 21:19:34 UTC+2, Wayne Thayer wrote: > Since this is a separate, serious issue, I filed a new bug and requested an > incident report: https://bugzilla.mozilla.org/show_bug.cgi?id=1547072 > > I added this to the issues list as Issue G: >

Re: Certinomis Issues

2019-04-25 Thread Wayne Thayer via dev-security-policy
Since this is a separate, serious issue, I filed a new bug and requested an incident report: https://bugzilla.mozilla.org/show_bug.cgi?id=1547072 I added this to the issues list as Issue G: https://wiki.mozilla.org/CA/Certinomis_Issues I also added a summary of the response received yesterday

Re: Certinomis Issues

2019-04-25 Thread Ryan Sleevi via dev-security-policy
On Wed, Apr 17, 2019 at 5:22 PM Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > Yesterday, Andrew Ayer filed a bug [1] identifying 14 pre-certificates > issued by Certinomis in February 2019 containing an unregistered domain > name. Since the cause described

Re: Certinomis Issues

2019-04-18 Thread Matt Palmer via dev-security-policy
On Thu, Apr 18, 2019 at 12:29:05PM -0700, Wayne Thayer via dev-security-policy wrote: > Yesterday, Andrew Ayer reported two additional misissued certificates: > > * Space in SAN, issued yesterday: > https://bugzilla.mozilla.org/show_bug.cgi?id=1539531#c7 I'm starting to think Certinomis really

Re: Certinomis Issues

2019-04-18 Thread Wayne Thayer via dev-security-policy
Yesterday, Andrew Ayer reported two additional misissued certificates: * Space in SAN, issued yesterday: https://bugzilla.mozilla.org/show_bug.cgi?id=1539531#c7 * O=Entreprise TEST, issued in January: https://bugzilla.mozilla.org/show_bug.cgi?id=1496088#c20 I've added these to the issues list.

Re: Certinomis Issues

2019-04-17 Thread Paul Kehrer via dev-security-policy
A publicly trusted CA is expected to demonstrate technical competence around validation, issuance, and security of their infrastructure. When non-compliant issuance occurs the community should expect any well operated CA to rapidly detect, remediate the issue, and perform a root cause analysis

Re: Certinomis Issues

2019-04-17 Thread Wayne Thayer via dev-security-policy
Yesterday, Andrew Ayer filed a bug [1] identifying 14 pre-certificates issued by Certinomis in February 2019 containing an unregistered domain name. Since the cause described in the incident report is similar, I added this under issue F.1. On Tue, Apr 16, 2019 at 11:44 AM Wayne Thayer wrote: >

Certinomis Issues

2019-04-16 Thread Wayne Thayer via dev-security-policy
Mozilla has decided that there is sufficient concern [1] about the activities and operations of the CA Certinomis to collect together a list of issues. That list can be found here: https://wiki.mozilla.org/CA/Certinomis_Issues Note that this list may expand or contract over time as issues are