FW: StartCom inclusion request: next steps

2017-09-14 Thread Inigo Barreira via dev-security-policy
All, Obviously this is not the message we would like to read and will try to explain and rebate as much as possible some of the comments posted here. > > The Mozilla CA Certificates team has been considering what the appropriate > next steps are for the inclusion request from the CA "StartCom".

Re: FW: StartCom inclusion request: next steps

2017-09-14 Thread Nick Lamb via dev-security-policy
On Thursday, 14 September 2017 16:00:35 UTC+1, Inigo Barreira wrote: > Well, finally this is a business and I don't think none on this list is > working for free. At the end everyone has his/her salary, etc. But that was > not the main reason because getting included in the root programs takes t

Re: FW: StartCom inclusion request: next steps

2017-09-14 Thread Jakob Bohm via dev-security-policy
On 14/09/2017 17:05, Inigo Barreira wrote: All, ... We should add the existing Certnomis cross-signs to OneCRL to revoke all the existing certificates. As of 10th August (now a month ago) StartCom said they have 5 outstanding SSL certs which are valid due to the Certnomis cross- sign. I'

RE: FW: StartCom inclusion request: next steps

2017-09-15 Thread Inigo Barreira via dev-security-policy
2017 1:22 > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: FW: StartCom inclusion request: next steps > > On Thursday, 14 September 2017 16:00:35 UTC+1, Inigo Barreira wrote: > > Well, finally this is a business and I don't think none on this list is > >

RE: FW: StartCom inclusion request: next steps

2017-09-15 Thread Inigo Barreira via dev-security-policy
> On 14/09/2017 17:05, Inigo Barreira wrote: > > All, > > > > ... > >> > >> We should add the existing Certnomis cross-signs to OneCRL to revoke > >> all the existing certificates. As of 10th August (now a month ago) > >> StartCom said they have 5 outstanding SSL certs which are valid > >> due

Re: FW: StartCom inclusion request: next steps

2017-09-15 Thread James Burton via dev-security-policy
> Those tests were done to check the CT behaviour, there was any other testing > of the new systems, just for the CT. Those certs were under control all the > time and were lived for some minutes because were revoked immediately after > checking the certs were logged correctly in the CTs. It's n

RE: FW: StartCom inclusion request: next steps

2017-09-15 Thread Inigo Barreira via dev-security-policy
> > > Those tests were done to check the CT behaviour, there was any other > testing of the new systems, just for the CT. Those certs were under control > all > the time and were lived for some minutes because were revoked immediately > after checking the certs were logged correctly in the CTs. I

Re: FW: StartCom inclusion request: next steps

2017-09-15 Thread James Burton via dev-security-policy
On Friday, September 15, 2017 at 10:56:11 AM UTC+1, Inigo Barreira wrote: > > > > > Those tests were done to check the CT behaviour, there was any other > > testing of the new systems, just for the CT. Those certs were under control > > all > > the time and were lived for some minutes because wer

Re: FW: StartCom inclusion request: next steps

2017-09-15 Thread James Burton via dev-security-policy
On Friday, September 15, 2017 at 12:30:00 PM UTC+1, James Burton wrote: > On Friday, September 15, 2017 at 10:56:11 AM UTC+1, Inigo Barreira wrote: > > > > > > > Those tests were done to check the CT behaviour, there was any other > > > testing of the new systems, just for the CT. Those certs were

RE: FW: StartCom inclusion request: next steps

2017-09-15 Thread Inigo Barreira via dev-security-policy
> > > > > > > Those tests were done to check the CT behaviour, there was any > > > > other > > > testing of the new systems, just for the CT. Those certs were under > > > control all the time and were lived for some minutes because were > > > revoked immediately after checking the certs were logged

RE: FW: StartCom inclusion request: next steps

2017-09-15 Thread Inigo Barreira via dev-security-policy
> Hi Inigo, > > To add from the last post. > > I know this is unwelcome news to you but I feel that with all these incidents > happening right now with Symantec and the incidents before, we can't really > take any more chances. Every incident is eroding trust in this system and if > we > want mo

Re: FW: StartCom inclusion request: next steps

2017-09-15 Thread Gervase Markham via dev-security-policy
Hi Inigo, On 14/09/17 16:05, Inigo Barreira wrote: > Those tests were done to check the CT behaviour, there was any other testing > of the new systems, just for the CT. Is there any reason those tests could not have been done using a parallel testing hierarchy (other than the fact that you hadn

Re: FW: StartCom inclusion request: next steps

2017-09-15 Thread Gervase Markham via dev-security-policy
On 15/09/17 09:24, Inigo Barreira wrote: > AFAIK, Certinomis only disclosed in the CCADB That means it's published and available. As noted in my other reply, information as to exactly what this cross-sign enables trust for would be most helpful, as I may have misunderstood previous statements on

Re: FW: StartCom inclusion request: next steps

2017-09-15 Thread Gervase Markham via dev-security-policy
On 15/09/17 11:01, Inigo Barreira wrote: > Considering that we were distrusted, that we didn't reapply for > inclusion, that CT is only required by Chrome and it's not included > in the Mozilla policy (even we were requested that all of our certs > had to be CT logged) nor required by Firefox, tha

RE: FW: StartCom inclusion request: next steps

2017-09-15 Thread Inigo Barreira via dev-security-policy
> On 15/09/17 11:01, Inigo Barreira wrote: > > Considering that we were distrusted, that we didn't reapply for > > inclusion, that CT is only required by Chrome and it's not included > > in the Mozilla policy (even we were requested that all of our certs > > had to be CT logged) nor required by Fi

Re: FW: StartCom inclusion request: next steps

2017-09-15 Thread Alex Gaynor via dev-security-policy
I'm fairly confused by your answers, if the only thing you tested in production was CT, why was the system issuing non-compliant certs? Why did production CT testing come before having established, tested, and verified a compliant certificate profile? Alex On Fri, Sep 15, 2017 at 10:35 AM, Inigo

RE: FW: StartCom inclusion request: next steps

2017-09-15 Thread Inigo Barreira via dev-security-policy
; James Burton ; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: FW: StartCom inclusion request: next steps I'm fairly confused by your answers, if the only thing you tested in production was CT, why was the system issuing non-compliant certs? Why did production CT testing

RE: FW: StartCom inclusion request: next steps

2017-09-15 Thread Inigo Barreira via dev-security-policy
> > Hi Inigo, > > On 14/09/17 16:05, Inigo Barreira wrote: > > Those tests were done to check the CT behaviour, there was any other > testing of the new systems, just for the CT. > > Is there any reason those tests could not have been done using a parallel > testing hierarchy (other than the fac

Re: FW: StartCom inclusion request: next steps

2017-09-15 Thread Ryan Sleevi via dev-security-policy
On Fri, Sep 15, 2017 at 12:30 PM, Inigo Barreira via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > > > Hi Inigo, > > > > On 14/09/17 16:05, Inigo Barreira wrote: > > > Those tests were done to check the CT behaviour, there was any other > > testing of the new systems, jus

Re: FW: StartCom inclusion request: next steps

2017-09-17 Thread Eric Mill via dev-security-policy
I didn't understand the original below comment by StartCom very well about the cross-sign, but after Ryan's message I understand it better in retrospect: > On Thu, Sep 14, 2017 at 11:05 AM, Inigo Barreira via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > I've never said t

Re: FW: StartCom inclusion request: next steps

2017-09-18 Thread Ryan Sleevi via dev-security-policy
On Mon, Sep 18, 2017 at 8:12 AM, Inigo Barreira wrote: > > We are not seeking to identify personal blame. We are seeking to > understand what, if any, improvements have been made to address such > issues. In reading this thread, I have difficulty finding any discussion > about the steps that Start

Re: FW: StartCom inclusion request: next steps

2017-09-18 Thread Franck Leroy via dev-security-policy
Le lundi 18 septembre 2017 14:52:27 UTC+2, Ryan Sleevi a écrit : > On Mon, Sep 18, 2017 at 8:12 AM, Inigo Barreira <> > wrote: > Then they misissued a CA certificate and failed to disclose it, and we > should start an incident report into it. Hello In April 2017 the mozilla policy in force (v2.4)

Re: FW: StartCom inclusion request: next steps

2017-09-18 Thread Nick Lamb via dev-security-policy
On Monday, 18 September 2017 15:50:16 UTC+1, Franck Leroy wrote: > This control that StartCom was not allowed to use our path was technical in > place by the fact that I was the only one to have the intermediate cross > signed certificates, stored (retained) in my personal safe. I see. Three (g

Re: FW: StartCom inclusion request: next steps

2017-09-19 Thread Gervase Markham via dev-security-policy
On 15/09/17 15:35, Inigo Barreira wrote: > No, those weren't tests. We allowed the use of curves permitted by the BRs > but this issue came up in the mozilla policy (I think Arkadiusz posted) and I > also asked about it in the last CABF F2F (I asked Ryan about it) and then, > with that outcome a

Re: FW: StartCom inclusion request: next steps

2017-09-19 Thread Gervase Markham via dev-security-policy
Hi Franck, On 18/09/17 15:49, Franck Leroy wrote: > Our understanding in April was that as long as StartCom is not > allowed by Certinomis to issue EE certs, the disclosure was not > mandated immediately. I think that we need to establish a timeline of the exact events involved here. But I would

Re: FW: StartCom inclusion request: next steps

2017-09-19 Thread Gervase Markham via dev-security-policy
Hi Inigo, On 15/09/17 17:30, Inigo Barreira wrote: > There wasn't a lack of integrity and monitoring, of course not. All PKI logs > were and are signed, it's just the auditors wanted to add the integrity to > other systems which is not so clear that should have this enabled. For > example, if y

RE: FW: StartCom inclusion request: next steps

2017-09-19 Thread Inigo Barreira via dev-security-policy
Hi Gerv > > But once the cross-signed cert is publicly available (and it is; it's in CT, > however it got there), all of those certificates become trusted (or > potentially > trusted, if the owner reconfigures their webserver to serve the intermediate, > or if Firefox has already encountered it
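The point raised in Jakob Bohm's message above (put the Certinomis cross-signs in OneCRL to cut off the certificates that chain through them) and in Gerv's quoted reply (once the cross-signed intermediate is public, every certificate issued under that intermediate key becomes trusted, or potentially trusted, under the cross-signing root) is easy to see in a toy hierarchy. The following is an added example, written for this page using Go's standard crypto/x509 path builder; it is not code from the thread, from StartCom or from Certinomis. It builds two unrelated roots ("Root A", "Root B"), one intermediate key that Root A certifies normally and Root B cross-certifies, and a leaf for the constructed name "example.test". The intermediate pool passed to the verifier stands in for whatever intermediates the server serves or the client has cached; the block list keyed by issuer name plus serial is a simplified stand-in for a OneCRL-style entry, not Firefox's actual implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// pki is a constructed, throw-away hierarchy with no relation to any real CA:
// two independent roots, one intermediate key certified by both of them
// (the second certificate being the cross-sign), and one leaf.
type pki struct {
	RootA, RootB *x509.Certificate
	IntA         *x509.Certificate // intermediate as issued by Root A
	IntCross     *x509.Certificate // same subject and key, issued by Root B
	Leaf         *x509.Certificate
}

var nextSerial int64 = 1000

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with signer on behalf of parent (parent == tmpl for a root).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.SerialNumber = big.NewInt(nextSerial)
	nextSerial++
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func caTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{
		Subject:               pkix.Name{CommonName: cn},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func buildPKI() *pki {
	rootAKey, rootBKey, intKey, leafKey := newKey(), newKey(), newKey(), newKey()
	ta := caTemplate("Root A") // hypothetical names, constructed for this example
	rootA := issue(ta, ta, &rootAKey.PublicKey, rootAKey)
	tb := caTemplate("Root B")
	rootB := issue(tb, tb, &rootBKey.PublicKey, rootBKey)
	// The intermediate's subject and key are identical in both certificates;
	// only the issuer and signature differ. That is what a cross-sign is.
	intA := issue(caTemplate("Intermediate"), rootA, &intKey.PublicKey, rootAKey)
	intCross := issue(caTemplate("Intermediate"), rootB, &intKey.PublicKey, rootBKey)
	leafTmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: "example.test"},
		DNSNames:    []string{"example.test"},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// The leaf is issued once by the intermediate key; nothing about it
	// changes when a cross-sign for that key appears later.
	leaf := issue(leafTmpl, intA, &leafKey.PublicKey, intKey)
	return &pki{rootA, rootB, intA, intCross, leaf}
}

// chainsUnder asks the path builder whether leaf chains to root using only
// the supplied intermediates (the ones served by the site or cached locally).
func chainsUnder(leaf, root *x509.Certificate, inters []*x509.Certificate) ([][]*x509.Certificate, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	pool := x509.NewCertPool()
	for _, c := range inters {
		pool.AddCert(c)
	}
	return leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool, DNSName: "example.test"})
}

// blockKey identifies one specific certificate by issuer name plus serial,
// which pins the cross-sign itself rather than the shared intermediate key.
func blockKey(c *x509.Certificate) string {
	return fmt.Sprintf("%x|%s", c.RawIssuer, c.SerialNumber)
}

// acceptedChains drops every chain that passes through a blocked certificate.
func acceptedChains(chains [][]*x509.Certificate, blocked map[string]bool) [][]*x509.Certificate {
	var out [][]*x509.Certificate
	for _, ch := range chains {
		ok := true
		for _, c := range ch {
			if blocked[blockKey(c)] {
				ok = false
				break
			}
		}
		if ok {
			out = append(out, ch)
		}
	}
	return out
}

func main() {
	p := buildPKI()
	_, err := chainsUnder(p.Leaf, p.RootB, []*x509.Certificate{p.IntA})
	fmt.Println("under Root B without the cross-sign:", err)
	chains, err := chainsUnder(p.Leaf, p.RootB, []*x509.Certificate{p.IntCross})
	fmt.Println("under Root B once the cross-sign is available:", err == nil, len(chains), "chain(s)")
	blocked := map[string]bool{blockKey(p.IntCross): true}
	fmt.Println("after blocking the cross-sign by issuer+serial:", len(acceptedChains(chains, blocked)), "chain(s)")
}
```

The leaf never changes: whether it is trusted under Root B depends only on whether the cross-signed intermediate can be found, and a block-list entry for that one certificate (issuer plus serial) removes the path again without touching the leaf or the intermediate key's other certificate.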

Re: FW: StartCom inclusion request: next steps

2017-09-19 Thread Franck Leroy via dev-security-policy
Le lundi 18 septembre 2017 17:28:44 UTC+2, Nick Lamb a écrit : > On Monday, 18 September 2017 15:50:16 UTC+1, Franck Leroy wrote: > > This control that StartCom was not allowed to use our path was technical in > > place by the fact that I was the only one to have the intermediate cross > > signe

Re: FW: StartCom inclusion request: next steps

2017-09-19 Thread James Burton via dev-security-policy
On Tuesday, September 19, 2017 at 3:46:09 PM UTC+1, Franck Leroy wrote: > Le lundi 18 septembre 2017 17:28:44 UTC+2, Nick Lamb a écrit : > > On Monday, 18 September 2017 15:50:16 UTC+1, Franck Leroy wrote: > > > This control that StartCom was not allowed to use our path was technical > > > in pla

Re: FW: StartCom inclusion request: next steps

2017-09-19 Thread Nick Lamb via dev-security-policy
On Tuesday, 19 September 2017 15:46:09 UTC+1, Franck Leroy wrote: > 1/ When we use our root, we produce a key ceremony report. > 2/ The signature value doesn't appear in the report so it is not possible to > reproduce the certificate. > 3/ My safe is in a closet which I don't have the key, so I

Re: FW: StartCom inclusion request: next steps

2017-09-19 Thread userwithuid via dev-security-policy
On Tue, Sep 19, 2017 at 3:09 PM, Nick Lamb via dev-security-policy wrote: > I have no doubt that this was obvious to people who have worked for a public > CA, but it wasn't obvious to me, so thank you for answering. I think these > answers give us good reason to be confident that a cross-signed