Re: Incident report D-TRUST: syntax error in one tls certificate

2018-12-09 Thread westmail24--- via dev-security-policy
Hello, will D-TRUST be removed in the future, or is this the last Chinese warning? :) Andrew.

Re: CA disclosure of revocations that exceed 5 days [Was: Re: Incident report D-TRUST: syntax error in one tls certificate]

2018-12-05 Thread Eric Mill via dev-security-policy
On Wed, Dec 5, 2018 at 2:36 AM Fotis Loukos via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > On 4/12/18 8:30 μ.μ., Ryan Sleevi via dev-security-policy wrote: > > On Tue, Dec 4, 2018 at 5:02 AM Fotis Loukos <me+mozdevsecpol...@fotisl.com> > > As far as I can tell, if no

Re: CA disclosure of revocations that exceed 5 days [Was: Re: Incident report D-TRUST: syntax error in one tls certificate]

2018-12-05 Thread Wayne Thayer via dev-security-policy
On Wed, Dec 5, 2018 at 3:48 AM Dimitris Zacharopoulos via dev-security-policy wrote: > On 5/12/2018 10:02 π.μ., Fotis Loukos wrote: > > > The proposal was apparently to further restrict the ability of CAs to > > make exceptions on their own, by requiring all such exceptions to go > > through the

Re: Incident report D-TRUST: syntax error in one tls certificate

2018-12-05 Thread Jakob Bohm via dev-security-policy
On 05/12/2018 01:05, Nick Lamb wrote: > On Tue, 4 Dec 2018 14:55:47 +0100 > Jakob Bohm via dev-security-policy > wrote: > >> Oh, so you meant "CA issuance systems and protocols with explicit >> automation features" (as opposed to e.g. web server systems or >> operating systems or site specific

Re: CA disclosure of revocations that exceed 5 days [Was: Re: Incident report D-TRUST: syntax error in one tls certificate]

2018-12-05 Thread Dimitris Zacharopoulos via dev-security-policy
On 5/12/2018 10:02 π.μ., Fotis Loukos wrote: On 4/12/18 8:29 μ.μ., Dimitris Zacharopoulos via dev-security-policy wrote: Fotis, You have quoted only one part of my message which doesn't capture the entire concept. I would appreciate it if you mentioned how exactly did I distort your proposal

Re: CA disclosure of revocations that exceed 5 days [Was: Re: Incident report D-TRUST: syntax error in one tls certificate]

2018-12-05 Thread Fotis Loukos via dev-security-policy
On 4/12/18 8:29 μ.μ., Dimitris Zacharopoulos via dev-security-policy wrote: > Fotis, > > You have quoted only one part of my message which doesn't capture the > entire concept. I would appreciate it if you mentioned how exactly did I distort your proposal and which parts that change the meaning

Re: Incident report D-TRUST: syntax error in one tls certificate

2018-12-04 Thread Nick Lamb via dev-security-policy
On Tue, 4 Dec 2018 14:55:47 +0100 Jakob Bohm via dev-security-policy wrote: > Oh, so you meant "CA issuance systems and protocols with explicit > automation features" (as opposed to e.g. web server systems or > operating systems or site specific subscriber automation systems). > That's why I

Re: CA disclosure of revocations that exceed 5 days [Was: Re: Incident report D-TRUST: syntax error in one tls certificate]

2018-12-04 Thread Ryan Sleevi via dev-security-policy
On Tue, Dec 4, 2018 at 1:29 PM Dimitris Zacharopoulos via dev-security-policy wrote: > I tried to highlight in this discussion that there were real cases in > m.d.s.p. where the revocation was delayed in practice. However, the > circumstances of these extended revocations remain unclear. Yet,

Re: CA disclosure of revocations that exceed 5 days [Was: Re: Incident report D-TRUST: syntax error in one tls certificate]

2018-12-04 Thread Ryan Sleevi via dev-security-policy
On Tue, Dec 4, 2018 at 5:02 AM Fotis Loukos wrote: > An initial comment is that statements such as "I disagree that CAs are > "doing their best" to comply with the rules." because some CAs are > indeed not doing their best is simply a fallacy in Ryan's argumentation, > the fallacy of

Re: CA disclosure of revocations that exceed 5 days [Was: Re: Incident report D-TRUST: syntax error in one tls certificate]

2018-12-04 Thread Dimitris Zacharopoulos via dev-security-policy
Fotis, You have quoted only one part of my message which doesn't capture the entire concept. CAs that mis-issue and must revoke these mis-issued certificates, already violated the BRs. Delaying revocation for more than what the BRs require, is also a violation. There was never doubt about

Re: CA disclosure of revocations that exceed 5 days [Was: Re: Incident report D-TRUST: syntax error in one tls certificate]

2018-12-04 Thread Fotis Loukos via dev-security-policy
Hello, On 4/12/18 4:30 μ.μ., Jakob Bohm via dev-security-policy wrote: > Hello to you too. > > It seems that you are both misunderstanding what the proposal was. > > The proposal was apparently to further restrict the ability of CAs to > make exceptions on their own, by requiring all such

Re: CA disclosure of revocations that exceed 5 days [Was: Re: Incident report D-TRUST: syntax error in one tls certificate]

2018-12-04 Thread Jakob Bohm via dev-security-policy
Hello to you too. It seems that you are both misunderstanding what the proposal was. The proposal was apparently to further restrict the ability of CAs to make exceptions on their own, by requiring all such exceptions to go through the public forums where the root programs can challenge or

Re: Incident report D-TRUST: syntax error in one tls certificate

2018-12-04 Thread Jakob Bohm via dev-security-policy
On 04/12/2018 13:36, Nick Lamb wrote: On Tue, 4 Dec 2018 07:56:12 +0100 Jakob Bohm via dev-security-policy wrote: Which systems? As far as I'm aware, any of the automated certificate issuance technologies can be used here, ACME is the one I'm most familiar with because it is going through

Re: Incident report D-TRUST: syntax error in one tls certificate

2018-12-04 Thread Nick Lamb via dev-security-policy
On Tue, 4 Dec 2018 07:56:12 +0100 Jakob Bohm via dev-security-policy wrote: > Which systems? As far as I'm aware, any of the automated certificate issuance technologies can be used here, ACME is the one I'm most familiar with because it is going through IETF standardisation and so we get to see

Re: CA disclosure of revocations that exceed 5 days [Was: Re: Incident report D-TRUST: syntax error in one tls certificate]

2018-12-04 Thread Fotis Loukos via dev-security-policy
Hello everybody, First of all, I would like to note that I am writing as an individual and my opinion does not necessarily represent the opinion of my employer. An initial comment is that statements such as "I disagree that CAs are "doing their best" to comply with the rules." because some CAs

Re: Incident report D-TRUST: syntax error in one tls certificate

2018-12-03 Thread Jakob Bohm via dev-security-policy
On 04/12/2018 05:38, Nick Lamb wrote: > On Tue, 4 Dec 2018 01:39:05 +0100 > Jakob Bohm via dev-security-policy > wrote: > >> A few clarifications below >> Interesting. What is that hole? > > I had assumed that you weren't aware that you could just use these > systems as designed. Your

Re: Incident report D-TRUST: syntax error in one tls certificate

2018-12-03 Thread Nick Lamb via dev-security-policy
On Tue, 4 Dec 2018 01:39:05 +0100 Jakob Bohm via dev-security-policy wrote: > A few clarifications below > Interesting. What is that hole? I had assumed that you weren't aware that you could just use these systems as designed. Your follow-up clarifies that you believe doing this is unsafe. I

Re: Incident report D-TRUST: syntax error in one tls certificate

2018-12-03 Thread Jakob Bohm via dev-security-policy
A few clarifications below On 30/11/2018 10:48, Nick Lamb wrote: > On Wed, 28 Nov 2018 22:41:37 +0100 > Jakob Bohm via dev-security-policy > wrote: > >> I blame those standards for forcing every site to choose between two >> unfortunate risks, in this case either the risks prevented by those >>

Re: Incident report D-TRUST: syntax error in one tls certificate

2018-12-01 Thread Eric Mill via dev-security-policy
On Wed, Nov 28, 2018 at 4:41 PM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > On 27/11/2018 00:54, Ryan Sleevi wrote: > > On Mon, Nov 26, 2018 at 12:12 PM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > > > >> 2.

Re: CA disclosure of revocations that exceed 5 days [Was: Re: Incident report D-TRUST: syntax error in one tls certificate]

2018-11-30 Thread Ryan Sleevi via dev-security-policy
On Fri, Nov 30, 2018 at 4:24 AM Dimitris Zacharopoulos wrote: > > > On 30/11/2018 1:49 π.μ., Ryan Sleevi wrote: > > > > On Thu, Nov 29, 2018 at 4:03 PM Dimitris Zacharopoulos via > dev-security-policy wrote: > >> I didn't want to hijack the thread so here's a new one. >> >> >> Times and

Re: Incident report D-TRUST: syntax error in one tls certificate

2018-11-30 Thread Nick Lamb via dev-security-policy
On Wed, 28 Nov 2018 22:41:37 +0100 Jakob Bohm via dev-security-policy wrote: > I blame those standards for forcing every site to choose between two > unfortunate risks, in this case either the risks prevented by those > "pinning" mechanisms and the risks associated with having only one >

Re: CA disclosure of revocations that exceed 5 days [Was: Re: Incident report D-TRUST: syntax error in one tls certificate]

2018-11-30 Thread Dimitris Zacharopoulos via dev-security-policy
On 30/11/2018 1:49 π.μ., Ryan Sleevi wrote: On Thu, Nov 29, 2018 at 4:03 PM Dimitris Zacharopoulos via dev-security-policy wrote: I didn't want to hijack the thread so here's a new one. Times and circumstances change. You have to

Re: CA disclosure of revocations that exceed 5 days [Was: Re: Incident report D-TRUST: syntax error in one tls certificate]

2018-11-29 Thread Ryan Sleevi via dev-security-policy
On Thu, Nov 29, 2018 at 4:03 PM Dimitris Zacharopoulos via dev-security-policy wrote: > I didn't want to hijack the thread so here's a new one. > > > Times and circumstances change. You have to demonstrate that. When I brought this up at the Server > Certificate Working Group of the CA/B

CA disclosure of revocations that exceed 5 days [Was: Re: Incident report D-TRUST: syntax error in one tls certificate]

2018-11-29 Thread Dimitris Zacharopoulos via dev-security-policy
I didn't want to hijack the thread so here's a new one. On 29/11/2018 6:39 μ.μ., Ryan Sleevi wrote: On Thu, Nov 29, 2018 at 2:16 AM Dimitris Zacharopoulos <ji...@it.auth.gr> wrote: Mandating that CAs disclose revocation situations that exceed the 5-day requirement with

Re: Incident report D-TRUST: syntax error in one tls certificate

2018-11-29 Thread Ryan Sleevi via dev-security-policy
On Thu, Nov 29, 2018 at 2:16 AM Dimitris Zacharopoulos wrote: > Mandating that CAs disclose revocation situations that exceed the 5-day > requirement with some risk analysis information, might be a good place > to start. This was proposed several times by Google in the Forum, and consistently

Re: Incident report D-TRUST: syntax error in one tls certificate

2018-11-28 Thread Dimitris Zacharopoulos via dev-security-policy
On 29/11/2018 12:14 π.μ., Wayne Thayer via dev-security-policy wrote: The way that we currently handle these types of issues is about as good as we're going to get. We have a [recently relaxed but still] fairly stringent set of rules around revocation in the BRs. This is necessary and proper

Re: Incident report D-TRUST: syntax error in one tls certificate

2018-11-28 Thread Wayne Thayer via dev-security-policy
The way that we currently handle these types of issues is about as good as we're going to get. We have a [recently relaxed but still] fairly stringent set of rules around revocation in the BRs. This is necessary and proper because slow/delayed revocation can clearly harm our users. It was

Re: Incident report D-TRUST: syntax error in one tls certificate

2018-11-28 Thread Jakob Bohm via dev-security-policy
On 27/11/2018 00:54, Ryan Sleevi wrote: > On Mon, Nov 26, 2018 at 12:12 PM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > >> 1. Having a spare certificate ready (if done with proper security, e.g. >> a separate key) from a different CA may unfortunately

Re: Incident report D-TRUST: syntax error in one tls certificate

2018-11-28 Thread Pedro Fuentes via dev-security-policy
-Original Message- > > From: dev-security-policy On Behalf Of Enrico Entschew via dev-security-policy > > Sent: Tuesday, 27 November 2018 18:17 > > To: mozilla-dev-security-pol...@lists.mozilla.org > > Subject: Re: Incident report D-TRUST: syntax

AW: Incident report D-TRUST: syntax error in one tls certificate

2018-11-27 Thread Buschart, Rufus via dev-security-policy
w via dev-security-policy > Sent: Tuesday, 27 November 2018 18:17 > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Incident report D-TRUST: syntax error in one tls certificate > > On Monday, 26 November 2018 18:34:38 UTC+1, Jakob Bohm wrote: > > > I

Re: Incident report D-TRUST: syntax error in one tls certificate

2018-11-27 Thread Enrico Entschew via dev-security-policy
On Monday, 26 November 2018 18:34:38 UTC+1, Jakob Bohm wrote: > In addition to this, would you add the following: > > - Daily checks of crt.sh (or some other existing tool) if > additional such certificates are erroneously issued before > the automated countermeasures are in place? Thank

Re: Incident report D-TRUST: syntax error in one tls certificate

2018-11-26 Thread Ryan Sleevi via dev-security-policy
On Mon, Nov 26, 2018 at 12:12 PM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > 1. Having a spare certificate ready (if done with proper security, e.g. > a separate key) from a different CA may unfortunately conflict with > badly thought out parts of

Re: Incident report D-TRUST: syntax error in one tls certificate

2018-11-26 Thread Ryan Sleevi via dev-security-policy
On Mon, Nov 26, 2018 at 10:31 AM Nick Lamb via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > CA/B is the right place for CAs to make the case for a general rule about > giving themselves more time to handle technical non-compliances whose > correct resolution will annoy

Re: Incident report D-TRUST: syntax error in one tls certificate

2018-11-26 Thread Jakob Bohm via dev-security-policy
On 23/11/2018 16:24, Enrico Entschew wrote: > This post links to https://bugzilla.mozilla.org/show_bug.cgi?id=1509512 > > syntax error in one tls certificate > > 1. How your CA first became aware of the problem (e.g. via a problem report > submitted to your Problem Reporting Mechanism, a

Re: Incident report D-TRUST: syntax error in one tls certificate

2018-11-26 Thread Jakob Bohm via dev-security-policy
On 26/11/2018 16:31, Nick Lamb wrote: In common with others who've responded to this report I am very skeptical about the contrast between the supposed importance of this customer's systems versus their, frankly, lackadaisical technical response. This might all seem harmless but it ends up as

Re: Incident report D-TRUST: syntax error in one tls certificate

2018-11-26 Thread Nick Lamb via dev-security-policy
In common with others who've responded to this report I am very skeptical about the contrast between the supposed importance of this customer's systems versus their, frankly, lackadaisical technical response. This might all seem harmless but it ends up as "the boy who cried wolf". If you relay

Re: Incident report D-TRUST: syntax error in one tls certificate

2018-11-26 Thread Gijs Kruitbosch via dev-security-policy
(for the avoidance of doubt: posting in a personal capacity) On 23/11/2018 15:24, Enrico Entschew wrote: Timeline: 2018-11-12, 10:30 UTC Customer was contacted the first time. Customer runs an international critical trade platform for emissions. Immediate revocation of the certificate would

Re: Incident report D-TRUST: syntax error in one tls certificate

2018-11-25 Thread Paul Léo Steinberg via dev-security-policy
> 2018-11-12, 09:01 UTC CA became aware via https://crt.sh/ of a syntax error > in one tls certificate issued on 2018-06-02. The PrintableString of OBJECT > IDENTIFIER serialNumber (2 5 4 5) contains an invalid character. For more > details see https://crt.sh/?id=514472818 > 2018-11-12, 10:30

Incident report D-TRUST: syntax error in one tls certificate

2018-11-23 Thread Enrico Entschew via dev-security-policy
This post links to https://bugzilla.mozilla.org/show_bug.cgi?id=1509512 syntax error in one tls certificate 1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or