On Monday, October 9, 2017 at 7:57:31 PM UTC+1, Kathleen Wilson wrote:
> Here's what is currently in the bug...
> https://bugzilla.mozilla.org/show_bug.cgi?id=1405862
> ~~
> As per Bug #1403549 the PSCProcert certificate will be removed from Mozilla’s
> Root Store due to a long list of problems an
Here's what is currently in the bug...
https://bugzilla.mozilla.org/show_bug.cgi?id=1405862
~~
As per Bug #1403549 the PSCProcert certificate will be removed from Mozilla’s
Root Store due to a long list of problems and the way that PROCERT responded to
those problems (and to previous CA Communica
On Thursday, 5 October 2017 13:55:02 UTC+2, Inigo Barreira wrote:
> Has this been asked ever? Has any other CA published it? It's just to know.
> And, is there a "default" scope for this kind of security audits?
Grin. ;-)
Does it matter? Or perhaps more important, do you want to recover from lo
On 05/10/17 20:00, Inigo Barreira wrote:
> Has this been asked ever? Has any other CA published it? It's just to know.
> And, is there a "default" scope for this kind of security audits?
Well, you indicated your willingness to publish them in an email to me,
if I remember correctly. And it would
This whole discussion is very interesting, but as an ordinary user of your root
storage I would like to say that I deleted all root certificates of WoSign,
StartCom/Camerfirma A.S, also root certificates of Certinomis and Certum CA
from all my of their root stores, as they are cross for StartCom
On 05/10/17 15:32, Inigo Barreira wrote:
> I know this reply is not related to the email thread but wouldn't like to
> leave the feeling that the code we are using is bad, or not secure, etc.
Perhaps now might be a good time to publish the security audits that
were done on the code, then?
Gerv
>
> For example, I think there is wisdom in what Ryan says about setting an
> amount of time before a company can re-apply. In the case of StartCom we
> did not set such a time, because I had thought they might do what I
> recommended, which was to switch back from the new WoSign infra that we
> d
On Thu, Oct 05, 2017 at 11:05:07AM +0800, Gervase Markham via
dev-security-policy wrote:
> In addition, we do need to address the question of how we can ascertain
> that the organization has acquired the technical competence and
> management rigour which seems to be lacking. I know you have placed
On 05/10/17 05:57, Kathleen Wilson wrote:
> Bug Filed regarding PROCERT Action Items:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1405862
Hi Kathleen,
I know you have already filed the bug, but I think that perhaps the list
of action items might need to be a bit more detailed and/or rigorous
t
Bug Filed regarding PROCERT Action Items:
https://bugzilla.mozilla.org/show_bug.cgi?id=1405862
Thanks,
Kathleen
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Hi Kathleen,
With respect to providing a list - is there any requirement to ensure
Mozilla accepts that as a reasonable remediation?
For example, would "We plan to not do the same in the future" be an
acceptable remediation plan? As currently worded, it would seem to meet the
letter of this requi
Here's a draft of the Bugzilla Bug that I plan to file to list the action items
for PROCERT to complete before they may re-apply for inclusion in Mozilla's
Root Store. I will appreciate feedback on this.
== DRAFT ==
Subject: PROCERT: Action Items
As per Bug #1403549 the PSCProcert certificate w
On Mon, Oct 2, 2017 at 10:42 AM, Kathleen Wilson via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Friday, September 29, 2017 at 2:52:49 PM UTC-7, Eric Mill wrote:
> > That dynamic is natural, but accepting that this dynamic exists is
> > different than giving into it in
On Friday, September 29, 2017 at 2:52:49 PM UTC-7, Eric Mill wrote:
> That dynamic is natural, but accepting that this dynamic exists is
> different than giving into it in some absolute way. When offering second
> chances, requiring that the person/org fulfill certain conditions that
> speak direct
attached
CPS
https://www.procert.net.ve/documentos/CPS-PROCERT.pdf
SSL Evidence
https://www.dropbox.com/s/972f3yudpaxhrgi/Mozilla%20SSL%20%282%29.xlsx?dl=0
Dear Mozilla CA Root Team,
After reviewing Mr. Gervase's reply, referring to the exclusion of the PSC
PROCERT from the Mozilla trust repository and having seen the antecedents
existing in multiple previous cases, it is evident that in all cases it was
offered through the bug of a mechanism of
On Thu, Sep 28, 2017 at 12:50 PM, Gervase Markham via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On 27/09/17 18:54, Matthew Hardeman wrote:
> > In the case of StartCom, I can not help but feel that they are being
> > held to an especially high standard (higher than other
I'd say this implies two things.
First, CAs should be wary of the possibility of losing trust. For
reacting/responding timely and adequately to any concerns being raised, instead
of ignoring them or waiting to "see how they develop", is a lot easier than
any alternative, I'd say.
The other thing
On Thu, Sep 28, 2017 at 11:50 AM, Gervase Markham wrote:
>
> The nature of trust is that it's harder to regain than it is to gain in
> the first place. Just ask someone who's been the victim of adultery - or
> someone who is a now-repentant adulterer. Rightly or wrongly, people get
> a first chan
On 27/09/17 18:54, Matthew Hardeman wrote:
> In the case of StartCom, I can not help but feel that they are being
> held to an especially high standard (higher than other prior adds to
> the program) in this new PKI because of who they are -- despite the
> fact that management and day-to-day decisi
On Wednesday, 27 September 2017 18:56:27 UTC+2, Kathleen Wilson wrote:
> In past incidents, we have provided a list of action items that the CA must
> complete before they can be re-included in Mozilla's root store.
>
> What action items do you all think PROCERT should complete before they can b
On Wednesday, September 27, 2017 at 11:56:27 AM UTC-5, Kathleen Wilson wrote:
> What action items do you all think PROCERT should complete before they can be
> re-included in Mozilla's root store?
> What do you think should happen if PROCERT completes those action items
> before their PSCProcer
In past incidents, we have provided a list of action items that the CA must
complete before they can be re-included in Mozilla's root store.
What action items do you all think PROCERT should complete before they can be
re-included in Mozilla's root store?
What do you think should happen if PROC
Why does the document say "Date: 11/07/17" on every page, and the signed pdf
metadata say
2017-09-25T17:14:35-04:00
2017-09-25T17:18:07-04:00
2017-09-25T17:18:07-04:00
On Tuesday, September 26, 2017 at 4:56:36 PM UTC-4, alejand...@gmail.com wrote:
> In the following link you can find the CPS in
In the following link you can find the CPS in English language
https://www.procert.net.ve/documentos/CPS-PROCERT.pdf
Thank you for creating the diff and posting it here.
Procert's continued statements of "behaviour x does not violate the RFC" /
"behaviour x does not infringe the standard" show that they do not recognise
the Baseline Requirements as something that needs to be adhered to in order to
remain in t
On 21/09/2017 23:08, alejandrovolcan--- via dev-security-policy wrote:
> Dear Gerv, I have attached a document that gives us a greater
> response to each of the points, as well as Mr. Oscar Lovera sent you
> an email with the same information
>
> https://www.dropbox.com/s/qowngzzvg5q5pjj/Mozilla%2
On Monday, September 18, 2017 at 8:27:18 (UTC-5), Gervase Markham wrote:
> On 11/09/17 12:03, Gervase Markham wrote:
> > Thank you for this initial response. It is, however, far less detailed
> > than we would like to see.
>
> I have not had any further updates from PROCERT. I have tried t
On 11/09/17 12:03, Gervase Markham wrote:
> Thank you for this initial response. It is, however, far less detailed
> than we would like to see.
I have not had any further updates from PROCERT. I have tried to reflect
their responses from this email here:
https://wiki.mozilla.org/CA:PROCERT_Issues
Hi Alejandro,
Thank you for this initial response. It is, however, far less detailed
than we would like to see. In the email I sent to you letting you know
that we were looking at PROCERT, I wrote:
"You may wish to review a similar issue list we created for Symantec:
https://wiki.mozilla.org/CA:S
Good Afternoon
In order to answer the points of the wiki, we make the following explanations
Issue D: URI in CN and dnsName SAN (December 2016)
Procert:
Based on internals test and validation, we contacting the client, we asking for
a new CSR and proceed to revoke and reissue the certificate
On Fri, Sep 8, 2017 at 2:39 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On 07/09/2017 17:17, Gervase Markham wrote:
>
>> Mozilla has decided that there is sufficient concern about the
>> activities and operations of the CA "PROCERT" to collect together
On 07/09/2017 17:17, Gervase Markham wrote:
Mozilla has decided that there is sufficient concern about the
activities and operations of the CA "PROCERT" to collect together our
list of current concerns. That list can be found here:
https://wiki.mozilla.org/CA:PROCERT_Issues
Note that this list m
On 07/09/17 22:27, Ryan Sleevi wrote:
> Do you have an anticipated time period for discussion? That is, what
> represents a time for which PROCERT may submit feedback to have it
> considered, and at what point you will consider discussion closed?
I don't want to place a hard limit on it because of
I believe it's important to consider more than just the issues themselves,
and to look at a CA's response to the issues. In the past weeks, we've done
a lot of really fantastic work to push CAs on publishing more comprehensive
post-mortems, and several CAs have distinguished themselves with timely
On Thu, Sep 7, 2017 at 11:17 AM, Gervase Markham via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Mozilla has decided that there is sufficient concern about the
> activities and operations of the CA "PROCERT" to collect together our
> list of current concerns. That list ca
Mozilla has decided that there is sufficient concern about the
activities and operations of the CA "PROCERT" to collect together our
list of current concerns. That list can be found here:
https://wiki.mozilla.org/CA:PROCERT_Issues
Note that this list may expand or reduce over time as issues are
in