Re: Concerns with Dun & Bradstreet as a QIIS

2018-10-02 Thread Ian Carroll via dev-security-policy
On Tuesday, October 2, 2018 at 7:02:32 AM UTC-7, Dimitris Zacharopoulos wrote: > On 1/10/2018 8:15 PM, Ryan Sleevi via dev-security-policy wrote: > > On Mon, Oct 1, 2018 at 9:21 AM Dimitris Zacharopoulos > > wrote: > > > [...] > > > > > >> I am certainly not suggesting that CAs should put

Re: Concerns with Dun & Bradstreet as a QIIS

2018-10-02 Thread Dimitris Zacharopoulos via dev-security-policy
On 2/10/2018 5:21 PM, Ryan Sleevi via dev-security-policy wrote: On Tue, Oct 2, 2018 at 10:02 AM Dimitris Zacharopoulos wrote: But this inaccurate data is not used in the validation process nor included in the certificates. Perhaps I didn't describe my thoughts accurately. Let me have

Re: Concerns with Dun & Bradstreet as a QIIS

2018-10-02 Thread Ryan Sleevi via dev-security-policy
On Tue, Oct 2, 2018 at 10:02 AM Dimitris Zacharopoulos wrote: > >> But this inaccurate data is not used in the validation process nor > >> included in the certificates. Perhaps I didn't describe my thoughts > >> accurately. Let me have another try using my previous example. Consider > an > >>

Re: Concerns with Dun & Bradstreet as a QIIS

2018-10-02 Thread Dimitris Zacharopoulos via dev-security-policy
On 1/10/2018 8:15 PM, Ryan Sleevi via dev-security-policy wrote: On Mon, Oct 1, 2018 at 9:21 AM Dimitris Zacharopoulos wrote: [...] I am certainly not suggesting that CAs should put inaccurate and misleading information in certificates :-) I merely said that if the Subscriber introduces

Re: Concerns with Dun & Bradstreet as a QIIS

2018-10-01 Thread Ryan Sleevi via dev-security-policy
On Mon, Oct 1, 2018 at 9:21 AM Dimitris Zacharopoulos wrote: > No, this was not about the domain name but about the information displayed > to the Relying Party with the attributes included in the OV/EV Certificate > (primarily the Organization). So, I'm still uncertain if Ian's "misleading >

RE: Concerns with Dun & Bradstreet as a QIIS

2018-10-01 Thread Tim Hollebeek via dev-security-policy
have to do only one or the other. -Tim From: Ryan Sleevi Sent: Friday, September 28, 2018 6:35 PM To: Tim Hollebeek Cc: Dimitris Zacharopoulos ; Ian Carroll ; mozilla-dev-security-policy ; r...@sleevi.com Subject: Re: Concerns with Dun & Bradstreet as a QIIS Yes, we can

Re: Concerns with Dun & Bradstreet as a QIIS

2018-10-01 Thread Dimitris Zacharopoulos via dev-security-policy
On 1/10/2018 1:06 PM, Ryan Sleevi via dev-security-policy wrote: On Mon, Oct 1, 2018 at 2:55 AM Dimitris Zacharopoulos wrote: Perhaps I am confusing different past discussions. If I recall correctly, in previous discussions we described the case where an attacker tries to get a certificate

Re: Concerns with Dun & Bradstreet as a QIIS

2018-10-01 Thread Ryan Sleevi via dev-security-policy
On Mon, Oct 1, 2018 at 2:55 AM Dimitris Zacharopoulos wrote: > Perhaps I am confusing different past discussions. If I recall correctly, > in previous discussions we described the case where an attacker tries to > get a certificate for a company "Example Inc." with domain "example.com". > This

Re: Concerns with Dun & Bradstreet as a QIIS

2018-10-01 Thread Dimitris Zacharopoulos via dev-security-policy
On 28/9/2018 9:59 PM, Ian Carroll via dev-security-policy wrote: On Thursday, September 27, 2018 at 10:22:05 PM UTC-7, Dimitris Zacharopoulos wrote: Forgive my ignorance, but could you please explain what was your ultimate goal, as "an attacker", what were you hoping to gain and how could you

Re: Concerns with Dun & Bradstreet as a QIIS

2018-10-01 Thread Dimitris Zacharopoulos via dev-security-policy
On 28/9/2018 8:04 PM, Ryan Sleevi via dev-security-policy wrote: On Fri, Sep 28, 2018 at 1:22 AM Dimitris Zacharopoulos via dev-security-policy wrote: Forgive my ignorance, but could you please explain what was your ultimate goal, as "an attacker", what were you hoping to gain and how could

Re: Concerns with Dun & Bradstreet as a QIIS

2018-09-28 Thread Ryan Sleevi via dev-security-policy
To: Dimitris Zacharopoulos > > Cc: mozilla-dev-security-policy > ; > > Ian Carroll > > Subject: Re: Concerns with Dun & Bradstreet as a QIIS > > > > On Fri, Sep 28, 2018 at 1:22 AM Dimitris Zacharopoulos via > dev-security-policy > > wrote: > >

RE: Concerns with Dun & Bradstreet as a QIIS

2018-09-28 Thread Tim Hollebeek via dev-security-policy
, 2018 10:04 AM > To: Dimitris Zacharopoulos > Cc: mozilla-dev-security-policy ; > Ian Carroll > Subject: Re: Concerns with Dun & Bradstreet as a QIIS > > On Fri, Sep 28, 2018 at 1:22 AM Dimitris Zacharopoulos via dev-security-policy > wrote: > > > > >

Re: Concerns with Dun & Bradstreet as a QIIS

2018-09-28 Thread Ian Carroll via dev-security-policy
On Thursday, September 27, 2018 at 10:22:05 PM UTC-7, Dimitris Zacharopoulos wrote: > Forgive my ignorance, but could you please explain what was your > ultimate goal, as "an attacker", what were you hoping to gain and how > could you use this against Relying Parties? > > I read your email

Re: Concerns with Dun & Bradstreet as a QIIS

2018-09-28 Thread Ryan Sleevi via dev-security-policy
On Fri, Sep 28, 2018 at 1:22 AM Dimitris Zacharopoulos via dev-security-policy wrote: > > Forgive my ignorance, but could you please explain what was your > ultimate goal, as "an attacker", what were you hoping to gain and how > could you use this against Relying Parties? > > I read your email

Re: Concerns with Dun & Bradstreet as a QIIS

2018-09-27 Thread Dimitris Zacharopoulos via dev-security-policy
Forgive my ignorance, but could you please explain what was your ultimate goal, as "an attacker", what were you hoping to gain and how could you use this against Relying Parties? I read your email several times but I could not easily find a case where your fake address creates any serious

Re: Concerns with Dun & Bradstreet as a QIIS

2018-09-27 Thread Ryan Sleevi via dev-security-policy
-Original Message- > > From: dev-security-policy > On > > Behalf Of Ryan Sleevi via dev-security-policy > > Sent: Thursday, September 27, 2018 4:18 PM > > To: Matthew Hardeman > > Cc: mozilla-dev-security-policy < > mozilla-dev-security-pol...@lists.mozilla.or

RE: Concerns with Dun & Bradstreet as a QIIS

2018-09-27 Thread Tim Hollebeek via dev-security-policy
-policy > ; > Ian Carroll > Subject: Re: Concerns with Dun & Bradstreet as a QIIS > > Yes, it would be work, but would result in consistent and reliable > information, > and already reflective of the fact that an EV certificate needs to identify > the > jurisdictio

Re: Concerns with Dun & Bradstreet as a QIIS

2018-09-27 Thread Ryan Sleevi via dev-security-policy
Yes, it would be work, but would result in consistent and reliable information, and already reflective of the fact that an EV certificate needs to identify the jurisdictionOfIncorporation and it's incorporating documents. Or are we saying that OV doesn't need to make sure it's actually a valid and

Re: Concerns with Dun & Bradstreet as a QIIS

2018-09-27 Thread Matthew Hardeman via dev-security-policy
A whitelist of QGIS sounds fairly difficult. And how long would it take to adopt a new one? In some states you're going to have an authority per county. It'd be a big list. On Thu, Sep 27, 2018 at 5:35 PM, Ian Carroll via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: >

Re: Concerns with Dun & Bradstreet as a QIIS

2018-09-27 Thread Ian Carroll via dev-security-policy
On Wednesday, September 26, 2018 at 6:12:22 PM UTC-7, Ryan Sleevi wrote: > Thanks for raising this, Ian. > > The question and concern about QIIS is extremely reasonable. As discussed > in past CA/Browser Forum activities, some CAs have extended the definition > to treat Google Maps as a QIIS (it

RE: Concerns with Dun & Bradstreet as a QIIS

2018-09-27 Thread Tim Hollebeek via dev-security-policy
> The question and concern about QIIS is extremely reasonable. As discussed in > past CA/Browser Forum activities, some CAs have extended the definition to > treat Google Maps as a QIIS (it is not), as well as third-party WHOIS services > (they’re not; that’s using a DTP). It's worth noting that

Re: Concerns with Dun & Bradstreet as a QIIS

2018-09-26 Thread Ryan Sleevi via dev-security-policy
Thanks for raising this, Ian. The question and concern about QIIS is extremely reasonable. As discussed in past CA/Browser Forum activities, some CAs have extended the definition to treat Google Maps as a QIIS (it is not), as well as third-party WHOIS services (they’re not; that’s using a DTP).

RE: Concerns with Dun & Bradstreet as a QIIS

2018-09-26 Thread Tim Hollebeek via dev-security-policy
There have been previous discussions about this very issue at CA/Browser Forum Validation Working Group meetings (see also draft Ballot 225). I think it is widely recognized that the rules around QIISs are far too weak and in need of improvement. I actually recently asked Kirk to add an item on