On Saturday, 9 July 2016 00:21:27 UTC+1, Rick Andrews wrote:
> GSA which governs FPKI recently approved Symantec’s proposal for one-way
> cross-certification with the FBCA and to remove the cross-certificate from
> the Symantec CA to the FBCA. The cross certificate is expiring on June 31,
> 201
On Friday, July 8, 2016 at 4:21:27 PM UTC-7, Rick Andrews wrote:
> GSA which governs FPKI recently approved Symantec’s proposal for one-way
> cross-certification with the FBCA and to remove the cross-certificate from
> the Symantec CA to the FBCA. The cross certificate is expiring on June 31,
>
GSA which governs FPKI recently approved Symantec’s proposal for one-way
cross-certification with the FBCA and to remove the cross-certificate from the
Symantec CA to the FBCA. The cross certificate is expiring on June 31, 2016 and
Symantec does not intend to renew the certificate going forward.
On Thursday, 30 June 2016 09:29:15 UTC+1, Rob Stradling wrote:
> The cross-certificate issued by Symantec to "Federal Bridge CA 2013"
> (https://crt.sh/?id=12638543) expires in 1 month. I'm wondering if
> there's any point in revoking this intermediate or the two other
> intermediates that Pet
On 30/06/16 06:34, Peter Bowen wrote:
I think there is confusion over the generic term “Symantec”. There is no issue
for Symantec (the company) to be an affiliate of the USG FPKI and to operate
CAs mutually cross-certified with the USG FPKI. Additionally there is no issue
with Symantec (or a
I think there is confusion over the generic term “Symantec”. There is no issue
for Symantec (the company) to be an affiliate of the USG FPKI and to operate
CAs mutually cross-certified with the USG FPKI. Additionally there is no issue
with Symantec (or anyone else) to operate CAs included in t
Thanks Eric.
1) Mutual trust is dependent on an exchange of certificates as outlined in
the MOA and not the receipt. If one is removed, both must be removed per the
MOA. It is currently being discussed to allow only a certificate receipt
because mutual trust is a fundamental principle of
Subject: Re: Intermediate certificate disclosure deadline in 2 weeks
DigiCert didn't cross-sign the Federal PKI with their Mozilla trusted CAs.
I'm
On 27/06/16 01:07, Nick Lamb wrote:
On Sunday, 26 June 2016 21:26:06 UTC+1, Ben Laurie wrote:
My concern is that it is trivial to demonstrate an intermediate is
revoked, yet still validate a chain that includes that "revoked"
certificate.
Sure. If you decide not to check for revocation, then
On Sunday, 26 June 2016 21:26:06 UTC+1, Ben Laurie wrote:
> My concern is that it is trivial to demonstrate an intermediate is
> revoked, yet still validate a chain that includes that "revoked"
> certificate.
Sure. If you decide not to check for revocation, then you won't know if it's
revoked. I
On Saturday, 25 June 2016 21:55:46 UTC+1, Ben Laurie wrote:
> In practice, what does this mean? How does one revoke the path from
> the trust anchor to the CA?
This path will involve one or more certificates and the certificates can be
revoked in the usual manner by their serial number. For most
And for the benefit of readers of the thread not already familiar with
this, below are the two documented browser approaches to revocation of
intermediates that I'm aware of, for Firefox and Chrome.
Both require browser-maintained (not CA-maintained) lists of revoked
certificates to be updated wit
On Sat, Jun 25, 2016 at 3:50 AM, Ben Laurie wrote:
> On 25 June 2016 at 00:56, Rob Stradling wrote:
>> On 24/06/16 14:38, Rob Stradling wrote:
>>>
>>> I've just updated https://crt.sh/mozilla-disclosures.
>>>
>>> There's now a separate grouping for undisclosed intermediates for which
>>> all obse
's comment, "I would be willing to make an
>>> exception for this specific case, since the Federal Bridge is a known
>>> issue," as an indication that I do not need to disclose the DigiCert
>>> Federated ID CA-1 in the Salesforce database.
>>>
From: Peter Bowen [mailto:pzbo...@gmail.com]
Sent: Thursday, June 23, 2016 3:35 PM
To: Eric Mill
Cc: Ben Wilson ; Kurt Roeckx
; Richard Barnes ; Jeremy Rowley
; Steve ;
mozilla-dev-security-pol...@lists.mozilla.org; Kathleen Wilson
; Rob Stradling
Subject: Re: Intermediate certificate disclosure deadl
On 6/21/16 8:26 AM, Rob Stradling wrote:
On 21/06/16 15:55, Ben Wilson wrote:
Rob,
Ben, thanks for passing on the details. My analysis is below...
So far they are -
https://crt.sh/?sha1=e12ba5aeb7613a72cc9652f1673017a5d8fc7479
- technically constrained warning
https://crt.sh/?sha1=8c6c
according to this:
https://test4.fpki.18f.gov/
https://github.com/18F/fpki-testing
Symantec is the second cross-signer of the Federal Bridge, with a root CA that
was supposed to be dormant according to the description here:
https://www.symantec.com/theme/roots
Root 10
VeriSign Universal Root CA
mozilla-dev-security-pol...@lists.mozilla.org; Kathleen Wilson ; Rob Stradling
Subject: Re: Intermediate certificate disclosure deadline in 2 weeks
DigiCert didn't cross-sign the Federal PKI with their Mozilla trusted CAs.
I'm sure Ben will tell me I have my termin
Cc: Ben Wilson ; Kurt Roeckx ; Richard
Barnes ; Jeremy Rowley ; Steve
; mozilla-dev-security-pol...@lists.mozilla.org;
Kathleen Wilson ; Rob Stradling
Subject: Re: Intermediate certificate disclosure deadline in 2 weeks
DigiCert didn't cross-sign the Federal PKI with their Mozilla truste
To: Ben Wilson
>> Cc: Eric Mill ; Kurt Roeckx ; Richard
>> Barnes ; Jeremy Rowley ;
>> Steve ;
>> mozilla-dev-security-pol...@lists.mozilla.org; Kathleen Wilson
>> ; Rob Stradling
>> Subject: Re: Intermediate certificate disclosure deadline in 2 weeks
>>
Sent: Thursday, June 23, 2016 2:41 PM
To: Ben Wilson
Cc: Peter Bowen ; Kurt Roeckx ; Richard
Barnes ; Jeremy Rowley ; Steve
; mozilla-dev-security-pol...@lists.mozilla.org;
Kathleen Wilson ; Rob Stradling
Subject: Re: Intermediate certificate disclosure deadline in 2 weeks
Peter, I
> Subject: Re: Intermediate certificate disclosure deadline in 2 weeks
>
> On Thu, Jun 23, 2016 at 11:45 AM, Ben Wilson
> wrote:
> > Another issue that needs to be resolved involves the Federal Bridge
> > CA 201
> Kathleen Wilson ; Rob Stradling
>
> Subject: Re: Intermediate certificate disclosure deadline in 2 weeks
>
> On Thu, Jun 23, 2016 at 11:45 AM, Ben Wilson wrote:
>> Another issue that needs to be resolved involves the Federal Bridge
>> CA 2013 (“Federal Bridge”)
Subject: Re: Intermediate certificate disclosure deadline in 2 weeks
On Thu, Jun 23, 2016 at 11:45 AM, Ben Wilson wrote:
> Another issue that needs to be resolved involves the Federal Bridge
> CA 2013 (“Federal Bridge”). When a publicly trusted sub CA
> cross-certifies the Federa
On Thu, Jun 23, 2016 at 11:45 AM, Ben Wilson wrote:
> Another issue that needs to be resolved involves the Federal Bridge CA 2013
> (“Federal Bridge”). When a publicly trusted sub CA cross-certifies the
> Federal Bridge, then all of the CAs cross-certified by the Federal Bridge
> are trusted.
> *To:* Kurt Roeckx
> *Cc:* Peter Bowen ; Richard Barnes ;
> Jeremy Rowley ; Steve ;
> mozilla-dev-security-pol...@lists.mozilla.org; Kathleen Wilson <
> kwil...@mozilla.com>; Rob Stradling ; Ben
> Wilson
> *Subject:* Re: Intermediate certificate disclosure deadline in 2 weeks
Subject: Re: Intermediate certificate disclosure deadline in 2 weeks
On Wed, Jun 22, 2016 at 6:11 PM, Kurt Roeckx <k...@roeckx.be> wrote:
On Wed, Jun 22, 2016 at 02:25:37PM -0700, Peter Bowen wrote:
> I think there are two things getting conflated here:
>
> 1
On Wed, Jun 22, 2016 at 6:11 PM, Kurt Roeckx wrote:
> On Wed, Jun 22, 2016 at 02:25:37PM -0700, Peter Bowen wrote:
> > I think there are two things getting conflated here:
> >
> > 1) Disclosure of revoked unexpired CA certificates signed by a trusted CA
> >
> > 2) Disclosure of CA certificates si
On Wed, Jun 22, 2016 at 02:25:37PM -0700, Peter Bowen wrote:
> I think there are two things getting conflated here:
>
> 1) Disclosure of revoked unexpired CA certificates signed by a trusted CA
>
> 2) Disclosure of CA certificates signed by CAs that are the subject of #1
>
> Imagine the followin
I think there are two things getting conflated here:
1) Disclosure of revoked unexpired CA certificates signed by a trusted CA
2) Disclosure of CA certificates signed by CAs that are the subject of #1
Imagine the following hierarchy:
Univercert Root CA (in trust store) --(CA Cert A)--> Apertur
> Sent: Wednesday, June 22, 2016 2:31 PM
> To: Steve
> Cc: mozilla-dev-security-pol...@lists.mozilla.org; Eric Mill
> ; Kathleen Wilson ; Rob Stradling
> ; Peter Bowen ; Ben Wilson
>
> Subject: Re: Intermediate certificate disclosure deadline in 2 weeks
>
>> On Wed, Jun 2
On Behalf Of Kurt Roeckx
Sent: Wednesday, June 22, 2016 2:31 PM
To: Steve
Cc: mozilla-dev-security-pol...@lists.mozilla.org; Eric Mill
; Kathleen Wilson ; Rob Stradling
; Peter Bowen ; Ben Wilson
Subject: Re: Intermediate certificate disclosure deadline in 2 weeks
On Wed, Jun 22, 2016 at 06:18:51PM +, Steve wrote:
> CAs are running OCSP responders up to the root tier. Once a CA is
> terminated in a standards-compliant and densely interoperable way from
> participating in a trusted discovery path to an embedded root, it should no
> longer be in the scope
On Wed, Jun 22, 2016 at 3:31 PM, Peter Bowen wrote:
> On Wed, Jun 22, 2016 at 11:19 AM, Ryan Sleevi wrote:
> > On Wed, Jun 22, 2016 at 8:21 AM, Ben Wilson
> wrote:
> >> It seems to me that requiring the registration of these subordinate CAs
> bloats the Salesforce database unnecessarily.
> >
>
On Wed, Jun 22, 2016 at 11:19 AM, Ryan Sleevi wrote:
> On Wed, Jun 22, 2016 at 8:21 AM, Ben Wilson wrote:
>> It seems to me that requiring the registration of these subordinate CAs
>> bloats the Salesforce database unnecessarily.
>
> We've historically been at a chronic lack of data, rather than
On Wed, Jun 22, 2016 at 8:21 AM, Ben Wilson wrote:
> It seems to me that requiring the registration of these subordinate CAs
> bloats the Salesforce database unnecessarily.
We've historically been at a chronic lack of data, rather than a
chronic glut. I think we should definitely err on the side
CAs are running OCSP responders up to the root tier. Once a CA is
terminated in a standards-compliant and densely interoperable way from
participating in a trusted discovery path to an embedded root, it should no
longer be in the scope of business of root trust store owners.
On Wed, Jun 22, 2016
On Tue, Jun 21, 2016 at 12:10 PM, Peter Bowen wrote:
> On Tue, Jun 21, 2016 at 8:26 AM, Rob Stradling
> wrote:
> > Revocation of a "parent intermediate" does not exempt "child
> intermediates"
> > from the disclosure requirement, AFAICT. So I think the KBC Group CAs do
> > need to be disclosed
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Intermediate certificate disclosure deadline in 2 weeks
On 21/06/16 17:56, Nick Lamb wrote:
> On Tuesday, 21 June 2016 17:10:43 UTC+1, Peter Bowen wrote:
>> If all paths from a trusted root to a given interme
On 21/06/16 17:56, Nick Lamb wrote:
On Tuesday, 21 June 2016 17:10:43 UTC+1, Peter Bowen wrote:
If all paths from a trusted root to a given intermediate are revoked
or expired, then I don't think it "directly or transitively chain[s]
to a certificate included in Mozilla’s CA Certificate Program
-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+jeremy.rowley=digicert@lists.mozilla.org]
On Behalf Of Nick Lamb
Sent: Tuesday, June 21, 2016 10:56 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Intermediate certific
On Tuesday, 21 June 2016 17:10:43 UTC+1, Peter Bowen wrote:
> If all paths from a trusted root to a given intermediate are revoked
> or expired, then I don't think it "directly or transitively chain[s]
> to a certificate included in Mozilla’s CA Certificate Program". It
> would be no different th
Agreed. I don't see a reason to disclose anything where the parent is revoked.
I think it's a similar question as whether a CA has to disclose all the sub
CAs under a root where removal from the root program was requested. In both
cases the certs are not publicly trusted and don't affect the M
On Tue, Jun 21, 2016 at 8:26 AM, Rob Stradling wrote:
> Revocation of a "parent intermediate" does not exempt "child intermediates"
> from the disclosure requirement, AFAICT. So I think the KBC Group CAs do
> need to be disclosed to Salesforce.
If all paths from a trusted root to a given interme
On 21/06/16 15:55, Ben Wilson wrote:
Rob,
Ben, thanks for passing on the details. My analysis is below...
So far they are -
https://crt.sh/?sha1=e12ba5aeb7613a72cc9652f1673017a5d8fc7479
- technically constrained warning
https://crt.sh/?sha1=8c6c7a20b48ef3bcb0fcb203008773846611486a
- t
Cheers,
Ben
-Original Message-
From: Rob Stradling [mailto:rob.stradl...@comodo.com]
Sent: Monday, June 20, 2016 4:17 PM
To: Ben Wilson
Cc: Peter Bowen ;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Intermediate certificate disclosure deadline in 2 weeks
On 21/06/16 04:03, Jeremy Rowley wrote:
Whether they are currently issuing is irrelevant.
Indeed. Having no intent to issue certificates is not going to stop the
sort of attack that DigiNotar experienced!
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Onlin
On Behalf Of robin.lin
Sent: Monday, June 20, 2016 7:43 PM
To: Rob Stradling ;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: Intermediate certificate disclosure deadline in 2 weeks
Hello Rob,
What if the CA is no longer iss
Hello Rob,
What if the CA no longer issues certificates?
Thanks,
Robin Lin (Wei Tsong Lin)
CSSLPR
Project Manager
Research and Developing Department
TAIWAN-CA INC.
TEL:+886-2-2370-8886 ext. 721
FAX:+886-2-2370-0728
E-mail:robin@twca.com.tw
10th Floor, 85 Yenping South Road, 10043 Taipei, Ta
From: dev-security-policy
[mailto:dev-security-policy-bounces+ben=digicert@lists.mozilla.org] On
Behalf Of Peter Bowen
Sent: Monday, June 20, 2016 11:59 AM
To: Rob Stradling
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Intermediate certificate disclosure deadline in 2 weeks
On Fri, Jun 17,
On 20/06/16 18:58, Peter Bowen wrote:
On Fri, Jun 17, 2016 at 4:12 AM, Rob Stradling wrote:
Friendly reminder to all CA representatives:
Don't forget the June 30th deadline! And don't leave it until the last
minute if you have lots of intermediate certificates to disclose!
https://crt.sh/moz
Subject: Re: Intermediate certificate disclosure deadline in 2 weeks
On Fri, Jun 17, 2016 at 4:12 AM, Rob Stradling
wrote:
> Friendly reminder to all CA representatives:
>
> Don't forget the June 30th deadline! And don't leave it until the
> la
Subject: Re: Intermediate certificate disclosure deadline in 2 weeks
On Fri, Jun 17, 2016 at 4:12 AM, Rob Stradling
wrote:
> Friendly reminder to all CA representatives:
>
> Don't forget the June 30th deadline! And don't leave it until the
> la
On Fri, Jun 17, 2016 at 4:12 AM, Rob Stradling wrote:
> Friendly reminder to all CA representatives:
>
> Don't forget the June 30th deadline! And don't leave it until the last
> minute if you have lots of intermediate certificates to disclose!
>
> https://crt.sh/mozilla-disclosures
> ...lists (un