Re: StartCom inclusion request: next steps

2017-11-02 Thread Gervase Markham via dev-security-policy
Dear Inigo, On 14/09/17 09:49, Gervase Markham wrote: > The Mozilla CA Certificates team has been considering what the > appropriate next steps are for the inclusion request from the CA > "StartCom".[0] As readers will know, this CA has previously been removed > from trust[1], and so a

Re: FW: StartCom inclusion request: next steps

2017-09-19 Thread userwithuid via dev-security-policy
On Tue, Sep 19, 2017 at 3:09 PM, Nick Lamb via dev-security-policy wrote: > I have no doubt that this was obvious to people who have worked for a public > CA, but it wasn't obvious to me, so thank you for answering. I think these > answers give us good

Re: FW: StartCom inclusion request: next steps

2017-09-19 Thread Gervase Markham via dev-security-policy
Hi Inigo, On 15/09/17 17:30, Inigo Barreira wrote: > There wasn´t a lack of integrity and monitoring, of course not. All PKI logs > were and are signed, it´s just the auditors wanted to add the integrity to > other systems which is not so clear that should have this enabled. For > example, if

Re: FW: StartCom inclusion request: next steps

2017-09-19 Thread Gervase Markham via dev-security-policy
Hi Franck, On 18/09/17 15:49, Franck Leroy wrote: > Our understanding in April was that as long as StartCom is not > allowed by Certinomis to issue EE certs, the disclosure was not > mandated immediately. I think that we need to establish a timeline of the exact events involved here. But I

Re: FW: StartCom inclusion request: next steps

2017-09-19 Thread Gervase Markham via dev-security-policy
On 15/09/17 15:35, Inigo Barreira wrote: > No, those weren´t tests. We allowed the use of curves permitted by the BRs > but this issue came up in the mozilla policy (I think Arkadiusz posted) and I > also asked about it in the last CABF F2F (I asked Ryan about it) and then, > with that outcome

Re: FW: StartCom inclusion request: next steps

2017-09-18 Thread Franck Leroy via dev-security-policy
Le lundi 18 septembre 2017 14:52:27 UTC+2, Ryan Sleevi a écrit : > On Mon, Sep 18, 2017 at 8:12 AM, Inigo Barreira <> > wrote: > Then they misissued a CA certificate and failed to disclose it, and we > should start an incident report into it. Hello In April 2017 the mozilla policy in force (v2.4)

Re: FW: StartCom inclusion request: next steps

2017-09-18 Thread Ryan Sleevi via dev-security-policy
On Mon, Sep 18, 2017 at 8:12 AM, Inigo Barreira wrote: > > We are not seeking to identify personal blame. We are seeking to > understand what, if any, improvements have been made to address such > issues. In reading this thread, I have difficulty finding any discussion >

Re: StartCom inclusion request: next steps

2017-09-18 Thread James Burton via dev-security-policy
On Monday, September 18, 2017 at 11:38:57 AM UTC+1, Inigo Barreira wrote: > > > > I want to give you some words from one of the "community side" (this is a > > personal opinion and may vary from other opinions inside the community). > > > > Trust is not something that you get, it is something

RE: StartCom inclusion request: next steps

2017-09-18 Thread Inigo Barreira via dev-security-policy
> > I want to give you some words from one of the "community side" (this is a > personal opinion and may vary from other opinions inside the community). > > Trust is not something that you get, it is something that you earn. True > StartCom was distrusted because of serious issues with their

Re: FW: StartCom inclusion request: next steps

2017-09-17 Thread Eric Mill via dev-security-policy
I didn't understand the original below comment by StartCom very well about the cross-sign, but after Ryan's message I understand it better in retrospect: > On Thu, Sep 14, 2017 at 11:05 AM, Inigo Barreira via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > I´ve never said

Re: StartCom inclusion request: next steps

2017-09-16 Thread mw--- via dev-security-policy
I want to give you some words from one of the "community side" (this is a personal opinion and may vary from other opinions inside the community). Trust is not something that you get, it is something that you earn. StartCom was distrusted because of serious issues with their old PKI and now

Re: FW: StartCom inclusion request: next steps

2017-09-15 Thread Ryan Sleevi via dev-security-policy
On Fri, Sep 15, 2017 at 12:30 PM, Inigo Barreira via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > > > Hi Inigo, > > > > On 14/09/17 16:05, Inigo Barreira wrote: > > > Those tests were done to check the CT behaviour, there was any other > > testing of the new systems,

RE: FW: StartCom inclusion request: next steps

2017-09-15 Thread Inigo Barreira via dev-security-policy
> > Hi Inigo, > > On 14/09/17 16:05, Inigo Barreira wrote: > > Those tests were done to check the CT behaviour, there was any other > testing of the new systems, just for the CT. > > Is there any reason those tests could not have been done using a parallel > testing hierarchy (other than the

RE: StartCom inclusion request: next steps

2017-09-15 Thread Inigo Barreira via dev-security-policy
> > Yes, you´re right, that was on the table and also suggested by > > Mozilla, but the issue was that people from 360 are used to code in > > PHP and the old one was in Java and some other for which they are not > > so familiar and then was decided to re-write all the code in PHP > > trying to

Re: FW: StartCom inclusion request: next steps

2017-09-15 Thread Alex Gaynor via dev-security-policy
I'm fairly confused by your answers, if the only thing you tested in production was CT, why was the system issuing non-compliant certs? Why did production CT testing come before having established, tested, and verified a compliant certificate profile? Alex On Fri, Sep 15, 2017 at 10:35 AM, Inigo

Re: FW: StartCom inclusion request: next steps

2017-09-15 Thread Gervase Markham via dev-security-policy
On 15/09/17 09:24, Inigo Barreira wrote: > AFAIK, Certinomis only disclosed in the CCADB That means it's published and available. As noted in my other reply, information as to exactly what this cross-sign enables trust for would be most helpful, as I may have misunderstood previous statements on

Re: FW: StartCom inclusion request: next steps

2017-09-15 Thread Gervase Markham via dev-security-policy
Hi Inigo, On 14/09/17 16:05, Inigo Barreira wrote: > Those tests were done to check the CT behaviour, there was any other testing > of the new systems, just for the CT. Is there any reason those tests could not have been done using a parallel testing hierarchy (other than the fact that you

RE: FW: StartCom inclusion request: next steps

2017-09-15 Thread Inigo Barreira via dev-security-policy
> Hi Inigo, > > To add from the last post. > > I know this is unwelcome news to you but I feel that with all these incidents > happening right now with Symantec and the incidents before, we can't really > take any more chances. Every incident is eroding trust in this system and if > we > want

RE: FW: StartCom inclusion request: next steps

2017-09-15 Thread Inigo Barreira via dev-security-policy
> > > > > > > Those tests were done to check the CT behaviour, there was any > > > > other > > > testing of the new systems, just for the CT. Those certs were under > > > control all the time and were lived for some minutes because were > > > revoked inmediately after checking the certs were

Re: FW: StartCom inclusion request: next steps

2017-09-15 Thread James Burton via dev-security-policy
On Friday, September 15, 2017 at 12:30:00 PM UTC+1, James Burton wrote: > On Friday, September 15, 2017 at 10:56:11 AM UTC+1, Inigo Barreira wrote: > > > > > > > Those tests were done to check the CT behaviour, there was any other > > > testing of the new systems, just for the CT. Those certs

Re: FW: StartCom inclusion request: next steps

2017-09-15 Thread James Burton via dev-security-policy
On Friday, September 15, 2017 at 10:56:11 AM UTC+1, Inigo Barreira wrote: > > > > > Those tests were done to check the CT behaviour, there was any other > > testing of the new systems, just for the CT. Those certs were under control > > all > > the time and were lived for some minutes because

RE: FW: StartCom inclusion request: next steps

2017-09-15 Thread Inigo Barreira via dev-security-policy
> > > Those tests were done to check the CT behaviour, there was any other > testing of the new systems, just for the CT. Those certs were under control > all > the time and were lived for some minutes because were revoked inmediately > after checking the certs were logged correctly in the CTs.

Re: FW: StartCom inclusion request: next steps

2017-09-15 Thread James Burton via dev-security-policy
> Those tests were done to check the CT behaviour, there was any other testing > of the new systems, just for the CT. Those certs were under control all the > time and were lived for some minutes because were revoked inmediately after > checking the certs were logged correctly in the CTs. It´s

RE: FW: StartCom inclusion request: next steps

2017-09-15 Thread Inigo Barreira via dev-security-policy
> On 14/09/2017 17:05, Inigo Barreira wrote: > > All, > > > > ... > >> > >> We should add the existing Certnomis cross-signs to OneCRL to revoke > >> all the existing certificates. As of 10th August (now a month ago) > >> StartCom said they have 5 outstanding SSL certs which are valid > >> due

RE: FW: StartCom inclusion request: next steps

2017-09-15 Thread Inigo Barreira via dev-security-policy
re de 2017 1:22 > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: FW: StartCom inclusion request: next steps > > On Thursday, 14 September 2017 16:00:35 UTC+1, Inigo Barreira wrote: > > Well, finally this is a business and I don´t think none on this list is > >

RE: StartCom inclusion request: next steps

2017-09-15 Thread Inigo Barreira via dev-security-policy
tartcomca@lists.mozilla.org] On Behalf Of Percy via dev- > security-policy > Sent: jueves, 14 de septiembre de 2017 22:13 > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: StartCom inclusion request: next steps > > "Conclusion: StartCom's atte

Re: FW: StartCom inclusion request: next steps

2017-09-14 Thread Jakob Bohm via dev-security-policy
On 14/09/2017 17:05, Inigo Barreira wrote: All, ... We should add the existing Certnomis cross-signs to OneCRL to revoke all the existing certificates. As of 10th August (now a month ago) StartCom said they have 5 outstanding SSL certs which are valid due to the Certnomis cross- sign.

Re: FW: StartCom inclusion request: next steps

2017-09-14 Thread Nick Lamb via dev-security-policy
On Thursday, 14 September 2017 16:00:35 UTC+1, Inigo Barreira wrote: > Well, finally this is a business and I don´t think none on this list is > working for free. At the end everyone has his/her salary, etc. But that was > not the main reason because getting included in the root programs takes

Re: StartCom inclusion request: next steps

2017-09-14 Thread Percy via dev-security-policy
"Conclusion: StartCom's attempt to restart the CA was rushed." "It was a very hard task in very few time but the people at 360 tried everything to get it done by that date, end of december 2016, and yes, we reached the date but with many failures" May I ask why StartCom choose to rush

FW: StartCom inclusion request: next steps

2017-09-14 Thread Inigo Barreira via dev-security-policy
All, Obviously this is not the message we would like to read and will try to explain and rebate as much as possible some of the comments posted here. > > The Mozilla CA Certificates team has been considering what the appropriate > next steps are for the inclusion request from the CA

Re: StartCom inclusion request: next steps

2017-09-14 Thread Jonathan Rudenberg via dev-security-policy
> On Sep 14, 2017, at 04:49, Gervase Markham via dev-security-policy > wrote: > > We should add the existing Certnomis cross-signs to OneCRL to revoke > all the existing certificates. As of 10th August (now a month ago) > StartCom said they have 5