Re: StartCom & Qihoo Incidents
On Thursday, October 27, 2016 at 5:26:23 PM UTC-7, Erwann Abalea wrote:
> On Thursday, 27 October 2016 at 09:55:09 UTC+2, Percy wrote:
> > So this is it? Qihoo can continue to get away with this MITM browser?
>
> I'm afraid that can't be solved by Mozilla. Qihoo is free to sell or freely
> distribute their browser.

Since I'm not familiar with the CAB Forum, does the CAB Forum have the authority to compel its members to protect its users?
Re: New SHA-1 certificates issued in 2016
On Friday, October 28, 2016 at 9:06:44 AM UTC-7, Ben Wilson wrote:
> -----Original Message-----
> Subject: RE: New SHA-1 certificates issued in 2016
>
> Thank you, Patrick, for pointing these out to us. DigiCert has been in the
> forefront pushing the move toward SHA-2. In fact, we've been issuing SHA-2
> certificates by default to our customers for a couple of years now. We've
> communicated with these sub-CAs and requested that these certificates be
> revoked. We'll follow up with a status report on our efforts sometime next
> week.
> Sincerely yours,
> Ben Wilson
> DigiCert VP of Compliance

Ben,

While it's useful that you've requested that these certs be revoked, as has been pointed out during numerous discussions of SHA-1, a revocation does not mitigate the fact that a SHA-1 cert was issued, as an attacker can manipulate the contents in such a way as to avoid any revocations.

More important to the community would be understanding why these subordinate CAs are not complying with the Baseline Requirements, as required by the Mozilla Root Certificate Program policies, and as required by the Baseline Requirements. As these are not technically constrained sub-CAs, what we have is demonstrable evidence of several possibilities, most seriously:

1) That these CAs may not be adhering to the Baseline Requirements as part of their policies - an indicator that their auditors may be derelict in their professional duties to ensure that the policies and practices are consistent with the BRs

2) If their policies document adherence, as they're required to, then these CAs are not issuing according to their CP/CPS

Could you indicate what steps DigiCert is taking to assure members of the public that these subordinate CAs will be operated in a manner consistent with expectations?
RE: New SHA-1 certificates issued in 2016
Resending without a digital signature.

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+ben=digicert@lists.mozilla.org] On Behalf Of Ben Wilson
Sent: Friday, October 28, 2016 10:01 AM
To: Patrick Figel; mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: New SHA-1 certificates issued in 2016

Thank you, Patrick, for pointing these out to us. DigiCert has been in the forefront pushing the move toward SHA-2. In fact, we've been issuing SHA-2 certificates by default to our customers for a couple of years now. We've communicated with these sub-CAs and requested that these certificates be revoked. We'll follow up with a status report on our efforts sometime next week.

Sincerely yours,
Ben Wilson
DigiCert VP of Compliance

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+ben=digicert@lists.mozilla.org] On Behalf Of Patrick Figel
Sent: Friday, October 28, 2016 9:12 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: New SHA-1 certificates issued in 2016

I found a number of SHA-1 certificates chaining up to CAs trusted by Mozilla that have not been brought up on this list or on Bugzilla yet. Apologies in case I missed prior discussion for any of these, and kudos to censys for making this search incredibly easy.

#1 https://crt.sh/?id=32335005&opt=cablint
Common Name: portalcsg.siemens.com
Serial: 1518050245
Not Before: Jul 12 14:01:45 2016 GMT
Chains to: "Baltimore CyberTrust Root" (DigiCert) via:
- Siemens Issuing CA Class Internet Server 2013
- Siemens Internet CA V1.0

#2 https://crt.sh/?id=32335007&opt=cablint
Common Name: downloada.industrysoftware.automation.siemens.com
Serial: 2087556804
Not Before: May 10 15:54:05 2016 GMT
Chains to: "Baltimore CyberTrust Root" (DigiCert) via:
- Siemens Issuing CA Class Internet Server 2013
- Siemens Internet CA V1.0

#3 https://crt.sh/?id=32331581&opt=cablint
Common Name: VPN-PDC1.vodafone.com
Serial: 77:00:1c:7f:f6:f8:7e:5d:d6:48:bf:72:4d:00:01:00:1c:7f:f6
Not Before: Jun 23 09:39:53 2016 GMT
Chains to: "Baltimore CyberTrust Root" (DigiCert) via:
- Vodafone (Corporate Services 2009)
- Vodafone (Corporate Domain 2009)

#4 https://crt.sh/?id=20279777&opt=cablint
Common Name: styles.ag2rlamondiale.fr
Serial: 11:21:79:9c:b3:3b:51:dd:43:a5:40:b5:a2:4b:81:38:b8:4a
Not Before: May 23 12:02:20 2016 GMT
Chains to: "Class 2 Primary CA" (DocuSign (OpenTrust/Keynectis)) via:
- CLASS 2 KEYNECTIS CA

#5 https://crt.sh/?id=23099350&opt=cablint
Common Name: enterprisevault.dnb.no
Serial: 7e:c3:58:c6:d5:0a:4a:7f:c6:be:ea:19:f3:f4:98:e5:9d:cd:df:41
Not Before: May 19 13:15:04 2016 GMT
Chains to: "Baltimore CyberTrust Root" (DigiCert) via:
- DnB NOR ASA PKI Class G
- Eurida Primary CA

#6 Don't know what to make of this one. It's a CA:true SHA-1 certificate. Not sure what the BRs/Mozilla's policies have to say about this:
https://crt.sh/?id=2199&opt=cablint
Common Name: ACCV-CA3
Serial: 1246797330
Not Before: May 23 10:00:00 2016 GMT
Chains to: "Root CA Generalitat Valenciana" (Government of Spain)

#7 Some non-TLS-Server-Auth SHA-1 certificates chaining up to "Certum CA" (Asseco Data Systems S.A.). Most appear to be S/MIME or TLS client auth certificates, but I don't think the intermediates have any relevant technical constraints. I'm not sure if they're in scope for BRs/Mozilla, but here's the list in any case:
https://crt.sh/?id=26427662&opt=cablint
https://crt.sh/?id=32333872&opt=cablint
https://crt.sh/?id=19594797&opt=cablint
https://crt.sh/?id=24979702&opt=cablint
Re: Guang Dong Certificate Authority (GDCA) root inclusion request
We have uploaded the latest translation of the CP/CPS.

CP: https://bugzilla.mozilla.org/attachment.cgi?id=8805543
CPS: https://bug1128392.bmoattachments.org/attachment.cgi?id=8805545
EV CP: https://bugzilla.mozilla.org/attachment.cgi?id=8805546
EV CPS: https://bug1128392.bmoattachments.org/attachment.cgi?id=8805547

Because of our English level, there may be some mistakes. If you have any questions, please contact us.
Re: Guang Dong Certificate Authority (GDCA) root inclusion request
We do not intend to cover up anything, since we disclosed every change to the Chinese version of the CP/CPS immediately after the auditor reviewed it.

The "ROOTCA(SM2)" CA in §1.1.3 of CPS ver4.3 is equivalent to the "SM2 ROOT Certificate" CA in §1.1.3 of CPS ver4.1. The "Guangdong Certificate Authority(SM2)" CA in §1.1.3 of CPS ver4.3 is equivalent to the "SM2 CA Certificate" CA in §1.1.3 of CPS ver4.1. We changed these names in the diagram in this revision in order to show the actual CN of these certificates.

Furthermore, we only issue SM2 subscriber certificates from the subCA of the "ROOTCA(SM2)" CA.