Re: Symantec Update on SubCA Proposal

2017-07-26 Thread Jakob Bohm via dev-security-policy
On 25/07/2017 22:28, Rick Andrews wrote: ... You are correct in that most customers are indeed not prepared to deal with potential crises in the SSL system. We have all witnessed this first hand with Heartbleed, the replacement of SHA1 certificates, etc. A four month replacement window for a

Re: Private key corresponding to public key in trusted Cisco certificate embedded in executable

2017-07-26 Thread Jakob Bohm via dev-security-policy
On 25/07/2017 14:58, simon.wat...@surevine.com wrote: On Tuesday, 20 June 2017 10:43:37 UTC+1, Nick Lamb wrote: On Tuesday, 20 June 2017 05:50:06 UTC+1, Matthew Hardeman wrote: The right balance is probably revoking when misuse is shown. Plus education. Robin has stated that there _are_

Re: Symantec Update on SubCA Proposal

2017-07-26 Thread Alex Gaynor via dev-security-policy
On Tue, Jul 25, 2017 at 4:28 PM, Rick Andrews via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > Symantec has proposed timing changes that are consistent with the scope of > distrust of the original SubCA proposal as proposed by Google and endorsed > by Mozilla, which

Re: Bad characters in dNSNames

2017-07-26 Thread Rob Stradling via dev-security-policy
On 26/07/17 11:44, Kurt Roeckx via dev-security-policy wrote: On 2017-07-26 12:21, Rob Stradling wrote: At Jonathan's suggestion, I've used the crt.sh DB to produce this report of certs that have SAN:dNSName(s) that contain non-permitted characters: The report says "CN or dNSName". It's my

Re: Bad characters in dNSNames

2017-07-26 Thread Kurt Roeckx via dev-security-policy
On 2017-07-26 12:21, Rob Stradling wrote: At Jonathan's suggestion, I've used the crt.sh DB to produce this report of certs that have SAN:dNSName(s) that contain non-permitted characters: The report says "CN or dNSName". It's my understanding that in the CN you can have international

Bad characters in dNSNames

2017-07-26 Thread Rob Stradling via dev-security-policy
At Jonathan's suggestion, I've used the crt.sh DB to produce this report of certs that have SAN:dNSName(s) that contain non-permitted characters: https://docs.google.com/spreadsheets/d/1IACTYMDXcdz4DoMKxkHfePfb5mv2XN68BcB7p6acTqg/edit?usp=sharing I've only looked at certs for which there's a

Re: Symantec Update on SubCA Proposal

2017-07-26 Thread Nick Lamb via dev-security-policy
On Tuesday, 25 July 2017 21:29:06 UTC+1, Rick Andrews wrote: > The details of this process would probably be best served in a separate > thread. Essentially, such a process would involve a quick assessment by the > community on the context and merits of the request by the customer You want us