RE: Proposed policy change: require private pre-notification of 3rd party subCAs

2017-10-24 Thread Ben Wilson via dev-security-policy
I’ll leave Jeremy’s comments as DigiCert’s most recent. From: Eric Mill [mailto:e...@konklone.com] Sent: Tuesday, October 24, 2017 2:34 PM To: Ben Wilson Cc: Doug Beattie ; Gervase Markham ;

Re: Proposed policy change: require private pre-notification of 3rd party subCAs

2017-10-24 Thread Eric Mill via dev-security-policy
Ben, I think Gerv addressed Doug's concern and indicated that situation wouldn't fall under this policy. If that's not accurate, it'd be worth an on-list clarification. On Tue, Oct 24, 2017 at 9:01 AM, Ben Wilson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I echo

Incident Report : GoDaddy certificates with ROCA Fingerprint

2017-10-24 Thread Daymion Reynolds via dev-security-policy
GoDaddy LLC first became aware of possible ROCA vulnerability exposure on Monday October 16th 2017 at 9:30am. The following are the steps we took for detection, revocation, and the permanent fix of certificate provisioning: • Monday October 16th 2017 AZ, first became aware of the ROCA

RE: Proposed policy change: require private pre-notification of 3rd party subCAs

2017-10-24 Thread Jeremy Rowley via dev-security-policy
Assuming the rule applies only to externally run third parties, I think it's an excellent idea, but perhaps it should be a public pre-notification? As you mentioned, the relationship will become transparent through CCADB submission and the audit report, so what's the advantage of keeping it

Re: Proposed policy change: require private pre-notification of 3rd party subCAs

2017-10-24 Thread Gervase Markham via dev-security-policy
Hi Doug, On 24/10/17 16:43, Doug Beattie wrote: > I assume this applies equally to cross signing, Yes. > but not to "Vanity" CAs that are set up and run by the CA on behalf of a > customer. If you have physical control of the intermediate and control of issuance, it doesn't apply. Gerv

RE: Proposed policy change: require private pre-notification of 3rd party subCAs

2017-10-24 Thread Doug Beattie via dev-security-policy
Gerv, I assume this applies equally to cross signing, but not to "Vanity" CAs that are set up and run by the CA on behalf of a customer. Is that accurate? Doug > -Original Message- > From: dev-security-policy [mailto:dev-security-policy- >

Re: Proposed policy change: require private pre-notification of 3rd party subCAs

2017-10-24 Thread Ryan Sleevi via dev-security-policy
I think this would be of great benefit to the community. 1) It provides meaningful opportunity to ensure that the Mozilla-specific program requirements are being met. The spate of misissuances discussed in the past few months have revealed an unfortunately common trend of CAs not staying aware of

Proposed policy change: require private pre-notification of 3rd party subCAs

2017-10-24 Thread Gervase Markham via dev-security-policy
One of the ways in which the number of organizations trusted to issue for the WebPKI is extended is by an existing CA bestowing the power of issuance upon a third party in the form of control of a non-technically-constrained subCA. Examples of such are the Google and Apple subCAs under GeoTrust,