Re: DYMO Root CA installed by Label Printing Software

2018-01-09 Thread Peter Gutmann via dev-security-policy
Ryan Sleevi writes: >I similarly suspect you’re unaware of https://wicg.github.io/cors-rfc1918/ in >which browsers seek to limit or restrict communication to such devices? A... blog post? Not sure what that is, it's labelled "A Collection of Interesting Ideas", stashed on

Re: DYMO Root CA installed by Label Printing Software

2018-01-09 Thread Ryan Sleevi via dev-security-policy
On Wed, Jan 10, 2018 at 3:33 AM Peter Gutmann wrote: > Ryan Sleevi writes: > > >I hope you can see how I responded to precisely the problem provided. > > You responded to that one specific limited instance. I responded to the topic of this thread,

Re: DYMO Root CA installed by Label Printing Software

2018-01-09 Thread Peter Gutmann via dev-security-policy
Ryan Sleevi writes: >I hope you can see how I responded to precisely the problem provided. You responded to that one specific limited instance. That doesn't work for anything else where you've got a service that you want to make available over HTTPS. Native messaging is a

Potential problem with ACME TLS-SNI-01 validation

2018-01-09 Thread josh--- via dev-security-policy
We've received a credible report of a problem with ACME TLS-SNI-01 validation which could allow people to get certificates they should not be able to get. While we investigate further we have disabled tls-sni-01 validation. We'll post more information soon.

Re: DYMO Root CA installed by Label Printing Software

2018-01-09 Thread Ryan Sleevi via dev-security-policy
On Wed, Jan 10, 2018 at 12:42 AM Peter Gutmann wrote: > Ryan Sleevi writes: > > >Of course, if that doesn’t tickle your fancy, there are other ways that > are > >supported that you may not have heard about - for example: > > >

Re: DYMO Root CA installed by Label Printing Software

2018-01-09 Thread Jonathan Rudenberg via dev-security-policy
> On Jan 9, 2018, at 19:31, Peter Gutmann via dev-security-policy > wrote: > > Jonathan Rudenberg writes: > >> For communicating with other machines, the correct thing to do is to issue a >> unique certificate for each device from

Re: DYMO Root CA installed by Label Printing Software

2018-01-09 Thread Peter Gutmann via dev-security-policy
Jonathan Rudenberg writes: >For communicating with other machines, the correct thing to do is to issue a >unique certificate for each device from a publicly trusted CA. The way Plex >does this is a good example:

Changes to CA Program - Q1 2018

2018-01-09 Thread Kathleen Wilson via dev-security-policy
All, I would like to thank Aaron Wu for all of his help on our CA Program, and am sorry to say that his last day at Mozilla will be January 12. I have appreciated all of Aaron’s work, and it has been a pleasure to work with him. I will be re-assigning all of the root inclusion/update

Re: DYMO Root CA installed by Label Printing Software

2018-01-09 Thread Jonathan Rudenberg via dev-security-policy
> On Jan 9, 2018, at 18:42, Peter Gutmann via dev-security-policy > wrote: > > Ryan Sleevi writes: > >> Of course, if that doesn’t tickle your fancy, there are other ways that are >> supported that you may not have heard about - for

Re: DYMO Root CA installed by Label Printing Software

2018-01-09 Thread Peter Gutmann via dev-security-policy
Ryan Sleevi writes: >Of course, if that doesn’t tickle your fancy, there are other ways that are >supported that you may not have heard about - for example: >https://docs.microsoft.com/en-us/microsoft-edge/extensions/guides/native-messaging >

Re: DYMO Root CA installed by Label Printing Software

2018-01-09 Thread Ryan Sleevi via dev-security-policy
On Wed, Jan 10, 2018 at 12:08 AM Peter Gutmann wrote: > Ryan Sleevi writes: > > >Or is your viewpoint that because this happened in the past, one should > >assume that it will forever happen, no matter how much the ecosystem > changes - > >including

Re: DYMO Root CA installed by Label Printing Software

2018-01-09 Thread Peter Gutmann via dev-security-policy
Ryan Sleevi writes: >Or is your viewpoint that because this happened in the past, one should >assume that it will forever happen, no matter how much the ecosystem changes - >including explicitly prohibiting it for years? Pretty much. See the followup message, which shows it

Re: DYMO Root CA installed by Label Printing Software

2018-01-09 Thread Ryan Sleevi via dev-security-policy
On Tue, Jan 9, 2018 at 11:12 PM Peter Gutmann wrote: > Ryan Sleevi writes: > > >First, there are non-commercial CAs that are trusted. > > By "commercial CAs" I meant external business entities, not an in-house CA > that the key or cert owner controls.

Re: DYMO Root CA installed by Label Printing Software

2018-01-09 Thread Peter Gutmann via dev-security-policy
Ryan Sleevi writes: >First, there are non-commercial CAs that are trusted. By "commercial CAs" I meant external business entities, not an in-house CA that the key or cert owner controls. Doesn't matter if they charge money or not, you still need to go to an external

Re: DYMO Root CA installed by Label Printing Software

2018-01-09 Thread Ryan Sleevi via dev-security-policy
On Tue, Jan 9, 2018 at 4:40 PM, Peter Gutmann via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > Nicholas Humfrey via dev-security-policy writes: > > >What is the correct way for them to achieve what they are trying to do? > > I'm

Re: DYMO Root CA installed by Label Printing Software

2018-01-09 Thread Hanno Böck via dev-security-policy
Hi, On Tue, 09 Jan 2018 21:04:34 Nicholas Humfrey via dev-security-policy wrote: > What is the correct way for them to achieve what they are trying to > do? > > Would it be better to use a self-signed localhost certificate (same > subject and >

Re: DYMO Root CA installed by Label Printing Software

2018-01-09 Thread Peter Gutmann via dev-security-policy
Nicholas Humfrey via dev-security-policy writes: >What is the correct way for them to achieve what they are trying to do? I'm not sure if there is a correct way, just a least awful way. The problem is that the browser vendors have decreed that you can

DYMO Root CA installed by Label Printing Software

2018-01-09 Thread Nicholas Humfrey via dev-security-policy
Hello, Apologies if this is off-topic but I am not sure where else to query this. While going through the list of Root Certificate Authorities on my computer, I was alarmed to discover one I wasn't expecting there, called "DYMO Root CA (for localhost)". This certificate was installed by the

Re: Serial number length

2018-01-09 Thread Gervase Markham via dev-security-policy
Hi, On 29/12/17 06:24, Jakob Bohm wrote: > 1. Do all recently issued certificates have to contain at least 64 bits >   of randomness in their serial numbers? Yes. (References given by others.) > 2. Is it acceptable for a CA to satisfy this requirement by generating >   random 64 bit serial
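As an added illustration of the 64-bit requirement discussed above (this is editor-supplied example code, not something posted in the thread or published by Mozilla), the block below generates a serial that keeps all 64 CSPRNG bits while staying positive, and runs the checks that can actually be made on a serial after the fact. The rules it encodes are the CA/Browser Forum Baseline Requirements section 7.1 wording (non-sequential, greater than zero, at least 64 bits of CSPRNG output) and the RFC 5280 limit of 20 DER octets; the choice to place a fixed 1 bit above the random bits is one construction among several, and the batch heuristic for spotting counter-based issuance is a simple one of this editor's own.

```python
import secrets

# CA/Browser Forum Baseline Requirements section 7.1 (effective 2016-09-30):
# serial numbers must be non-sequential, greater than zero, and contain at
# least 64 bits of output from a CSPRNG. RFC 5280 section 4.1.2.2 caps the
# DER-encoded INTEGER at 20 octets.
MIN_RANDOM_BITS = 64
MAX_DER_OCTETS = 20


def generate_serial(random_bits: int = MIN_RANDOM_BITS) -> int:
    """Return a positive serial carrying `random_bits` bits of CSPRNG output.

    A fixed 1 bit is placed just above the random bits, so the value is always
    positive and non-zero while every random bit is kept. Clearing the top bit
    of a 64-bit draw (a tempting shortcut) would leave only 63 random bits.
    """
    if random_bits < MIN_RANDOM_BITS:
        raise ValueError(f"{random_bits} random bits is below the 64-bit floor")
    return (1 << random_bits) | secrets.randbits(random_bits)


def der_integer_length(value: int) -> int:
    """Octets needed for the content of a DER INTEGER holding `value` (> 0).

    DER uses minimal two's-complement encoding, so a positive value whose top
    bit lands on an octet boundary needs an extra leading 0x00 octet.
    """
    if value <= 0:
        raise ValueError("only positive serials are considered here")
    return value.bit_length() // 8 + 1


def parse_serial_hex(text: str) -> int:
    """Parse a serial as printed by openssl or crt.sh, e.g. '0a:1b:2c'."""
    return int(text.replace(":", "").replace(" ", ""), 16)


def check_serial(serial: int) -> list:
    """Return findings for one serial; an empty list means nothing is wrong.

    Randomness cannot be measured from a single value, so only the necessary
    conditions are checked: a serial shorter than 64 bits cannot contain
    64 bits of CSPRNG output, and every serial must be positive and fit in
    20 DER octets.
    """
    findings = []
    if serial <= 0:
        findings.append("serial is not greater than zero")
        return findings
    if serial.bit_length() < MIN_RANDOM_BITS:
        findings.append(
            f"only {serial.bit_length()} bits: cannot hold 64 bits of randomness")
    octets = der_integer_length(serial)
    if octets > MAX_DER_OCTETS:
        findings.append(f"DER INTEGER would be {octets} octets, limit is 20")
    return findings


def looks_sequential(serials: list) -> bool:
    """Heuristic over serials in issuance order: True if every adjacent pair
    differs by exactly one, the signature of a counter-based (non-compliant)
    scheme. A random scheme will essentially never trip this."""
    return len(serials) > 1 and all(b - a == 1 for a, b in zip(serials, serials[1:]))


if __name__ == "__main__":
    s = generate_serial()
    print(f"{s:x}", der_integer_length(s), "octets", check_serial(s))
    # Constructed sample: a counter-style serial run and a too-short serial.
    print(looks_sequential([0x1000, 0x1001, 0x1002]), check_serial(0x1002))
```

The check functions deliberately refuse to claim more than they can: a single serial can fail (too short, zero, negative, oversized) but cannot pass a randomness test, so an audit of issued certificates needs the batch view as well as the per-serial checks.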

Re: Dashboard and Study on CAA Adoption

2018-01-09 Thread Gervase Markham via dev-security-policy
Hi Quirin, On 15/12/17 15:09, Quirin Scheitle wrote: > The results, paper, and a dashboard tracking CAA adoption are available under > > https://caastudy.github.io/ Belatedly, thank you and your colleagues for doing this excellent work. It is interesting that you have received no iodef

RE: Misissued certificate

2018-01-09 Thread Francesc Ferrer via dev-security-policy
Dear all, In response to Mr. Gaynor's email reporting a mis-issued certificate, the owner of the certificate has been contacted and its revocation requested. Our compromise is to have it revoked by this afternoon at most. After reviewing the problem, we believe that given the issuance date