Policy 2.7.1: MRSP Issue #186: Requirement to Disclose Self-signed Certificates

2020-10-28 Thread Ben Wilson via dev-security-policy
Issue #186 in GitHub deals with the disclosure of CA certificates that directly or transitively chain up to an already-trusted, Mozilla-included root. A common scenario for the situation discussed in Issue #186 is when a CA creates a second (or

Policy 2.7.1: MRSP Issue #173: Strengthen requirement for newly included roots to meet all current requirements

2020-10-28 Thread Ben Wilson via dev-security-policy
The current language of MRSP section 7.1 says, "Before being included, CAs MUST provide evidence that their CA certificates have continually, from the time of creation, complied with the then-current Mozilla Root Store Policy and Baseline Requirements." If an older root were to be submitted for

Re: EJBCA performs incorrect calculation of validities

2020-10-28 Thread Jakob Bohm via dev-security-policy
On 2020-10-28 20:54, Ryan Sleevi wrote: On Wed, Oct 28, 2020 at 10:50 AM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: This aspect of RFC5280 section 4.1.2.5 is quite unusual in computing, where the ends of intervals are typically encoded such that

Re: EJBCA performs incorrect calculation of validities

2020-10-28 Thread Ryan Sleevi via dev-security-policy
On Wed, Oct 28, 2020 at 10:50 AM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > This aspect of RFC5280 section 4.1.2.5 is quite unusual in computing, > where the ends of intervals are typically encoded such that subtracting > the interval ends (as pure

Re: EJBCA performs incorrect calculation of validities

2020-10-28 Thread Jakob Bohm via dev-security-policy
On 2020-10-28 11:55, Mike Kushner wrote: Hi all, We were alerted to the fact that EJBCA does not calculate certificate and OCSP validities in accordance with RFC 5280, which has been a requirement since BR 1.7.1. The word "inclusive" was not caught, meaning that a certificate/response issued

Re: EJBCA performs incorrect calculation of validities

2020-10-28 Thread Burton via dev-security-policy
Mike, How do you plan to stop similar issues from occurring in future? Thank you Burton On Wed, 28 Oct 2020, 10:55 Mike Kushner via dev-security-policy, <dev-security-policy@lists.mozilla.org> wrote: > Hi all, > > We were alerted to the fact that EJBCA does not calculate certificate and >

EJBCA performs incorrect calculation of validities

2020-10-28 Thread Mike Kushner via dev-security-policy
Hi all, We were alerted to the fact that EJBCA does not calculate certificate and OCSP validities in accordance with RFC 5280, which has been a requirement since BR 1.7.1. The word "inclusive" was not caught, meaning that a certificate/response issued by EJBCA will have a validity of one second