On Monday, April 11, 2016 at 9:04:32 PM UTC+2, Kathleen Wilson wrote:
> All,
>
> I previously updated section 11 of the draft of version 2.3 of Mozilla's CA
> Certificate Inclusion Policy to reflect the new ETSI numbers.
>
> Please see section 11 of
>
On Monday, June 27, 2016 at 10:30:15 AM UTC+2, inigo.b...@gmail.com wrote:
> On Saturday, June 25, 2016 at 1:45:49 AM UTC+2, Kathleen Wilson wrote:
> > All,
> >
> > It seems that ETSI has not yet officially retired ETSI TS 102 042, although
> > they published ETSI EN 319 411-1 which "is derived
On Saturday, June 25, 2016 at 1:45:49 AM UTC+2, Kathleen Wilson wrote:
> All,
>
> It seems that ETSI has not yet officially retired ETSI TS 102 042, although
> they published ETSI EN 319 411-1 which "is derived from the requirements
> specified in ETSI TS 102 042".
>
> Can CAs continue to use
Yes, I also agree. This was also taken into account when writing the ETSI
standards, and for the CA certs, the minimum is what Peter has indicated
plus the common name. We indicate that "... shall contain at least the
following attributes": countryName, organizationName and commonName
All,
In this link,
https://www.startssl.com/report/StartCom_Remediation_Plan_14102016.pdf,
you'll find the detailed remediation plan for StartCom as was notified last
week. It took us some time to have all the people needed for these tasks and
clarify the dates for fixing all the possible
Hi all,
I've been reading some emails that need clarification from both sides.
Firstly I'd like to remind, if I'm not wrong, that Kathleen proposed an
action plan for distrusting StartCom, which has been taken as the final
decision, but with a small option to regain the trust for StartCom
, Inigo Barreira wrote:
> I see many "should" in this link. Basically those indicating "should
> notify Mozilla" and "should follow the physical relocation section".
It may be that this document does need redoing in formal policy language. In
the mean time
Gerv,
I see many "should" in this link. Basically those indicating "should notify
Mozilla" and "should follow the physical relocation section". But in
physical relocation and personnel changes sections it seems to me there's a
contradiction because there are some must. Can you explain the
Hi, this is my reply in the bugzilla
Hi all,
what Franck is saying is true and we haven't started to issue any cert using
this new path.
Regarding the info that is in this bug I'm really shocked because the
majority of them are revoked and don't understand why have been included
here.
For
igel.email]
Sent: Thursday, 3 August 2017 13:07
To: Inigo Barreira <in...@startcomca.com>; Franck Leroy
<fr.le...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: StartCom cross-signs disclosed by Certinomis
On 03/08/2017 10:47, Inigo Barreira via dev-security-p
[mailto:jonat...@titanous.com]
Sent: Thursday, 3 August 2017 16:52
To: Inigo Barreira <in...@startcomca.com>
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: StartCom cross-signs disclosed by Certinomis
> On Aug 3, 2017, at 04:47, Inigo Barreira via dev-security-policy
Thanks for this info. These Startcom certs were issued from the old system.
We'll contact the users and act accordingly.
Best regards
Iñigo Barreira
CEO
StartCom CA Limited
-Original Message-
From: dev-security-policy
Barreira <in...@startcomca.com>; mozilla-dev-security-policy
<mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: Symantec Conclusions and Next Steps
On 27/04/17 11:56, Inigo Barreira wrote:
> Good to know that our new certs are there :-) Regarding StartCom,
> these are t
Good to know that our new certs are there :-)
Regarding StartCom, these are the new certs we've generated and will be used
to apply for inclusion in the Mozilla root program. Nothing to disclose at
the moment I guess. We've not been audited yet nor applied.
Best regards
Iñigo Barreira
CEO
>
> In this larger light, it would also seem that StartCom, having misissued a
number of certificates already under their new hierarchy, which present a
risk to Mozilla users (revocation is neither an excuse nor a mitigation for
misissuance), should be required to take corrective steps and
Hi Percy,
StartCom Spain exists since September last year. And it was included in the
remediation plan set in October last year, but at the time Gerv wrote that
email it didn't exist officially, it took a while to be registered
officially in the "equivalent" Spanish companies house.
The process
Hi,
1.- yes, I said many times that it was not a good decision and of course not
the best way to start, but at all times these test certs were under control,
lived only for some minutes. Everything was explained in bugzilla #1369359
2.- Those pre-certificates were related to these test
Hi,
In the remediation plan that was published in October there was a chart in
which was indicated how the group was going to change, from WoSign management
to be under 360 management. I can provide the information again if you wish.
StartCom Spain is 100% owned by Startcom UK, which is also 100%
Wosign and Startcom?
No
Are there any personnel switching between WoSign and Startcom?
No
On Tuesday, August 8, 2017 at 4:39:39 AM UTC-4, Inigo Barreira wrote:
> Hi,
>
> 1.- yes, I said many times that it was not a good decision and of
> course not the best way to start, but
Yes, thank you for letting us know.
Best regards
Iñigo Barreira
CEO
StartCom CA Limited
-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+inigo=startcomca@lists.mozilla.org] On
Behalf Of Lewis Resmond via dev-security-policy
Sent: miércoles, 3 de
definition of constraints for
id-kp-emailProtection
On 19/05/17 15:16, Inigo Barreira wrote:
> What about those for gmail, Hotmail, etc.? Are out of scope?
I'm not sure what you mean. If Gmail wants a TCSC for @gmail.com, they can
have one. They would presumably need to set the dirN
Hi all,
There's been a misunderstanding internally when requested to create some "test"
certificates as indicated in the Microsoft root program requirements as stated
in 4b "Test URLs for each root, or a URL of a publicly accessible server that
Microsoft can use to verify the certificates."
Hi all,
Firstly I'd like to apologize for not having answered before and for
posting an initial response that was not correct, not accurate and not
related to what it's being discussed right now. It was my fault for not having
checked before with my team, which is in China and they are 6 hours
Hello all,
I also did it but it's not reflected.
In my case was also my fault because I was disclosing a different one.
Best regards
Iñigo Barreira
CEO
StartCom CA Limited
-Original Message-
From: dev-security-policy
Sent: Thursday, 1 June 2017 14:46
To: Eric Mill <e...@konklone.com>; Gervase Markham <g...@mozilla.org>; Inigo
Barreira <in...@startcomca.com>; Jeremy Rowley <jeremy.row...@digicert.com>;
Yuhong Bao <yuhongbao_...@hotmail.com>
Cc: Kurt Roeckx <k...@roeckx.be>
What about those for gmail, Hotmail, etc.? Are out of scope?
Best regards
Iñigo Barreira
CEO
StartCom CA Limited
-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+inigo=startcomca@lists.mozilla.org]
On Behalf Of Gervase Markham via dev-security-policy
> > >
> > > > Those tests were done to check the CT behaviour, there was any
> > > > other
> > > testing of the new systems, just for the CT. Those certs were under
> > > control all the time and were lived for some minutes because were
> > > revoked immediately after checking the certs were
>
> > Those tests were done to check the CT behaviour, there was any other
> testing of the new systems, just for the CT. Those certs were under control
> all
> the time and were lived for some minutes because were revoked immediately
> after checking the certs were logged correctly in the CTs.
> Hi Inigo,
>
> To add from the last post.
>
> I know this is unwelcome news to you but I feel that with all these incidents
> happening right now with Symantec and the incidents before, we can't really
> take any more chances. Every incident is eroding trust in this system and if
> we
> want
> > Yes, you're right, that was on the table and also suggested by
> > Mozilla, but the issue was that people from 360 are used to code in
> > PHP and the old one was in Java and some other for which they are not
> > so familiar and then was decided to re-write all the code in PHP
> > trying to
>
> Hi Inigo,
>
> On 14/09/17 16:05, Inigo Barreira wrote:
> > Those tests were done to check the CT behaviour, there was any other
> testing of the new systems, just for the CT.
>
> Is there any reason those tests could not have been done using a parallel
>
do about StartCom's poor quality PHP code. While
> continued use of it would cause us concern, we are not really in a position to
> request particular changes to it, or a complete rewrite, in a verifiable way.
> On
> the other hand, a security audit is a remediation condition, and the c
> On 14/09/2017 17:05, Inigo Barreira wrote:
> > All,
> >
> > ...
> >>
> >> We should add the existing Certinomis cross-signs to OneCRL to revoke
> >> all the existing certificates. As of 10th August (now a month ago)
> >> StartCom said they
Hi Percy,
Yes, you're right, that was on the table and also suggested by Mozilla, but
the issue was that people from 360 are used to code in PHP and the old one
was in Java and some other for which they are not so familiar and then was
decided to re-write all the code in PHP trying to keep the
re de 2017 1:22
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: FW: StartCom inclusion request: next steps
>
> On Thursday, 14 September 2017 16:00:35 UTC+1, Inigo Barreira wrote:
> > Well, finally this is a business and I don't think none on this list is
> >
een improved since then. The audits are just for that, and we will
continue doing yearly security audits to improve our systems.
>
> Though I would love to see StartCom up and running again, I have to agree
> with James that all of these issues do not enwake trust into you and instead
olicy-
> bounces+inigo=startcomca@lists.mozilla.org] On Behalf Of Gervase
> Markham via dev-security-policy
> Sent: Thursday, 5 October 2017 11:48
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: PROCERT issues
>
> On 05/10/17 15:32, Inigo Barreira wrote:
[mailto:dev-security-policy-bounces+inigo=startcomca@lists.mozilla.org]
On Behalf Of Inigo Barreira via dev-security-policy
Sent: Monday, 4 September 2017 18:40
To: Andrew Ayer <a...@andrewayer.name>
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: StartCom communication
Hi
Hi Gerv,
Those updates are referred basically to the format of the report in which
Franck asked to include specific information such as the serial number,
names, etc. according to your instructions. The report itself has not been
changed (that's forbidden).
Regarding the qualifications or
Hi Quirin,
I was going to reply to your email after investigating what happened, but since
you've posted here, I can share it.
I think most of the CAs are struggling with the DNSSEC interpretation or how to
solve some of the issues.
In our case, I can tell the following:
The DNSSEC checking is
Thanks Quirin, we're working with Primekey to know what happened (we'll
generate a report once known) and will contact you if necessary to check
that info you have.
Regarding the logs, the log message actually means that CAA either
explicitly permitted the issuance, or implicitly permitted
]
On Behalf Of Nick Lamb via dev-security-policy
Sent: Tuesday, 12 September 2017 12:26
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone
On Tuesday, 12 September 2017 10:38:56 UTC+1, Inigo Barreira wrote:
> Futherm
rreira
CEO
StartCom CA Limited
-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+inigo=startcomca@lists.mozilla.org]
On Behalf Of Inigo Barreira via dev-security-policy
Sent: Tuesday, 12 September 2017 12:44
To: Nick Lamb <tialara...@gma
Message-
From: Andrew Ayer [mailto:a...@andrewayer.name]
Sent: Monday, 4 September 2017 18:06
To: Inigo Barreira <in...@startcomca.com>
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: StartCom communication
On Mon, 4 Sep 2017 12:10:19 +
Inigo Barreira via dev-se
Hi all,
I've realized that there has not been a good communication path to announce
all the tasks and actions performed by StartCom during this time and this
email will try to remediate it. I'd also like to ask you for some feedback,
comments and/or suggestions on how to improve. I think we've
And checking this site, how can Comodo have more certs with errors (15030) than
certs issued (15020).
Regards
From: dev-security-policy on
behalf of Adriano Santoni via dev-security-policy
Sent: Monday, October 01, 2018 10:09 PM
To: Rob Stradling;