Re: Include Symantec-brand Class 1 and Class 2 Root Certs

2016-11-17 Thread Tarah Wheeler
Thanks, Jakob; I'll try and replicate that to check. 

Tarah Wheeler
Principal Security Advocate
Senior Director of Engineering, Website Security
Symantec
ta...@symantec.com


> On Nov 17, 2016, at 2:13 AM, "dev-security-policy-requ...@lists.mozilla.org" 
> <dev-security-policy-requ...@lists.mozilla.org> wrote:
> 
> Re: Include Symantec-brand Class 1 and Class 2 Root Certs
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Apple's response to the WoSign incidents

2016-11-14 Thread Tarah Wheeler
If Apple is using wildcards that permit an otherwise-banned certificate, it 
seems like not only a regex problem--and who hasn't had those before?--but 
also a rather disturbing workaround for certs that otherwise should not be 
respected. I just hit this site in Safari on a Mac and got no popup or 
interstitial but also saw about 20 insecure content errors (not that everyone 
has Error Console running all the time). I also just hit a site I knew had an 
invalid certificate, and got a popup. Both sites show https in URL.


Respectfully,

Tarah Wheeler
Principal Security Advocate
Senior Director of Engineering, Website Security
Symantec
ta...@symantec.com


> On Nov 13, 2016, at 1:01 PM, "dev-security-policy-requ...@lists.mozilla.org" 
> <dev-security-policy-requ...@lists.mozilla.org> wrote:
> 
> Today's Topics:
> 
> 1. Re: Action on undisclosed intermediates (Peter Bowen)
> 2. Re: Action on undisclosed intermediates (Rob Stradling)
> 3. Re: Comodo issued a certificate for an extension (Eric Mill)
> 4. Re: Apple's response to the WoSign incidents (Percy)
> 
> 
> --
> 
> Message: 1
> Date: Sat, 12 Nov 2016 09:43:36 -0800
> From: Peter Bowen <pzbo...@gmail.com>
> To: Gervase Markham <g...@mozilla.org>
> Cc: "mozilla-dev-security-pol...@lists.mozilla.org"
>  <mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: Re: Action on undisclosed intermediates
> Message-ID:
>  <cak6vnd_0odjsgoa5zxhxryeghtskaeccij76mco3q_vkrtj...@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
> 
>> On Tue, Nov 8, 2016 at 8:18 AM, Gervase Markham <g...@mozilla.org> wrote:
>> I'd like to take some action about persistent failures to properly
>> disclose intermediates. The deadline for this was June, and CAs have had
>> a number of reminders, so there's no excuse.
>> 
>> Of course, if intermediates aren't disclosed, we can't be certain what
>> they are, but crt.sh has a good idea of many of them:
>> https://crt.sh/mozilla-disclosures#undisclosed
>> 
>> There is also a list on that page of certs which CAs have disclosed but
>> not provided audit info, but given that you can get off that list by
>> putting _anything_ in the relevant box in Salesforce, I'm worried about
>> perverse incentives if we go after people on that list at the moment:
>> https://crt.sh/mozilla-disclosures#disclosureincomplete
> 
> Based on data this morning, it looks like there are only two left on
> that undisclosed list.  One of them is RSA, who is already scheduled
> for removal.  The other is TurkTrust, which announced they are leaving
> the server auth cert business:
> https://cabforum.org/pipermail/public/2016-September/008475.html
> 
> So it seems this problem has resolved itself.  No need to invent
> random selection schemes.
> 
> Now, the real fun is going to be seeing if the supplied audit report
> URLs actually point to reports and if all the CAs claimed to be
> covered are actually covered ;)
> 
> Thanks,
> Peter
> 
> 
> --
> 
> Message: 2
> Date: Sat, 12 Nov 2016 20:11:50 +
> From: Rob Stradling <rob.stradl...@comodo.com>
> To: Peter Bowen <pzbo...@gmail.com>, Gervase Markham
>  <g...@mozilla.org>
> Cc: "mozilla-dev-security-pol...@lists.mozilla.org"
>  <mozilla-dev-security-pol...@lists.mozilla.org>
> Subject: Re: Action on undisclosed intermediates
> Message-ID: <734f7b4e-9911-d28e-acdc-a95afa440...@comodo.com>
> Content-Type: text/plain; charset=windows-1252
> 
>> On 12/11/16 17:43, Peter Bowen wrote:
>> 
>> So it seems this problem has resolved itself.  No need to invent
>> random selection schemes.
> 
> ISTM that the threat of random selection schemes may have been what
> resolved the problem.  ;-)
> 
> -- 
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
> 
> 
> --
> 
> Message: 3
> Date: Sat, 12 Nov 2016 23:12:48 -0500
> From: Eric Mill <e...@konklo
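The "regex problem" Tarah refers to is a familiar class of bug: a wildcard exception that is turned into a regular expression without escaping its dots or anchoring it will match far more names than the exception was meant to cover, so a certificate that should be blocked is let through. The following is an added example, not code from this thread or from Apple's implementation: the exception pattern, the sample names and the naive converter are constructed for illustration, and `strict_matches` shows the check a defender would want (each `*` limited to one DNS label, everything else escaped, full-string anchoring).

```python
import re

# Constructed sample data for the demonstration; none of these names or
# patterns are taken from Apple's actual implementation or from the thread.
EXCEPTION_PATTERN = "*.wosign.com"   # hypothetical "keep trusting these" wildcard

# Constructed subject names: the first two are what the exception is meant to
# cover, the remaining three are names it must NOT cover.
SAMPLE_NAMES = [
    "www.wosign.com",
    "mail.wosign.com",
    "evil.wosign.com.attacker.example",   # longer name that merely contains the pattern
    "notwosign-com.example",              # unescaped '.' in the pattern matches '-' and 't'
    "a.b.wosign.com",                     # two labels under the wildcard, not one
]


def naive_wildcard_regex(pattern):
    """The mistake: turn '*' into '.*' and use the rest of the glob as-is.
    Dots stay unescaped (match any character) and nothing is anchored."""
    return re.compile(pattern.replace("*", ".*"))


def naive_matches(pattern, name):
    """Unanchored search: succeeds if the loose regex appears anywhere in name."""
    return naive_wildcard_regex(pattern).search(name) is not None


def strict_wildcard_regex(pattern):
    """Escape every literal character, let '*' stand for exactly one DNS label
    (one or more non-dot characters), and rely on fullmatch for anchoring."""
    escaped = re.escape(pattern).replace(r"\*", r"[^.]+")
    return re.compile(escaped)


def strict_matches(pattern, name):
    """Anchored, case-insensitive match of the whole host name."""
    return strict_wildcard_regex(pattern.lower()).fullmatch(name.lower()) is not None


def classify(pattern, names):
    """Return {name: (naive_match, strict_match)} so both behaviours can be
    compared side by side for the same inputs."""
    return {n: (naive_matches(pattern, n), strict_matches(pattern, n)) for n in names}


if __name__ == "__main__":
    for name, (naive, strict) in classify(EXCEPTION_PATTERN, SAMPLE_NAMES).items():
        print(f"{name:36} naive={naive!s:5} strict={strict}")
```

Running the block shows the two legitimate names accepted by both matchers, while the three constructed attacker-style names are accepted only by the naive converter. The same discipline applies to any identifier used in a trust decision (issuer names, serial numbers, fingerprints): compare exact, normalized values, and reserve wildcards for the single case the policy actually defines.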