12:09 PM
To: r...@sleevi.com
Cc: mozilla-dev-security-pol...@lists.mozilla.org; Gervase Markham
<g...@mozilla.org>
Subject: RE: CA Validation quality is failing
Okay – we’ll add them all to CT over the next couple of days.
From: Ryan Sleevi [mailto:r...@sleevi.com]
Sent: Tuesday, May 2
On 02/05/2017 17:30, Rob Stradling wrote:
On 02/05/17 16:11, Alex Gaynor via dev-security-policy wrote:
I know several CAs are using certlint
(https://github.com/awslabs/certlint)
as a pre-issuance check that the cert they're about to issue doesn't have
any programmatically detectable
.mozilla.org
Subject: Re: CA Validation quality is failing
(Still wearing Google Hat in this context)
I think sharing a list (in CT) of the certs is good and can help verify the
assertions made here :)
But overall, I think this sounds right and the risk is minimal to our users, so
not re
la.org
Subject: Re: CA Validation quality is failing
On 02/05/17 00:01, Ryan Sleevi wrote:
> Thank you for
> 1) Disclosing the details to a sufficient level of detail immediately
> 2) Providing regular updates and continued investigation
> 3) Confirming the acceptability of the plan b
cert.com>
*Cc:* Gervase Markham <g...@mozilla.org>; mozilla-dev-security-policy@
lists.mozilla.org
*Subject:* Re: CA Validation quality is failing
On Mon, May 1, 2017 at 3:41 PM, Jeremy Rowley via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
Th
> >
> > What else would you like to know?
> >
> > Jeremy
> >
> > *From:* Ryan Sleevi [mailto:r...@sleevi.com]
> > *Sent:* Monday, May 1, 2017 5:01 PM
> > *To:* Jeremy Rowley <jeremy.row...
On 02/05/17 00:01, Ryan Sleevi wrote:
> Thank you for
> 1) Disclosing the details to a sufficient level of detail immediately
> 2) Providing regular updates and continued investigation
> 3) Confirming the acceptability of the plan before implementing it, and
> with sufficient detail to understand
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: CA Validation quality is failing
On Mon, May 1, 2017 at 3:41 PM, Jeremy Rowley via dev-security-policy
<dev-security-policy@lists.mozilla.org
<mailto:dev-security-policy@lists.mozilla.org> > wrote:
There isn't anything in o
Original Message-
From: Gervase Markham [mailto:g...@mozilla.org]
Sent: Thursday, April 27, 2017 2:41 AM
To: Jeremy Rowley <jeremy.row...@digicert.com>;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: CA Validation quality is failing
On 27/04/17 00:16, Jeremy Rowley wro
ozilla-dev-security-pol...@lists.mozilla.org>
Subject: RE: CA Validation quality is failing
Thanks Mike for bringing this up. We’ve looked into it and have an initial
report to share.
After receiving the email on the Mozilla list, we investigated the identified
certificates and discovered a cou
On Thu, Apr 20, 2017 at 6:42 AM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> One thing:
>
> Could this be a result of the common (among CAs) bug of requiring entry
> of a US/Canada State/Province regardless of country, forcing applicants
> to fill in
>
Cc: Ben Wilson <ben.wil...@digicert.com>; mozilla-dev-security-policy
<mozilla-dev-security-pol...@lists.mozilla.org>
Subject: RE: CA Validation quality is failing
I’m looking into it right now. I’ll report back shortly.
Jeremy
From: Ryan Sleevi [mailto:r...@sleevi.com]
Sent: W
Ryan Sleevi writes:
>For an EV cert, you look in
>https://cabforum.org/wp-content/uploads/EV-V1_6_1.pdf
It was meant as a rhetorical question, the OP asked whether doing XYZ in an
EV certificate was allowed and I was pointing out that the CAB Forum
guidelines should
To: r...@sleevi.com; Mike vd Ent <pasarellaph...@gmail.com>
Cc: Ben Wilson <ben.wil...@digicert.com>; mozilla-dev-security-policy
<mozilla-dev-security-pol...@lists.mozilla.org>
Subject: RE: CA Validation quality is failing
I’m looking into it right now. I’ll report back shortly.
On Wed, Apr 19, 2017 at 09:00:22PM -0400, Ryan Sleevi wrote:
> On Wed, Apr 19, 2017 at 7:53 PM, Kurt Roeckx via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
> >
> > (It was a code sign certificate, but I expect if it's labeled EV
> > that the same things apply.)
> >
>
>
On Wed, Apr 19, 2017 at 11:58:28PM +, Jeremy Rowley wrote:
> That was changed in ballot 127.
Which is adopted in July 2014. This was somewhere in 2016.
As I understood it, they didn't ask for the HR department, just
someone else. That might of course be a misunderstanding of what
was asked,
On Wed, Apr 19, 2017 at 7:53 PM, Kurt Roeckx via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> (It was a code sign certificate, but I expect if it's labeled EV
> that the same things apply.)
>
Not necessarily. A separate set of guidelines cover those -
gut...@cs.auckland.ac.nz>
Cc: Ryan Sleevi <r...@sleevi.com>;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: CA Validation quality is failing
On Wed, Apr 19, 2017 at 10:41:33PM +, Peter Gutmann via
dev-security-policy wrote:
> Kurt Roeckx via dev-security-policy
<dev-security-policy
On Wed, Apr 19, 2017 at 10:41:33PM +, Peter Gutmann via dev-security-policy
wrote:
> Kurt Roeckx via dev-security-policy
> writes:
>
> >Both the localityName and stateOrProvinceName are Almere, while the province
> >is Flevoland.
>
> How much
On Wed, Apr 19, 2017 at 6:41 PM, Peter Gutmann via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Kurt Roeckx via dev-security-policy
> writes:
>
> >Both the localityName and stateOrProvinceName are Almere, while the
> province
> >is
Kurt Roeckx via dev-security-policy
writes:
>Both the localityName and stateOrProvinceName are Almere, while the province
>is Flevoland.
How much checking is a CA expected to do here? I know that OV and DV certs
are just "someone at this site responded
c: mozilla-dev-security-policy
> <mozilla-dev-security-pol...@lists.mozilla.org>; Jeremy Rowley
> <jeremy.row...@digicert.com>; Ben Wilson <ben.wil...@digicert.com>
> Subject: Re: CA Validation quality is failing
>
eremy Rowley
<jeremy.row...@digicert.com>; Ben Wilson <ben.wil...@digicert.com>
Subject: Re: CA Validation quality is failing
On Wed, Apr 19, 2017 at 3:47 PM, Mike vd Ent via dev-security-policy
<dev-security-policy@lists.mozilla.org
<mailto:dev-security-policy@lists.mo
On Wed, Apr 19, 2017 at 3:47 PM, Mike vd Ent via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Ryan,
>
> My answers on the particular issues are stated inline.
> But the thing I want to address is how could (in this case Digicert)
> validate such data and issue
Ryan,
My answers on the particular issues are stated inline.
But the thing I want to address is how could (in this case Digicert) validate
such data and issue certificates? I am investigating more of them and afraid
even linked company names or registration numbers could be false. Shouldn't
On Wed, Apr 19, 2017 at 12:28:16PM -0700, Ryan Sleevi via dev-security-policy
wrote:
> > https://portal.mobilitymixx.nl
>
> I'm not sure I understand enough to know what the issues are here. Could you
> explain?
Both the localityName and stateOrProvinceName are Almere, while
the province is
I found out that often the OV or EV validation of CAs is lacking and
concerning the baseline requirements data submitted for a TLS certificate
should be valid and thus validated. So when a country is Amsterdam, that should
fail or a city Utrecht is placed in the province Zuid-Holland, that