RE: CA Validation quality is failing

12:09 PM To: r...@sleevi.com Cc: mozilla-dev-security-pol...@lists.mozilla.org; Gervase Markham <g...@mozilla.org> Subject: RE: CA Validation quality is failing Okay – we’ll add them all to CT over the next couple of days. From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Tuesday, May 2

Re: CA Validation quality is failing

On 02/05/2017 17:30, Rob Stradling wrote: On 02/05/17 16:11, Alex Gaynor via dev-security-policy wrote: I know several CAs are using certlint (https://github.com/awslabs/certlint) as a pre-issuance check that the cert they're about to issue doesn't have any programmatically detectable

RE: CA Validation quality is failing

.mozilla.org Subject: Re: CA Validation quality is failing (Still wearing Google Hat in this context) I think sharing a list (in CT) of the certs is good and can help verify the assertions made here :) But overall, I think this sounds right and the risk is minimal to our users, so not re

RE: CA Validation quality is failing

la.org Subject: Re: CA Validation quality is failing On 02/05/17 00:01, Ryan Sleevi wrote: > Thank you for > 1) Disclosing the details to a sufficient level of detail immediately > 2) Providing regular updates and continued investigation > 3) Confirming the acceptability of the plan b

Re: CA Validation quality is failing

cert.com> *Cc:* Gervase Markham <g...@mozilla.org>; mozilla-dev-security-policy@ lists.mozilla.org *Subject:* Re: CA Validation quality is failing On Mon, May 1, 2017 at 3:41 PM, Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: Th

Re: CA Validation quality is failing

> > > > > > > > What else would you like to know? > > > > > > > > Jeremy > > > > > > > > *From:* Ryan Sleevi [mailto:r...@sleevi.com] > > *Sent:* Monday, May 1, 2017 5:01 PM > > *To:* Jeremy Rowley <jeremy.row...

Re: CA Validation quality is failing

On 02/05/17 00:01, Ryan Sleevi wrote: > Thank you for > 1) Disclosing the details to a sufficient level of detail immediately > 2) Providing regular updates and continued investigation > 3) Confirming the acceptability of the plan before implementing it, and > with sufficient detail to understand

RE: CA Validation quality is failing

mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: CA Validation quality is failing On Mon, May 1, 2017 at 3:41 PM, Jeremy Rowley via dev-security-policy <dev-security-policy@lists.mozilla.org <mailto:dev-security-policy@lists.mozilla.org> > wrote: There isn't anything in o

RE: CA Validation quality is failing

Original Message- From: Gervase Markham [mailto:g...@mozilla.org] Sent: Thursday, April 27, 2017 2:41 AM To: Jeremy Rowley <jeremy.row...@digicert.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: CA Validation quality is failing On 27/04/17 00:16, Jeremy Rowley wro

RE: CA Validation quality is failing

ozilla-dev-security-pol...@lists.mozilla.org> Subject: RE: CA Validation quality is failing Thanks Mike for bringing this up. We’ve looked into it and have an initial report to share. After receiving the email on the Mozilla list, we investigated the identified certificates and discovered a cou

Re: CA Validation quality is failing

On Thu, Apr 20, 2017 at 6:42 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > One thing: > > Could this be a result of the common (among CAs) bug of requiring entry > of a US/Canada State/Province regardless of country, forcing applicants > to fill in

Re: CA Validation quality is failing

gt; Cc: Ben Wilson <ben.wil...@digicert.com>; mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org> Subject: RE: CA Validation quality is failing I’m looking into it right now. I’ll report back shortly. Jeremy From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: W

Re: CA Validation quality is failing

Ryan Sleevi writes: >For an EV cert, you look in  >https://cabforum.org/wp-content/uploads/EV-V1_6_1.pdf It was meant as a rhetorical question, the OP asked whether doing XYZ in an EV certificate was allowed and I was pointing out that the CAB Forum guidelines should

RE: CA Validation quality is failing

To: r...@sleevi.com; Mike vd Ent <pasarellaph...@gmail.com> Cc: Ben Wilson <ben.wil...@digicert.com>; mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org> Subject: RE: CA Validation quality is failing I’m looking into it right now. I’ll report back shortly.

Re: CA Validation quality is failing

On Wed, Apr 19, 2017 at 09:00:22PM -0400, Ryan Sleevi wrote: > On Wed, Apr 19, 2017 at 7:53 PM, Kurt Roeckx via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > > (It was a code sign certificate, but I expect if it's labeled EV > > that the same things apply.) > > > >

Re: CA Validation quality is failing

On Wed, Apr 19, 2017 at 11:58:28PM +, Jeremy Rowley wrote: > That was changed in ballot 127. Which is adopted in july 2014. This was somewhere in 2016. As I understood it, they didn't ask for the HR department, just someone else. That might of course be a misunderstanding of what was asked,

Re: CA Validation quality is failing

On Wed, Apr 19, 2017 at 7:53 PM, Kurt Roeckx via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > (It was a code sign certificate, but I expect if it's labeled EV > that the same things apply.) > Not necessarily. A separate set of guidelines cover those -

RE: CA Validation quality is failing

gut...@cs.auckland.ac.nz> Cc: Ryan Sleevi <r...@sleevi.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: CA Validation quality is failing On Wed, Apr 19, 2017 at 10:41:33PM +, Peter Gutmann via dev-security-policy wrote: > Kurt Roeckx via dev-security-policy <dev-security-policy

Re: CA Validation quality is failing

On Wed, Apr 19, 2017 at 10:41:33PM +, Peter Gutmann via dev-security-policy wrote: > Kurt Roeckx via dev-security-policy > writes: > > >Both the localityName and stateOrProvinceName are Almere, while the province > >is Flevoland. > > How much

Re: CA Validation quality is failing

On Wed, Apr 19, 2017 at 6:41 PM, Peter Gutmann via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Kurt Roeckx via dev-security-policy > writes: > > >Both the localityName and stateOrProvinceName are Almere, while the > province > >is

Re: CA Validation quality is failing

Kurt Roeckx via dev-security-policy writes: >Both the localityName and stateOrProvinceName are Almere, while the province >is Flevoland. How much checking is a CA expected to do here? I know that OV and DV certs are just "someone at this site responded

Re: CA Validation quality is failing

c: mozilla-dev-security-policy > <mozilla-dev-security-pol...@lists.mozilla.org>; Jeremy Rowley > <jeremy.row...@digicert.com>; Ben Wilson <ben.wil...@digicert.com> > Subject: Re: CA Validation quality is failing > > > > > > > >

RE: CA Validation quality is failing

eremy Rowley <jeremy.row...@digicert.com>; Ben Wilson <ben.wil...@digicert.com> Subject: Re: CA Validation quality is failing On Wed, Apr 19, 2017 at 3:47 PM, Mike vd Ent via dev-security-policy <dev-security-policy@lists.mozilla.org <mailto:dev-security-policy@lists.mo

Re: CA Validation quality is failing

On Wed, Apr 19, 2017 at 3:47 PM, Mike vd Ent via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Ryan, > > My answers on the particular issues are stated inline. > But the thing I want to address is how could (in this case Digicert) > validate such data and issues

Re: CA Validation quality is failing

Ryan, My answers on the particular issues are stated inline. But the thing I want to address is how could (in this case Digicert) validate such data and issues certificates? I am investigation more of them and afraid even linked company names or registration numbers could be false. Shouldn't

Re: CA Validation quality is failing

On Wed, Apr 19, 2017 at 12:28:16PM -0700, Ryan Sleevi via dev-security-policy wrote: > > https://portal.mobilitymixx.nl > > I'm not sure I understand enough to know what the issues are here. Could you > explain? Both the localityName and stateOrProvinceName are Almere, while the province is

CA Validation quality is failing

I found out that often the OV or EV validation of CA's is lacking and concerning the baseline requirements data submitted for a TLS certificate should be valid and thus validated. So when a country is Amsterdam, that should fail or a city Utrecht is placed in the province Zuid-Holland, that