Re: TunRootCA2 root inclusion request

I think this discussion has made it clear that the request for inclusion of the TunRootCA2 root should be denied. CAs inherently must be trusted, and trust must be earned. A CA can't simply fix one problem after another as we find them during the inclusion process and expect to be rewarded for

Re: TunRootCA2 root inclusion request

On Thursday, 15 March 2018 04:30:22 UTC+1, syri...@gmail.com wrote: > Dear Wayne, > Based on the long discussion regarding our request, I would appreciate having > your opinion on the following: > Move to a new root based on EJBCA (Enterprise License) and conduct a new > audit with a new

Re: TunRootCA2 root inclusion request

Dear Wayne, Based on the long discussion regarding our request, I would appreciate having your opinion on the following: Move to a new root based on EJBCA (Enterprise License) and conduct a new audit with a new auditor as required by Mozilla and the BR. We are ready and we do commit to do these

Re: TunRootCA2 root inclusion request

On Mon, Mar 12, 2018 at 10:53 PM, taher.mestiri--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I asked about fast tracks because it's taking long time to get things > processed related to the fact that all this is running by a community and I > think it can be great

RE: TunRootCA2 root inclusion request

ts.mozilla.org > Subject: Re: TunRootCA2 root inclusion request > > Dear Tim, > > Not sure your penguin-related example would make the picture sharper or > ideas clearer. > > I asked about fast tracks because it's taking long time to get things processed > related to the f

Re: TunRootCA2 root inclusion request

k=digicert@lists.mozilla.org] On Behalf Of > > taher.mestiri--- via dev-security-policy > > Sent: Monday, March 12, 2018 7:31 PM > > To: mozilla-dev-security-pol...@lists.mozilla.org > > Subject: Re: TunRootCA2 root inclusion request > > > > Dear All, > > &

RE: TunRootCA2 root inclusion request

.org > Subject: Re: TunRootCA2 root inclusion request > > Dear All, > > Thank you for your detailed description of your concerns with the Tunisian CA. > > I have been one of those guys that developped IT communities for more than 7 > years in Tunisia, starting by Tunandroid (Tunisi

Re: TunRootCA2 root inclusion request

Dear All, Thank you for your detailed description of your concerns with the Tunisian CA. I have been one of those guys that developped IT communities for more than 7 years in Tunisia, starting by Tunandroid (Tunisian Android Community), Google Developers Groups, organized the best Software

Re: TunRootCA2 root inclusion request

These responses demonstrate why the request is troubling. They attempt to paint it as "other people do it" The risk of removing an included CA must balance the ecosystem disruption to those non-erroneous certs, while the risk to ecosystem inclusion needs to balance both the aggregate harm to the

Re: TunRootCA2 root inclusion request

Hi Ryan I am so sorry but is the same error. CN NAME NOT INCLUDE IN THE SAN Local IP ADRESS Policy not upto date Is clear for me and i understand. All this error became from approuved authority. Is the risk no. Then The ecosystem is not protected! ANIS

Re: TunRootCA2 root inclusion request

On Sat, Mar 10, 2018 at 7:03 PM, syrine.tl--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > > Trusting a CA is like that. Operating a CA requires a high degree of > > competence and excellence, and each CA applying for inclusion should be > as > > or more competent,

Re: TunRootCA2 root inclusion request

On Sat, Mar 10, 2018 at 2:55 PM, Anis via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Hi Ryan > > just I want to remind you of these discussion and your opinion below > in some was different than you say here !!! > > https://groups.google.com/forum/#!topic/mozilla.dev. >

Re: TunRootCA2 root inclusion request

Hi Ryan just I want to remind you of these discussion and your opinion below in some was different than you say here !!! https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/CfyeeybBz9c https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/K3sk5ZMv2DE and

Re: TunRootCA2 root inclusion request

On Saturday, March 10, 2018 at 4:57:43 PM UTC+1, Ryan Sleevi wrote: > On Fri, Mar 9, 2018 at 6:51 PM, syrine.tl--- via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > > > > > We do use another CA's tool to check the validity of CSR. As we do use the > > cr.sh tool

Re: TunRootCA2 root inclusion request

On Fri, Mar 9, 2018 at 6:51 PM, syrine.tl--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > > We do use another CA's tool to check the validity of CSR. As we do use the > cr.sh tool developed also by another CA to check pre-certificate before > issuance. So why is

Re: TunRootCA2 root inclusion request

On Friday, March 9, 2018 at 10:30:18 PM UTC+1, Ryan Sleevi wrote: > On Tue, Feb 27, 2018 at 4:17 PM, Wayne Thayer via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > This request has been in public discussion for more than 6 months, so I > > would like to make a

Re: TunRootCA2 root inclusion request

In addition to the issues Ryan has listed, during the root inclusion process multiple issues with their OCSP responder and CRL endpoints were observed and fixed only after the flaws were documented in the bug ( https://bugzilla.mozilla.org/show_bug.cgi?id=1233645). I believe any CA seeking

Re: TunRootCA2 root inclusion request

On Tue, Feb 27, 2018 at 4:17 PM, Wayne Thayer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > This request has been in public discussion for more than 6 months, so I > would like to make a decision soon. If you have comments or concerns with > this request, please post

Re: TunRootCA2 root inclusion request

Le mercredi 19 juillet 2017 10:10:19 UTC+1, Aaron Wu a écrit : > This request from the Government of Tunisia is to include the “Tunisian Root > Certificate Authority - TunRootCA2” root certificate, and enable the Websites > trust bit. > > The request is documented in the following bug: >

Re: TunRootCA2 root inclusion request

Dear Jonathan, Given the misissued certificates in CT under the existing root, I believe this request should be rejected, and a new clean root with audits should be required before moving forward. ==>All the misissued certificates have been revoked by the NDCA and new correct ones were

Re: TunRootCA2 root inclusion request

> On Feb 27, 2018, at 16:47, Wayne Thayer via dev-security-policy > wrote: > > On Tue, Feb 27, 2018 at 2:40 PM, Jonathan Rudenberg > wrote: > >> >>> On Feb 27, 2018, at 16:35, Jonathan Rudenberg via dev-security-policy < >>

Re: TunRootCA2 root inclusion request

On Tue, Feb 27, 2018 at 2:40 PM, Jonathan Rudenberg wrote: > > > On Feb 27, 2018, at 16:35, Jonathan Rudenberg via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > > > >> On Feb 27, 2018, at 16:17, Wayne Thayer via dev-security-policy < >

Re: TunRootCA2 root inclusion request

> On Feb 27, 2018, at 16:35, Jonathan Rudenberg via dev-security-policy > wrote: > > >> On Feb 27, 2018, at 16:17, Wayne Thayer via dev-security-policy >> wrote: >> >> This request has been in public discussion

Re: TunRootCA2 root inclusion request

> On Feb 27, 2018, at 16:17, Wayne Thayer via dev-security-policy > wrote: > > This request has been in public discussion for more than 6 months, so I > would like to make a decision soon. If you have comments or concerns with > this request, please post

Re: TunRootCA2 root inclusion request

This request has been in public discussion for more than 6 months, so I would like to make a decision soon. If you have comments or concerns with this request, please post them here by 6-March 2018. On Tue, Feb 27, 2018 at 7:33 AM, Olfa Kaddachi via dev-security-policy <

Re: TunRootCA2 root inclusion request

Dear Wayne, The TunRootCA2 root CA operates under the following CPS: http://www.certification.tn/pub/PC-PDC_AC_RACINE-NG-01-EN.pdf ==> The TunRootCA2 operates under a new version of the CP/CPS: : http://www.certification.tn/sites/default/files/documents/CPCPS-NG-EN-02.pdf The

Re: TunRootCA2 root inclusion request

The TunrootCA2 root operates under the following CPS: http://www.certification.tn/pub/PC-PDC_AC_RACINE-NG-01-EN.pdf The TunserverCA2 subordinate CA operates under a different CPS: http://www.certification.tn/sites/default/files/documents/CPCPS-PTC-BR-EN-05.pdf I have reviewed the supplied BR

Re: TunRootCA2 root inclusion request

Hello, I started reading your CP/CPS and I noticed that you do not use the standard CA/B Forum terminology. Is this on purpose? Is it just a translation issue? Furthermore, I believe that the English Root CA CP/CPS should be added to the bug, I can only find the translation of the SSL SubCA

Re: TunRootCA2 root inclusion request

On 03/08/17 08:01, Olfa Kaddachi wrote: > ==> Some of these controls are already in place (such as the field CN and > Subject Alternative Name that does not contain a private IP address). That doesn't quite answer my question. Let me ask another way: for how long has the Government of Tunisia

Re: TunRootCA2 root inclusion request

Dear Gerv, Given that some of these are BR requirements, why were these controls not in place already? ==> Some of these controls are already in place (such as the field CN and Subject Alternative Name that does not contain a private IP address). In addition to that NDCA has implemented a

Re: TunRootCA2 root inclusion request

Hi Olfa, On 31/07/17 11:55, Olfa Kaddachi wrote: > 2) The deficiencies identified in those controls after the misissuance of > each of these certificates are essentially: > •controls on the field subject alternative names : > o this field must not contains private addresses > o this

Re: TunRootCA2 root inclusion request

Hi Jonathan, Please find below the description of the technical and organizational controls required: 1) The currently process of certificates issuance is composed by 4 steps: step 1: Registration process: This step consists of the verification of the following items: •the subscriber identify

Re: TunRootCA2 root inclusion request

For reference, I’ve added crt.sh links for the replacement certificates below. > On Jul 29, 2017, at 09:08, kaddachi olfa via dev-security-policy > wrote: > > https://crt.sh/?id=15126121 is an expired certificate (notBefore March 2016; > notAfter March

Re: TunRootCA2 root inclusion request

> On Jul 29, 2017, at 09:08, kaddachi olfa via dev-security-policy > wrote: > > ==> The CA proceeded to notify the end entity of the certificate > https://crt.sh/?id=21813439. The certificate is revoked on 28/07/2017. No new > certificate is issued by

Re: TunRootCA2 root inclusion request

https://crt.sh/?id=21813439 is a certificate issued by this CA which has a domain name in the common name but only an email address in the SAN. (The certificate has TLS server/client usage EKUs.) ==> The CA proceeded to notify the end entity of the certificate https://crt.sh/?id=21813439. The

Re: TunRootCA2 root inclusion request

On 07/19/2017 05:10 AM, Aaron Wu wrote: - Tunisian Server Certificate Authority - TunServerCA2 https://crt.sh/?id=79470561=cablint is a certificate for the internal name 'adv-mail.calladvance.local' issued by this CA with a notBefore of 2017. ___

Re: TunRootCA2 root inclusion request

On 07/19/17 05:10, Aaron Wu wrote: - Tunisian Server Certificate Authority - TunServerCA2 https://crt.sh/?id=21813439 is a certificate issued by this CA which has a domain name in the common name but only an email address in the SAN. (The certificate has TLS server/client usage EKUs.)

TunRootCA2 root inclusion request

This request from the Government of Tunisia is to include the “Tunisian Root Certificate Authority - TunRootCA2” root certificate, and enable the Websites trust bit. The request is documented in the following bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1233645 BR Self Assessment is