Re: Mozilla's Response to Camerfirma's Compliance Issues

2021-01-26 Thread Andrey West Siberia via dev-security-policy
In my opinion, Mozilla is too soft on violators... (sorry) ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-01-26 Thread Ben Wilson via dev-security-policy
Thanks, Clemens. I'll take a look. Also, apparently my redlining was lost when my message was saved to the newsgroup. I'll see if I can re-post without the text formatting of strikeouts and underlines. On Tue, Jan 26, 2021 at 10:24 AM Clemens Wanko via dev-security-policy <

Re: Mozilla's Response to Camerfirma's Compliance Issues

2021-01-26 Thread Jonathan Rudenberg via dev-security-policy
On Tue, Jan 26, 2021, at 00:21, Ben Wilson via dev-security-policy wrote: > > - Do the proposed actions in the Remediation Plan address the underlying > issues? > > - If Camerfirma fully executes on this plan, will that be sufficient to > regain trust so that they can remain a CA in Mozilla's

Re: Mozilla's Response to Camerfirma's Compliance Issues

2021-01-26 Thread Matthias van de Meent via dev-security-policy
On Tue, 26 Jan 2021 at 06:21, Ben Wilson via dev-security-policy wrote: > > - Do the proposed actions in the Remediation Plan address the underlying > issues? One of the underlying issues is that Camerfirma has multiple SubCAs, each with their own control over ICA keys, CPS, certificate profiles,

Re: Summary of Camerfirma's Compliance Issues

2021-01-26 Thread Ramiro Muñoz via dev-security-policy
On Monday, 25 January 2021 at 13:31:18 UTC+1, Matthias van de Meent wrote: > On Sun, 24 Jan 2021 at 20:58, Ramiro Muñoz via dev-security-policy > wrote: > > > > Thanks everyone for your valuable contribution to the discussion. We’ve > > prepared a thorough Remediation Plan that

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-01-26 Thread Clemens Wanko via dev-security-policy
Hi Ben, looking at what was suggested so far for section 3.2, it seems that the BR combine and summarize under "qualified" in the BR section 8.2 what you and Kathleen describe with the definitions for "competent" and "independent" parties. Based upon that, MRSP section 3.2 could be structured

Re: Mozilla's Response to Camerfirma's Compliance Issues

2021-01-26 Thread Burton via dev-security-policy
Hi Ben, The CA has been given chance after chance to improve after incident after incident but failed to do so. The remediation plan is a doorstop plan for the CA to wedge the door open to remain in the Mozilla root store but it's time to face the inevitable conclusion and the door must close on

Re: Mozilla's Response to Camerfirma's Compliance Issues

2021-01-26 Thread Ben Wilson via dev-security-policy
All, So far there have been several good comments. Please keep them coming. I want to take this opportunity just to clarify a few things. First, it has been Mozilla's long-standing position that, "We believe that the best approach to safeguarding secure browsing is to work with CAs as

Re: Mozilla's Response to Camerfirma's Compliance Issues

2021-01-26 Thread Wayne Thayer via dev-security-policy
Ben, Here are my thoughts: - First off, we have given Camerfirma the benefit of the doubt for too long and Mozilla can't continue to trust Camerfirma while they remediate these problems. With all the documented issues and Camerfirma's response, that would represent an unacceptable ongoing risk

Re: Mozilla's Response to Camerfirma's Compliance Issues

2021-01-26 Thread pfuen...--- via dev-security-policy
In my personal opinion, given that most of the actions for the remediation plan are expected to be completed during the first quarter of 2021, if the community considers that the plan adequately prevents further issues, it would be reasonable to establish a deadline to take such a decision

Patch immediately LPE vulnerability in sudo

2021-01-26 Thread Burton via dev-security-policy
If you haven't heard already, there is an LPE vulnerability in sudo and it must be patched immediately. Details here: https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit Thank you, Burton

Re: Mozilla's Response to Camerfirma's Compliance Issues

2021-01-26 Thread Andrew Ayer via dev-security-policy
On Mon, 25 Jan 2021 22:21:31 -0700 Ben Wilson via dev-security-policy wrote: > Camerfirma has responded to the list of issues by providing a Remediation > Plan, > https://drive.google.com/file/d/1DV7cUSWqdOEh3WwKsM5k1U5G4rT9IXog/view?usp=sharing, > with a commitment to align Camerfirma to the