Re: Summary of Camerfirma's Compliance Issues

2021-03-31 Thread Ryan Sleevi via dev-security-policy
(Writing in a Google capacity) In [1], we removed support in Camerfirma certificates, as previously announced [2]. This included removing support for any subordinate CAs. As announced, this was planned to roll out as part of the Chrome 90 release schedule, scheduled to hit stable on 2021-04-06.

Re: Summary of Camerfirma's Compliance Issues

2021-02-01 Thread Matthias van de Meent via dev-security-policy
On Tue, 26 Jan 2021 at 16:28, Ramiro Muñoz via dev-security-policy wrote: > > On Monday, 25 January 2021 at 13:31:18 UTC+1, Matthias van de Meent > wrote: > > On Sun, 24 Jan 2021 at 20:58, Ramiro Muñoz via dev-security-policy > > wrote: > > > > > > Thanks everyone for your valuable

Re: Summary of Camerfirma's Compliance Issues

2021-01-28 Thread Eric Mill via dev-security-policy
Just to build on what Ryan said, and to clarify any confusion around the scope of Chrome’s action here - Chrome is no longer accepting Camerfirma certificates that are specifically used for *TLS server authentication* for websites. Our planned action is related to the certificates Chrome uses

Re: Summary of Camerfirma's Compliance Issues

2021-01-26 Thread Ramiro Muñoz via dev-security-policy
On Monday, 25 January 2021 at 13:31:18 UTC+1, Matthias van de Meent wrote: > On Sun, 24 Jan 2021 at 20:58, Ramiro Muñoz via dev-security-policy > wrote: > > > > Thanks everyone for your valuable contribution to the discussion. We’ve > > prepared a thorough Remediation Plan that

Re: Summary of Camerfirma's Compliance Issues

2021-01-25 Thread Matthias van de Meent via dev-security-policy
On Sun, 24 Jan 2021 at 20:58, Ramiro Muñoz via dev-security-policy wrote: > > Thanks everyone for your valuable contribution to the discussion. We’ve > prepared a thorough Remediation Plan that addresses all areas of > improvement that emerged both in this public discussion as well as direct

Re: Summary of Camerfirma's Compliance Issues

2021-01-25 Thread Ryan Sleevi via dev-security-policy
(Writing in a Google capacity) I personally want to say thanks to everyone who has contributed to this discussion, who have reviewed or reported past incidents, and who have continued to provide valuable feedback on current incidents. When considering CAs and incidents, we really want to ensure

Re: Summary of Camerfirma's Compliance Issues

2021-01-24 Thread Watson Ladd via dev-security-policy
On Sunday, January 24, 2021 at 11:58:29 AM UTC-8, Ramiro Muñoz wrote: > > Thanks everyone for your valuable contribution to the discussion. We’ve > prepared a thorough Remediation Plan that addresses all areas of > improvement that emerged both in this public discussion as well as direct contacts

Re: Summary of Camerfirma's Compliance Issues

2021-01-24 Thread Ramiro Muñoz via dev-security-policy
On Thursday, 3 December 2020 at 19:01:55 UTC+1, Ben Wilson wrote: > All, > > We have prepared an issues list as a summary of Camerfirma's compliance > issues over the past several years. The purpose of the list is to collect > and document all issues and responses in one place so

Re: Summary of Camerfirma's Compliance Issues

2021-01-22 Thread Watson Ladd via dev-security-policy
On Friday, January 22, 2021 at 10:01:22 AM UTC-8, Ramiro Muñoz wrote: > On Wednesday, 20 January 2021 at 5:04:27 UTC+1, Matt Palmer wrote: > > On Tue, Jan 19, 2021 at 07:28:17AM -0800, Ramiro Muñoz via > > dev-security-policy wrote: > > > Camerfirma is not the member with the highest

Re: Summary of Camerfirma's Compliance Issues

2021-01-22 Thread Ramiro Muñoz via dev-security-policy
On Wednesday, 20 January 2021 at 5:04:27 UTC+1, Matt Palmer wrote: > On Tue, Jan 19, 2021 at 07:28:17AM -0800, Ramiro Muñoz via > dev-security-policy wrote: > > Camerfirma is not the member with the highest number of > > incidents nor the member with the most severe ones. > No, but

Re: Summary of Camerfirma's Compliance Issues

2021-01-22 Thread Ramiro Muñoz via dev-security-policy
On Friday, 22 January 2021 at 2:31:00 UTC+1, Filippo Valsorda wrote: > 2021-01-19 18:01 GMT+01:00 Andrew Ayer via dev-security-policy > : > > It's troubling that even at this stage, Camerfirma still doesn't seem > > to grasp the seriousness of their compliance problems. Today, > >

Re: Summary of Camerfirma's Compliance Issues

2021-01-22 Thread Ramiro Muñoz via dev-security-policy
On Wednesday, 20 January 2021 at 2:07:31 UTC+1, Paul Kehrer wrote: > On Tue, Jan 19, 2021 at 6:37 PM Jonathan Rudenberg via > dev-security-policy wrote: > > > > On Tue, Jan 19, 2021, at 12:01, Andrew Ayer via dev-security-policy wrote: > > > Camerfirma was warned in 2018 that trust

Re: Summary of Camerfirma's Compliance Issues

2021-01-22 Thread Ramiro Muñoz via dev-security-policy
On Tuesday, 19 January 2021 at 18:01:49 UTC+1, Andrew Ayer wrote: > On Sun, 17 Jan 2021 00:51:29 -0800 (PST) > Ramiro Muñoz via dev-security-policy > wrote: > > > Some certificates may have been syntactically > > incorrect due to misinterpretation, but we have never compromised any

Re: Summary of Camerfirma's Compliance Issues

2021-01-22 Thread Claves Nostrum via dev-security-policy
One issue that really stands out for me is "Issue NN: Incorrect OCSP Delegated Responder Certificate (2013 - 2020)". Despite detailed public discussion on the risk and remedial actions (including what would properly demonstrate destruction of the affected CA keys through e.g. ISAE3000

Re: Summary of Camerfirma's Compliance Issues

2021-01-21 Thread Filippo Valsorda via dev-security-policy
2021-01-19 18:01 GMT+01:00 Andrew Ayer via dev-security-policy : > It's troubling that even at this stage, Camerfirma still doesn't seem > to grasp the seriousness of their compliance problems. Today, > they are arguing that there was no security threat from a certificate > issued for a domain

Re: Summary of Camerfirma's Compliance Issues

2021-01-19 Thread Matt Palmer via dev-security-policy
On Tue, Jan 19, 2021 at 07:28:17AM -0800, Ramiro Muñoz via dev-security-policy wrote: > Camerfirma is not the member with the highest number of > incidents nor the member with the most severe ones. No, but Camerfirma's got a pretty shocking history of poor incident response, over an extended

Re: Summary of Camerfirma's Compliance Issues

2021-01-19 Thread Paul Kehrer via dev-security-policy
On Tue, Jan 19, 2021 at 6:37 PM Jonathan Rudenberg via dev-security-policy wrote: > > On Tue, Jan 19, 2021, at 12:01, Andrew Ayer via dev-security-policy wrote: > > Camerfirma was warned in 2018 that trust in their CA was in jeopardy, > > yet compliance problems continued. There is no reason to

Re: Summary of Camerfirma's Compliance Issues

2021-01-19 Thread Jonathan Rudenberg via dev-security-policy
On Tue, Jan 19, 2021, at 12:01, Andrew Ayer via dev-security-policy wrote: > Camerfirma was warned in 2018 that trust in their CA was in jeopardy, > yet compliance problems continued. There is no reason to believe > Camerfirma will improve, and there are many indications that they won't. >

Re: Summary of Camerfirma's Compliance Issues

2021-01-19 Thread Andrew Ayer via dev-security-policy
On Sun, 17 Jan 2021 00:51:29 -0800 (PST) Ramiro Muñoz via dev-security-policy wrote: > Some certificates may have been syntactically > incorrect due to misinterpretation, but we have never compromised any > vetting, identification or information validation. This is false, as shown by incidents

Re: Summary of Camerfirma's Compliance Issues

2021-01-19 Thread Ramiro Muñoz via dev-security-policy
On Tuesday, 19 January 2021 at 14:32:19 UTC+1, paul.leo@gmail.com wrote: > On Tuesday, January 19, 2021 at 11:01:15 AM UTC+1, Ramiro Muñoz wrote: > > > Finally, I’d like to ask you, based on which article of Mozilla Root Store > > Policy, you are sentencing a removal from the

Re: Summary of Camerfirma's Compliance Issues

2021-01-19 Thread Kurt Roeckx via dev-security-policy
On 2021-01-19 11:02, Ramiro Muñoz wrote: On Tuesday, 19 January 2021 at 0:49:42 UTC+1, Matt Palmer wrote: On Sun, Jan 17, 2021 at 12:51:29AM -0800, Ramiro Muñoz via dev-security-policy wrote: We don’t ask the community to disregard the data, on the contrary we ask the community to

Re: Summary of Camerfirma's Compliance Issues

2021-01-19 Thread paul.leo....--- via dev-security-policy
On Tuesday, January 19, 2021 at 11:01:15 AM UTC+1, Ramiro Muñoz wrote: > Finally, I’d like to ask you, based on which article of Mozilla Root Store > Policy, you are sentencing a removal from the Mozilla store. Oh, I know this one: It is in the Mozilla Root Store Policy, 7.3: "Mozilla MAY, at

Re: Summary of Camerfirma's Compliance Issues

2021-01-19 Thread Ramiro Muñoz via dev-security-policy
On Tuesday, 19 January 2021 at 0:49:42 UTC+1, Matt Palmer wrote: > On Sun, Jan 17, 2021 at 12:51:29AM -0800, Ramiro Muñoz via > dev-security-policy wrote: > > We don’t ask the community to disregard the data, on the contrary we ask > > the community to analyze the data thoroughly

Re: Summary of Camerfirma's Compliance Issues

2021-01-19 Thread Ramiro Muñoz via dev-security-policy
On Tuesday, 19 January 2021 at 0:49:42 UTC+1, Matt Palmer wrote: > On Sun, Jan 17, 2021 at 12:51:29AM -0800, Ramiro Muñoz via > dev-security-policy wrote: > > We don’t ask the community to disregard the data, on the contrary we ask > > the community to analyze the data thoroughly

Re: Summary of Camerfirma's Compliance Issues

2021-01-18 Thread Matt Palmer via dev-security-policy
On Sun, Jan 17, 2021 at 12:51:29AM -0800, Ramiro Muñoz via dev-security-policy wrote: > We don’t ask the community to disregard the data, on the contrary we ask > the community to analyze the data thoroughly including the impacts > produced. OK, I'll bite. As a member of the community, I've

Re: Summary of Camerfirma's Compliance Issues

2021-01-17 Thread Ramiro Muñoz via dev-security-policy
On Sunday, 10 January 2021 at 17:27:01 UTC+1, Ryan Sleevi wrote: > On Sat, Jan 9, 2021 at 1:44 PM Ramiro Muñoz via dev-security-policy < > dev-secur...@lists.mozilla.org> wrote: > > > > That Camerfirma does not understand or express appreciation for this > > risk > > > is, to the

Re: Summary of Camerfirma's Compliance Issues

2021-01-10 Thread Ryan Sleevi via dev-security-policy
On Sat, Jan 9, 2021 at 1:44 PM Ramiro Muñoz via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > That Camerfirma does not understand or express appreciation for this > risk > > is, to the extent, of great cause for concern. > > Dear Ryan, > > We are looking at the same data

Re: Summary of Camerfirma's Compliance Issues

2021-01-09 Thread Ramiro Muñoz via dev-security-policy
On Tuesday, 5 January 2021 at 16:45:11 UTC+1, Ryan Sleevi wrote: > On Tue, Jan 5, 2021 at 9:01 AM Ramiro Muñoz via dev-security-policy < > dev-secur...@lists.mozilla.org> wrote: > > > In response to Ryan’s latest post, we want to provide the community with > > Camerfirma’s due

Re: Summary of Camerfirma's Compliance Issues

2021-01-05 Thread Ryan Sleevi via dev-security-policy
On Tue, Jan 5, 2021 at 9:01 AM Ramiro Muñoz via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > In response to Ryan’s latest post, we want to provide the community with > Camerfirma’s due responses and we hope this clears up any doubts that might > have arisen. > > Ryan

Re: Summary of Camerfirma's Compliance Issues

2021-01-05 Thread Ramiro Muñoz via dev-security-policy
In response to Ryan’s latest post, we want to provide the community with Camerfirma’s due responses and we hope this clears up any doubts that might have arisen. Ryan argument number 1: “These statements are ones that are sort of "true by degree". That is, if I was to dispute 1, Camerfirma

Re: Summary of Camerfirma's Compliance Issues

2020-12-29 Thread Ryan Sleevi via dev-security-policy
On Mon, Dec 28, 2020 at 6:35 AM Ramiro Muñoz via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Wednesday, 23 December 2020 at 0:01:23 UTC+1, Wayne Thayer > wrote: > > On Sat, Dec 19, 2020 at 1:03 AM Ramiro Muñoz via dev-security-policy < > >

Re: Summary of Camerfirma's Compliance Issues

2020-12-28 Thread Ramiro Muñoz via dev-security-policy
On Wednesday, 23 December 2020 at 0:01:23 UTC+1, Wayne Thayer wrote: > On Sat, Dec 19, 2020 at 1:03 AM Ramiro Muñoz via dev-security-policy < > dev-secur...@lists.mozilla.org> wrote: > > > Hi Ben, Ryan, Burton and all: > > > > Camerfirma will present its claims based on a

Re: Summary of Camerfirma's Compliance Issues

2020-12-22 Thread Wayne Thayer via dev-security-policy
On Sat, Dec 19, 2020 at 1:03 AM Ramiro Muñoz via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Hi Ben, Ryan, Burton and all: > > Camerfirma will present its claims based on a description of the problems > found by associating the references to the specific bugs. > After

RE: Summary of Camerfirma's Compliance Issues

2020-12-20 Thread Ramiro Muñoz via dev-security-policy
sue FF: Intentional unrevocation of externally-operated sub-CA (2019). Regards Ramiro. From: Burton Sent: Tuesday, 15 December 2020 19:39 To: Ramiro Muñoz CC: r...@sleevi.com; mozilla-dev-security-policy ; Ben Wilson Subject: Re: Summary of Camerfirma's Compliance Issues It doesn'

Re: Summary of Camerfirma's Compliance Issues

2020-12-19 Thread Ramiro Muñoz via dev-security-policy
Hi Ben, Ryan, Burton and all: Camerfirma will present its claims based on a description of the problems found by associating the references to the specific bugs. After making a complete analysis of the bugs as presented by Ben, always considering that bugs are the main source of truth, we see

RE: Summary of Camerfirma's Compliance Issues

2020-12-15 Thread Ramiro Muñoz via dev-security-policy
December 2020 19:39 To: Ramiro Muñoz CC: r...@sleevi.com; mozilla-dev-security-policy ; Ben Wilson Subject: Re: Summary of Camerfirma's Compliance Issues It doesn't look great to the community when a CA that is under investigation for serious compliance issues asks for more time

Re: Summary of Camerfirma's Compliance Issues

2020-12-15 Thread Burton via dev-security-policy
e accurate answer. We plan to > postpone to this Friday. > > KR > Ramiro > > > From: Ryan Sleevi > Sent: Monday, 14 December 2020 22:41 > To: Ramiro Muñoz > CC: r...@sleevi.com; Ben Wilson ; > mozilla-dev-security-policy > > Subject: Re:

RE: Summary of Camerfirma's Compliance Issues

2020-12-15 Thread Ramiro Muñoz via dev-security-policy
2020 22:41 To: Ramiro Muñoz CC: r...@sleevi.com; Ben Wilson ; mozilla-dev-security-policy Subject: Re: Summary of Camerfirma's Compliance Issues Thanks Ramiro for the update. I do want to make sure we're on the same page. Responding point-by-point to the issues would probably be the least

Re: Summary of Camerfirma's Compliance Issues

2020-12-14 Thread Ryan Sleevi via dev-security-policy
Thanks Ramiro for the update. I do want to make sure we're on the same page. Responding point-by-point to the issues would probably be the least productive path forward. If there are specific disagreements with the facts as presented, which were taken from the Bugzilla reports, it would be good

RE: Summary of Camerfirma's Compliance Issues

2020-12-13 Thread Ramiro Muñoz via dev-security-policy
December 2020 21:44 To: Ben Wilson CC: mozilla-dev-security-policy Subject: Re: Summary of Camerfirma's Compliance Issues Hi Ben, This is clearly a portrait of a CA that, like those that came before [1][2][3][4], paints a pattern of a CA that consistently and regularly fails to meet program

Re: Summary of Camerfirma's Compliance Issues

2020-12-10 Thread Ramiro Muñoz via dev-security-policy
cy on behalf of Ryan Sleevi via dev-security-policy Sent: Thursday, 10 December 2020 21:44 To: Ben Wilson Cc: mozilla-dev-security-policy Subject: Re: Summary of Camerfirma's Compliance Issues Hi Ben, This is clearly a portrait of a CA that, like those that came before [1][2][3][4],

Re: Summary of Camerfirma's Compliance Issues

2020-12-10 Thread Ryan Sleevi via dev-security-policy
Hi Ben, This is clearly a portrait of a CA that, like those that came before [1][2][3][4], paints a pattern of a CA that consistently and regularly fails to meet program requirements, in a way that clearly demonstrates these are systemic and architectural issues. As with Symantec, we see a