On 27/06/16 12:13, Myers, Kenneth (10421) wrote:
The Federal PKI has a tool to help identify trust paths,
http://fpki-graph.fpki-lab.gov.
I can do a true-up between the Mozilla CA list and FPKI trust paths to help
identify which path may be causing the issue.
Hi Kenneth. It would be great if you could do that, especially if there
are any trust paths that are not yet known to CT / crt.sh.
I've just run some analysis on the crt.sh DB. It's the following 2
cross-certificates that are of interest:
https://crt.sh/?id=9114292
Issuer: IdenTrust ACES CA 1
Subject: Federal Bridge CA 2013
OneCRL: Already revoked.
Salesforce: Not yet disclosed.
https://crt.sh/?id=12638543
Issuer: VeriSign Class 3 SSP Intermediate CA - G2
Subject: Federal Bridge CA 2013
OneCRL: Not yet revoked.
Salesforce: Not yet disclosed.
If/when both of these intermediates are disclosed to Salesforce as
"revoked", crt.sh should (once Mozilla have updated the CSV reports)
detect the FPKI trust paths as "revoked".
Richard Barnes wrote on 23rd:
"It should be clear by this point that it is not acceptable for CAs
trusted by the Mozilla program to cross-sign the Federal Bridge"
That Symantec cross-cert has not yet even been revoked via CRL!
Kenneth Myers
Supporting the GSA Federal PKI Management Authority
Protiviti | Government Solutions | Manager
On Jun 24, 2016, at 08:01, "dev-security-policy-requ...@lists.mozilla.org"
<dev-security-policy-requ...@lists.mozilla.org> wrote:
-----Original Message-----
From: Peter Bowen [mailto:pzbo...@gmail.com]
Sent: Thursday, June 23, 2016 3:35 PM
To: Eric Mill <e...@konklone.com>
Cc: Ben Wilson <ben.wil...@digicert.com>; Kurt Roeckx <k...@roeckx.be>; Richard Barnes
<rbar...@mozilla.com>; Jeremy Rowley <jeremy.row...@digicert.com>; Steve
<steve.me...@gmail.com>;
mozilla-dev-security-pol...@lists.mozilla.org; Kathleen Wilson
<kwil...@mozilla.com>; Rob Stradling <rob.stradl...@comodo.com>
Subject: Re: Intermediate certificate disclosure deadline in 2 weeks
DigiCert didn't cross-sign the Federal PKI with their Mozilla trusted CAs.
I'm sure Ben will tell me I have my terminology wrong, but DigiCert basically
operates two PKIs:
- DigiCert Public WebPKI
- DigiCert Shared FederatedPKI
The first is a set of CAs that are in the Mozilla program and CAs signed by the
Mozilla program. The second is a set of CAs that are signed by the US Federal
PKI; they are not in the Mozilla program.
The problem is that some non-DigiCert CA in the Mozilla program signed the US
Federal PKI. The DigiCert Shared FederatedPKI is now brought in via that
signature, with which they had nothing to do.
On Thu, Jun 23, 2016 at 1:41 PM, Eric Mill <e...@konklone.com> wrote:
Peter, I think I get what you're saying about this being a different
category of cross-sign, but could you spell out explicitly how this
differs from e.g. the Identrust cross-sign issue that Richard linked to?
-- Eric
On Thu, Jun 23, 2016 at 4:39 PM, Ben Wilson <ben.wil...@digicert.com> wrote:
That's correct.
-----Original Message-----
From: Peter Bowen [mailto:pzbo...@gmail.com]
Sent: Thursday, June 23, 2016 2:39 PM
To: Ben Wilson <ben.wil...@digicert.com>
Cc: Eric Mill <e...@konklone.com>; Kurt Roeckx <k...@roeckx.be>;
Richard Barnes <rbar...@mozilla.com>; Jeremy Rowley
<jeremy.row...@digicert.com>; Steve <steve.me...@gmail.com>;
mozilla-dev-security-pol...@lists.mozilla.org;
Kathleen Wilson <kwil...@mozilla.com>; Rob Stradling
<rob.stradl...@comodo.com>
Subject: Re: Intermediate certificate disclosure deadline in 2 weeks
On Thu, Jun 23, 2016 at 11:45 AM, Ben Wilson <ben.wil...@digicert.com> wrote:
Another issue that needs to be resolved involves the Federal
Bridge CA 2013 ("Federal Bridge"). When a publicly trusted sub CA
cross-certifies the Federal Bridge, then all of the CAs
cross-certified by the Federal Bridge are trusted. The chart
(https://crt.sh/mozilla-disclosures) then captures
all "non-publicly-trusted" sub CAs. For instance, the following
CAs are now caught up in the database, but there is no way to
input them (or CAs subordinate to them) into Salesforce because
only the CA that cross-certified the Federal Bridge has access to
that certificate chain in Salesforce. In other words, I don't have
access to input the DigiCert Federated ID CA-1 or its sub CAs.
Ben,
Correct me if I'm wrong, but the DigiCert CA you mention is part of a
different PKI from the DigiCert public roots in Mozilla, right? The
only reason that it is showing in the list is because a non-DigiCert
CA cross-signed the Federal PKI and the Federal PKI cross-signed the
DigiCert CA in question, correct?
Thanks,
Peter
--
konklone.com | @konklone
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
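The trust-path reasoning in this thread (a Mozilla-trusted CA cross-signs the Federal Bridge, so everything the Bridge cross-certifies becomes reachable, and the path only disappears once every bridge cross-cert is revoked) can be modelled as a directed graph of issuer-to-subject edges. The following is an added example, not code from the thread or from crt.sh; the two Bridge cross-certs and their OneCRL status are taken from Rob's message, while the Federal Bridge to DigiCert Federated ID CA-1 edge and the trusted-CA set are constructed placeholders.

```python
# Added example: trust-path analysis over a set of cross-certificates.
# Each cross-cert is an edge issuer -> subject, with a revoked flag standing
# in for its OneCRL status. Sample data constructed from the thread.
CROSS_CERTS = [
    {"id": 9114292, "issuer": "IdenTrust ACES CA 1",
     "subject": "Federal Bridge CA 2013", "revoked": True},      # OneCRL: revoked
    {"id": 12638543, "issuer": "VeriSign Class 3 SSP Intermediate CA - G2",
     "subject": "Federal Bridge CA 2013", "revoked": False},     # OneCRL: not yet
    # Constructed placeholder edge for "the Federal PKI cross-signed the DigiCert CA".
    {"id": None, "issuer": "Federal Bridge CA 2013",
     "subject": "DigiCert Federated ID CA-1", "revoked": False},
]
# Assumption: both cross-signing CAs chain to roots in the Mozilla program.
MOZILLA_TRUSTED = ["IdenTrust ACES CA 1", "VeriSign Class 3 SSP Intermediate CA - G2"]


def trust_paths(certs, trusted, target, ignore_revoked=True):
    """Return every issuer chain from a trusted CA to target.
    With ignore_revoked=True, revoked cross-certs are not traversed."""
    edges = {}
    for c in certs:
        if ignore_revoked and c["revoked"]:
            continue
        edges.setdefault(c["issuer"], []).append(c["subject"])
    paths, stack = [], [(t, [t]) for t in trusted]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        for nxt in edges.get(node, []):
            if nxt not in path:          # cross-certs can form cycles
                stack.append((nxt, path + [nxt]))
    return paths


def trust_status(certs, trusted, target):
    """'trusted' if a live path exists, 'revoked' if every path has a revoked
    edge (what crt.sh reports as a revoked FPKI trust path), else 'untrusted'."""
    if not trust_paths(certs, trusted, target, ignore_revoked=False):
        return "untrusted"
    return "trusted" if trust_paths(certs, trusted, target) else "revoked"


def revoke(certs, cert_id):
    """Return a copy of certs with the given crt.sh id marked revoked."""
    return [dict(c, revoked=True) if c["id"] == cert_id else dict(c) for c in certs]


if __name__ == "__main__":
    target = "DigiCert Federated ID CA-1"
    print(trust_status(CROSS_CERTS, MOZILLA_TRUSTED, target))                  # trusted
    print(trust_status(revoke(CROSS_CERTS, 12638543), MOZILLA_TRUSTED, target))  # revoked
```

With only the IdenTrust cross-cert revoked the DigiCert CA is still reachable through the Symantec/VeriSign cross-cert; revoking crt.sh id 12638543 as well is what turns every FPKI path into a revoked one.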