On Thu, Nov 23, 2017 at 06:43:42AM +,
Michael von Niederhäusern via dev-security-policy <d@lists.mozilla.org
wrote:
> - 2.2(3) says: " The CA's CP/CPS must clearly specify the procedure(s) that
> the CA employs, and each documented procedure should state which subsection
Hi Wayne
> Thank you, I am now able to access the checklist. Unfortunately, item #4 of
> the checklist also lists obsolete domain validation methods including "any
> other method". Mozilla policy section 2.2(3) requires domain validation
> methods to be clearly described in the CA's CPS.
- You
On Wednesday, November 22, 2017 at 5:06:26 PM UTC+8, Gervase Markham wrote:
> We understand that WoTrus (WoSign changed their name some months ago)
> are working towards a re-application to join the Mozilla Root Program.
> Richard Wang recently asked us to approve a particular auditor as being
> suitable to audit their ope
/* posting for primary discussion at Mozilla Dev Security Policy, copying CAB
Public ML and SPASM@IETF */
Hi all,
the CAA RFC includes an “evaluator” role, a third party than can use public DNS
records and
public certificates to surface anomalies in the issuance process.
We have taken this rol
On Wed, Nov 22, 2017 at 3:34 PM, Nick Lamb via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> I don't see any reason why we would want to take that risk.
>
> It's not easy to spin up a new CA, but it's also not rocket surgery.
> Why should we prefer to re-admit a previousl
On Wed, 22 Nov 2017 13:00:40 -0500
Ryan Sleevi via dev-security-policy
wrote:
> But would such statements, such as "I promise I won't do X again, and
> look, here's a document that now says explicitly 'We have trained
> sharks and equipped them with lasers to ensure we do not do X again'"
> be se
I think QiHoo 360's role does open some questions.
In particular, why would QiHoo 360 shut down efforts by Startcom, run by a
relatively trusted member of the community, Inigo Barreira, to be accepted as a
CA; and instead favor WoTrus, run by Richard Wang, an explicitly UN-trusted
member of the
In defense of WoSign/WoTrus/StartCom's parent company, QiHoo 360...
While I don't personally attach a great value to the ethics of the owning
entity of the CA/proposed CA, for those who do or would attach such
importance, I would like to point out that the various vulnerabilities and
security rese
On Wed, Nov 22, 2017 at 12:00 PM, Ryan Sleevi wrote:
>
> Given that WoSign's CP/CPS itself was met by standard boilerplate, I would
> pose that it is insufficient - the past behaviour as a predictor of future
> behaviour means that the existing documentation approaches are insufficient
> to make
Thanks Gerv.
Code signing certificates don't contain EKU of id-kp-serverAuth,
id-kp-emailProtection so it's out of scope for the policy. I didn't take the
statement "key pairs for signer" and narrow that down to "S/MIME signing", now
I get it.
For S/MIME you said the Problematic Practices pag
On Wed, Nov 22, 2017 at 12:24 PM, Gervase Markham via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On 22/11/17 17:03, Matthew Hardeman wrote:
> > approval in terms of community buy-in. The downside, of course, is that
> > while this alternative pre-discussion allows for d
On 22/11/17 17:03, Matthew Hardeman wrote:
> approval in terms of community buy-in. The downside, of course, is that
> while this alternative pre-discussion allows for discussion of the nebulous
> concept of "trust" and integrity, it actually denies the community those
> matters which can be most
I think Ryan's commentary reflects, again, that the discussion here seems
to be about trust.
In that spirit, I put forth some questions of hypotheticals to provoke
further contemplation and discussion:
1. Presume that QiHoo 360 / WoTrus / WoTrust / StartCom actually purchased
one of the small bu
Hi,
I touched on my thoughts on this matter a bit before.
This is really about trust.
I think several factors must be weighed here:
1. Is "trust" really required of a CA in a soon-to-be
post-mandatory-CT-log world?
If some level of trust is required, then:
2. Can we say that the QiHoo 360 /
On Wed, Nov 22, 2017 at 11:16 AM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> Mozilla did not formally require this, but it is true that as far as we
>> can see, Richard Wang is still effectively in charge of WoSign/WoTrus.
>>
>>
> I think assessing and di
On 22/11/2017 16:38, Gervase Markham wrote:
On 22/11/17 10:54, Jakob Bohm wrote:
Some notes about previously discussed items:
Mozilla is not suggesting that WoSign has completed all of the steps.
The entire point is that we want to have this pre-discussion before they
make the effort to do so.
On 14/11/17 21:53, Doug Beattie wrote:
> The question is, if we issue Code Signing certificates via P12 files
> in compliance with the Code Signing standard, are we out of
> compliance with the Mozilla policy? How do you recommend we respond
> to this checklist question?
Mozilla does not have poli
On 22/11/17 11:39, Hanno Böck wrote:
> In any case: I agree these are legitimate questions, if past CA
> incidents happen the documents describing them should be properly
> archived. I think having a rule that one copy of them has to be stored
> on mozilla infrastructure is wise.
Having been burned
On 22/11/17 11:41, Tom wrote:
> https://www.wosign.com/english/about.htm has been updated with the new
> name, WoTrus, and currently says "Richard Wang, CEO&CTO"
Richard stated to me at one point (I can't remember whether in person or
by email) that at the time of speaking, he was no longer CEO, a
On 22/11/17 10:54, Jakob Bohm wrote:
> Some notes about previously discussed items:
Mozilla is not suggesting that WoSign has completed all of the steps.
The entire point is that we want to have this pre-discussion before they
make the effort to do so.
> Although not listed in the Action plan in
Hi Arkadiusz,
On 17/11/17 19:28, Arkadiusz Ławniczak wrote:
> Thanks Gerv
>
> We have a situation in which our last WT audit is for the period
> ending on April 14, 2017. As we know the audit is valid until the next
> audit is started. That is, that the next WT audit must be for period
> starting
On 22/11/17 11:45, marcan via dev-security-policy wrote:
On 22/11/17 20:41, Tom via dev-security-policy wrote:
Although not listed in the Action plan in #1311824, it is noteworthy
that Richard Wang has apparently not been relieved of his other
responsibilities, only the CEO title
Do you have a
On 22/11/2017 12:41, Tom wrote:
Although not listed in the Action plan in #1311824, it is noteworthy
that Richard Wang has apparently not been relieved of his other
responsibilities, only the CEO title
Do you have a link about him being relieved of the CEO title?
https://www.wosign.com/english/about
On 22/11/17 20:41, Tom via dev-security-policy wrote:
Although not listed in the Action plan in #1311824, it is noteworthy
that Richard Wang has apparently not been relieved of his other
responsibilities, only the CEO title
Do you have a link about him being relieved of the CEO title?
https://www.wo
Although not listed in the Action plan in #1311824, it is noteworthy
that Richard Wang has apparently not been relieved of his other
responsibilities, only the CEO title
Do you have a link about him being relieved of the CEO title?
https://www.wosign.com/english/about.htm has been updated with the ne
On Wed, 22 Nov 2017 12:26:15 +0100
Tom via dev-security-policy
wrote:
> About the past behavior of WoSign, the incident report
> https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf
> from https://wiki.mozilla.org/CA:WoSign_Issues seems missing.
It can be read through waybac
About the past behavior of WoSign, the incident report
https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf
from https://wiki.mozilla.org/CA:WoSign_Issues seems missing.
What is the politics of Mozilla about these kind of documents?
- Should the emitter provide it from their
FWIW my opinion:
I don't think there should be a lifetime or long term ban for people or
companies that have operated a bad CA in the past.
However I do believe that the way Wosign representatives on this list
acted in the past was often dishonest and highly problematic.
If Wosign continues to app
On 22/11/2017 10:05, Gervase Markham wrote:
We understand that WoTrus (WoSign changed their name some months ago)
are working towards a re-application to join the Mozilla Root Program.
Richard Wang recently asked us to approve a particular auditor as being
suitable to audit their operations.
In
We understand that WoTrus (WoSign changed their name some months ago)
are working towards a re-application to join the Mozilla Root Program.
Richard Wang recently asked us to approve a particular auditor as being
suitable to audit their operations.
In the WoSign Action Items bug:
https://bugzilla.