Re: Misissuance/non-compliance remediation timelines

2018-02-08 Thread Paul Kehrer via dev-security-policy
On February 9, 2018 at 1:24:12 AM, Wayne Thayer (wtha...@mozilla.com) wrote: On Tue, Feb 6, 2018 at 6:03 PM, Paul Kehrer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > So, how long is too long? > This is the crux of the issue for me. If a CA (that really should have

Re: ComSign Root Renewal Request

2018-02-08 Thread Wayne Thayer via dev-security-policy
On Wed, Feb 7, 2018 at 8:18 AM, YairE via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Hi Wayne, > responding to your notes: > > Section 4.9 states that in any case that Comsign is notified about a > misissuance (no matter if it was notified by a subscriber or in any other

Re: Certificate for com and it

2018-02-08 Thread Ryan Sleevi via dev-security-policy
On Thu, Feb 8, 2018 at 3:14 PM, Hanno Böck via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Thu, 8 Feb 2018 15:50:08 + > Gervase Markham via dev-security-policy > wrote: > > > In this case, the certificates are revoked in Firefox via OneCRL and > > Chrome via CRLSe

Re: Certificate for com and it

2018-02-08 Thread Hanno Böck via dev-security-policy
On Thu, 8 Feb 2018 15:50:08 + Gervase Markham via dev-security-policy wrote: > In this case, the certificates are revoked in Firefox via OneCRL and > Chrome via CRLSets (AIUI) and so the revocations are guaranteed to be > noticed. Hi Gerv, Independent of this specific case, which I guess is

Re: Certificate for com and it

2018-02-08 Thread Wayne Thayer via dev-security-policy
On Thu, Feb 8, 2018 at 8:54 AM, Rob Stradling via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 08/02/18 15:50, Gervase Markham via dev-security-policy wrote: > >> On 08/02/18 13:47, Hanno Böck wrote: >> >> OneCRL additions normally have an associated bug but I can't see

Re: Misissuance/non-compliance remediation timelines

2018-02-08 Thread Wayne Thayer via dev-security-policy
On Tue, Feb 6, 2018 at 6:03 PM, Paul Kehrer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > So, how long is too long? > This is the crux of the issue for me. If a CA (that really should have stopped responding 'good' for unknown certs back in 2013) needs to select, pur

Re: Certificate for com and it

2018-02-08 Thread Rob Stradling via dev-security-policy
On 08/02/18 15:50, Gervase Markham via dev-security-policy wrote: On 08/02/18 13:47, Hanno Böck wrote: Is a revoked intermediate cert a license for operating a yolo CA that signs everything? Given the fragility of revocation checking I'd find that a problematic precedent. In this case, the cer

Re: Certificate for com and it

2018-02-08 Thread Gervase Markham via dev-security-policy
On 08/02/18 13:47, Hanno Böck wrote: > Is a revoked intermediate cert a license for operating a yolo CA that > signs everything? Given the fragility of revocation checking I'd find > that a problematic precedent. In this case, the certificates are revoked in Firefox via OneCRL and Chrome via CRLSe

Re: Misissuance/non-compliance remediation timelines

2018-02-08 Thread Gervase Markham via dev-security-policy
On 07/02/18 15:14, Alex Gaynor wrote: > That said, given the issues Paul highlighted in his original mail (which I > wholeheartedly concur with), it seems the place to focus is the folks who > are getting Ds right now. Therefore I think the essential part of your > email is your agreement that CAs

Re: Mozilla’s Plan for Symantec Roots

2018-02-08 Thread westmail24--- via dev-security-policy
Also, it should be understood that on Linux OS no transitional periods will be made, but it simply removes all Symantec certificates from a certain date.

Re: Mozilla’s Plan for Symantec Roots

2018-02-08 Thread Kai Engert via dev-security-policy
On 16.10.2017 19:32, Gervase Markham via dev-security-policy wrote: > The subCAs that we know of that fall into this category belong to Google > and Apple. If there are any other subCAs that fall into this category, > please let us know immediately. Google has one such subCA; Apple has seven. Besi

Re: Mozilla’s Plan for Symantec Roots

2018-02-08 Thread Kai Engert via dev-security-policy
On 16.10.2017 20:26, Eric Mill via dev-security-policy wrote: > Adding code to Firefox to support the distrust of specified subCAs seems > like it would be a good long-term investment for Mozilla, as it would give > Mozilla a lot more flexibility during future distrust events. I think this isn't a

Re: Certificate for com and it

2018-02-08 Thread Hanno Böck via dev-security-policy
Hi, On Tue, 6 Feb 2018 16:56:48 +0100 Kurt Roeckx via dev-security-policy wrote: > I should probably more clear, the certificates of the CA have been > revoked. I'm wondering what that means. Is a revoked intermediate cert a license for operating a yolo CA that signs everything? Given the fragi

Re: Mozilla’s Plan for Symantec Roots

2018-02-08 Thread Kai Engert via dev-security-policy
On 16.10.2017 19:33, Gervase Markham via dev-security-policy wrote: > As per previous discussions and > https://wiki.mozilla.org/CA:Symantec_Issues, a consensus proposal[0] was > reached among multiple browser makers for a graduated distrust of > Symantec roots. > > Here is Mozilla’s planned timel

Re: Statement on DigiCert’s Proposed Purchase of Symantec

2018-02-08 Thread Kai Engert via dev-security-policy
On 01.11.2017 00:58, Jeremy Rowley via dev-security-policy wrote: > A couple of points of clarification (as it seems to have stirred some > questions) > 1. Migration to the DigiCert issuing and validation process only applies to > certs intended for browser use, meaning the infrastructure may iss