(Writing in a Google capacity)
In [1], we removed support in Camerfirma certificates, as previously
announced [2]. This included removing support for any subordinate CAs. As
announced, this was planned to roll out as part of the Chrome 90 release
schedule, scheduled to hit stable on 2021-04-06.
A
On Tue, 26 Jan 2021 at 16:28, Ramiro Muñoz via dev-security-policy
wrote:
>
> On Monday, 25 January 2021 at 13:31:18 UTC+1, Matthias van de Meent
> wrote:
> > On Sun, 24 Jan 2021 at 20:58, Ramiro Muñoz via dev-security-policy
> > wrote:
> > >
> > > Thanks everyone for your valuable cont
Just to build on what Ryan said, and to clarify any confusion around the scope
of Chrome’s action here - Chrome is no longer accepting Camerfirma certificates
that are specifically used for *TLS server authentication* for websites.
Our planned action is related to the certificates Chrome uses a
On Monday, 25 January 2021 at 13:31:18 UTC+1, Matthias van de Meent
wrote:
> On Sun, 24 Jan 2021 at 20:58, Ramiro Muñoz via dev-security-policy
> wrote:
> >
> > Thanks everyone for your valuable contribution to the discussion. We’ve
> > prepared a throughful Remediation Plan that add
On Sun, 24 Jan 2021 at 20:58, Ramiro Muñoz via dev-security-policy
wrote:
>
> Thanks everyone for your valuable contribution to the discussion. We’ve
> prepared a throughful Remediation Plan that addresses all areas of
> improvement emerged both in this public discussion as well as direct contac
(Writing in a Google capacity)
I personally want to say thanks to everyone who has contributed to this
discussion, who have reviewed or reported past incidents, and who have
continued to provide valuable feedback on current incidents. When
considering CAs and incidents, we really want to ensure we
On Sunday, January 24, 2021 at 11:58:29 AM UTC-8, Ramiro Muñoz wrote:
>
> Thanks everyone for your valuable contribution to the discussion. We’ve
> prepared a throughful Remediation Plan that addresses all areas of
> improvement emerged both in this public discussion as well as direct contacts
On Thursday, 3 December 2020 at 19:01:55 UTC+1, Ben Wilson wrote:
> All,
>
> We have prepared an issues list as a summary of Camerfirma's compliance
> issues over the past several years. The purpose of the list is to collect
> and document all issues and responses in one place so tha
On Friday, January 22, 2021 at 10:01:22 AM UTC-8, Ramiro Muñoz wrote:
> On Wednesday, 20 January 2021 at 5:04:27 UTC+1, Matt Palmer wrote:
> > On Tue, Jan 19, 2021 at 07:28:17AM -0800, Ramiro Muñoz via
> > dev-security-policy wrote:
> > > Camerfirma is not the member with the highest n
On Wednesday, 20 January 2021 at 5:04:27 UTC+1, Matt Palmer wrote:
> On Tue, Jan 19, 2021 at 07:28:17AM -0800, Ramiro Muñoz via
> dev-security-policy wrote:
> > Camerfirma is not the member with the highest number of
> > incidents nor the member with the most severe ones.
> No, but Came
On Friday, 22 January 2021 at 2:31:00 UTC+1, Filippo Valsorda wrote:
> 2021-01-19 18:01 GMT+01:00 Andrew Ayer via dev-security-policy
> :
> > It's troubling that even at this stage, Camerfirma still doesn't seem
> > to grasp the seriousness of their compliance problems. Today,
> > th
On Wednesday, 20 January 2021 at 2:07:31 UTC+1, Paul Kehrer wrote:
> On Tue, Jan 19, 2021 at 6:37 PM Jonathan Rudenberg via
> dev-security-policy wrote:
> >
> > On Tue, Jan 19, 2021, at 12:01, Andrew Ayer via dev-security-policy wrote:
> > > Camerfirma was warned in 2018 that trust i
On Tuesday, 19 January 2021 at 18:01:49 UTC+1, Andrew Ayer wrote:
> On Sun, 17 Jan 2021 00:51:29 -0800 (PST)
> Ramiro Muñoz via dev-security-policy
> wrote:
>
> > Some certificates may have been syntactically
> > incorrect due to misinterpretation, but we have never compromised any
One issue that really stands out for me is "Issue NN: Incorrect OCSP Delegated
Responder Certificate (2013 - 2020)".
Despite detailed public discussion on the risk and remedial actions (including
what would properly demonstrate destruction of the affected CA keys through
e.g. ISAE3000 independe
2021-01-19 18:01 GMT+01:00 Andrew Ayer via dev-security-policy
:
> It's troubling that even at this stage, Camerfirma still doesn't seem
> to grasp the seriousness of their compliance problems. Today,
> they are arguing that there was no security threat from a certificate
> issued for a domain wit
On Tue, Jan 19, 2021 at 07:28:17AM -0800, Ramiro Muñoz via dev-security-policy
wrote:
> Camerfirma is not the member with the highest number of
> incidents nor the member with the most severe ones.
No, but Camerfirma's got a pretty shocking history of poor incident
response, over an extended peri
On Tue, Jan 19, 2021 at 6:37 PM Jonathan Rudenberg via
dev-security-policy wrote:
>
> On Tue, Jan 19, 2021, at 12:01, Andrew Ayer via dev-security-policy wrote:
> > Camerfirma was warned in 2018 that trust in their CA was in jeopardy,
> > yet compliance problems continued. There is no reason to b
On Tue, Jan 19, 2021, at 12:01, Andrew Ayer via dev-security-policy wrote:
> Camerfirma was warned in 2018 that trust in their CA was in jeopardy,
> yet compliance problems continued. There is no reason to believe
> Camerfirma will improve, and there are many indications that they won't.
> Mozilla
On Sun, 17 Jan 2021 00:51:29 -0800 (PST)
Ramiro Muñoz via dev-security-policy
wrote:
> Some certificates may have been syntactically
> incorrect due to misinterpretation, but we have never compromised any
> vetting, identification or information validation.
This is false, as shown by incidents
On Tuesday, 19 January 2021 at 14:32:19 UTC+1, paul.leo@gmail.com
wrote:
> On Tuesday, January 19, 2021 at 11:01:15 AM UTC+1, Ramiro Muñoz wrote:
>
> > Finally, I’d like to ask you, based on which article of Mozilla Root Store
> > Policy, you are sentencing a removal from the Mozil
On 2021-01-19 11:02, Ramiro Muñoz wrote:
On Tuesday, 19 January 2021 at 0:49:42 UTC+1, Matt Palmer wrote:
On Sun, Jan 17, 2021 at 12:51:29AM -0800, Ramiro Muñoz via dev-security-policy
wrote:
We don’t ask the community to disregard the data, on the contrary we ask
the community to ana
On Tuesday, January 19, 2021 at 11:01:15 AM UTC+1, Ramiro Muñoz wrote:
> Finally, I’d like to ask you, based on which article of Mozilla Root Store
> Policy, you are sentencing a removal from the Mozilla store.
Oh, I know this one: It is in the Mozilla Root Store Policy, 7.3: "Mozilla MAY,
at
On Tuesday, 19 January 2021 at 0:49:42 UTC+1, Matt Palmer wrote:
> On Sun, Jan 17, 2021 at 12:51:29AM -0800, Ramiro Muñoz via
> dev-security-policy wrote:
> > We don’t ask the community to disregard the data, on the contrary we ask
> > the community to analyze the data thoroughly includ
On Sun, Jan 17, 2021 at 12:51:29AM -0800, Ramiro Muñoz via dev-security-policy
wrote:
> We don’t ask the community to disregard the data, on the contrary we ask
> the community to analyze the data thoroughly including the impacts
> produced.
OK, I'll bite. As a member of the community, I've ana
On Sunday, 10 January 2021 at 17:27:01 UTC+1, Ryan Sleevi wrote:
> On Sat, Jan 9, 2021 at 1:44 PM Ramiro Muñoz via dev-security-policy <
> dev-secur...@lists.mozilla.org> wrote:
>
> > > That Camerfirma does not understand or express appreciation for this
> > risk
> > > is, to the ex
On Sat, Jan 9, 2021 at 1:44 PM Ramiro Muñoz via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> > That Camerfirma does not understand or express appreciation for this
> risk
> > is, to the extent, of great cause for concern.
>
> Dear Ryan,
>
> We are looking at the same data
On Tuesday, 5 January 2021 at 16:45:11 UTC+1, Ryan Sleevi wrote:
> On Tue, Jan 5, 2021 at 9:01 AM Ramiro Muñoz via dev-security-policy <
> dev-secur...@lists.mozilla.org> wrote:
>
> > In response to Ryan’s latest post, we want to provide the community with
> > Camerfirma’s due response
On Tue, Jan 5, 2021 at 9:01 AM Ramiro Muñoz via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> In response to Ryan’s latest post, we want to provide the community with
> Camerfirma’s due responses and we hope this clears up any doubts that might
> have arisen.
>
> Ryan argum
In response to Ryan’s latest post, we want to provide the community with
Camerfirma’s due responses and we hope this clears up any doubts that might
have arisen.
Ryan argument number 1: “These statements are ones that are sort of "true by
degree". That is, if I was to dispute 1, Camerfirma woul
On Mon, Dec 28, 2020 at 6:35 AM Ramiro Muñoz via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Wednesday, 23 December 2020 at 0:01:23 UTC+1, Wayne Thayer
> wrote:
> > On Sat, Dec 19, 2020 at 1:03 AM Ramiro Muñoz via dev-security-policy <
> > dev-secur...@lis
On Wednesday, 23 December 2020 at 0:01:23 UTC+1, Wayne Thayer
wrote:
> On Sat, Dec 19, 2020 at 1:03 AM Ramiro Muñoz via dev-security-policy <
> dev-secur...@lists.mozilla.org> wrote:
>
> > Hi Ben, Ryan, Burton and all:
> >
> > Camerfirma will present its claims based on a descrip
On Sat, Dec 19, 2020 at 1:03 AM Ramiro Muñoz via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Hi Ben, Ryan, Burton and all:
>
> Camerfirma will present its claims based on a description of the problems
> found by associating the references to the specific bugs.
> After mak
2019).
* Issue FF: Intentional unrevocation of externally-operated sub-CA (2019).
Regards
Ramiro.
From: Burton
Sent: Tuesday, 15 December 2020 19:39
To: Ramiro Muñoz
CC: r...@sleevi.com; mozilla-dev-security-policy
; Ben Wilson
Subject: Re: Summary of Camerfirma's Complian
Hi Ben, Ryan, Burton and all:
Camerfirma will present its claims based on a description of the problems found
by associating the references to the specific bugs.
After making a complete analysis of the bugs as presented by Ben, always
considering that bugs are the main source of truth, we see t
de diciembre de 2020 19:39
To: Ramiro Muñoz
CC: r...@sleevi.com; mozilla-dev-security-policy
; Ben Wilson
Subject: Re: Summary of Camerfirma's Compliance Issues
It doesn't look great to the community when a CA that is under investigation
for serious compliance issues asks for mo
r to give a more accurate answer. We plan to
> postpone to this Friday.
>
> KR
> Ramiro
>
>
> From: Ryan Sleevi
> Sent: Monday, 14 December 2020 22:41
> To: Ramiro Muñoz
> CC: r...@sleevi.com; Ben Wilson ;
> mozilla-dev-security-policy >
> Asun
de 2020 22:41
To: Ramiro Muñoz
CC: r...@sleevi.com; Ben Wilson ;
mozilla-dev-security-policy
Subject: Re: Summary of Camerfirma's Compliance Issues
Thanks Ramiro for the update.
I do want to make sure we're on the same page. Responding point-by-point to the
issues would probably be
Thanks Ramiro for the update.
I do want to make sure we're on the same page. Responding point-by-point to
the issues would probably be the least productive path forward. If there
are specific disagreements with the facts as presented, which were taken
from the Bugzilla reports, it would be good to
10 de diciembre de 2020 21:44
To: Ben Wilson
CC: mozilla-dev-security-policy
Subject: Re: Summary of Camerfirma's Compliance Issues
Hi Ben,
This is clearly a portrait of a CA that, like those that came before
[1][2][3][4], paint a pattern of a CA that consistently and regularly fails to
me
cy en
nombre de Ryan Sleevi via dev-security-policy
Sent: Thursday, 10 December 2020 21:44
To: Ben Wilson
Cc: mozilla-dev-security-policy
Subject: Re: Summary of Camerfirma's Compliance Issues
Hi Ben,
This is clearly a portrait of a CA that, like those that came before
[1][2][3][
Hi Ben,
This is clearly a portrait of a CA that, like those that came before
[1][2][3][4], paint a pattern of a CA that consistently and regularly fails
to meet program requirements, in a way that clearly demonstrates these are
systemic and architectural issues.
As with Symantec, we see a systema