Re: Taiwan GRCA Root Renewal Request

2016-12-13 Thread Kathleen Wilson
Thanks to all of you who have reviewed and commented on this request from 
Government of Taiwan, Government Root Certification Authority (GRCA), to 
include their renewed Government Root Certification Authority root certificate, 
and turn on the Websites and Email trust bits.

To summarize this discussion so far, two primary concerns have been raised, as 
follows.

1) There are several intermediate certificates that are technically capable of 
issuing TLS certificates, but have not been audited according to the BRs. This 
is a show-stopper.

Reference:
https://wiki.mozilla.org/CA:BaselineRequirements#Whole-Population_Audit_of_Intermediate_Certs
“BR Audits must always include the whole-population audit of intermediate 
certificates that are capable of issuing SSL certs.”

This means that if the intermediate certificate is not technically constrained 
via EKU (and name constraints) then it must be audited according to the BRs. 

We have resolved this particular situation in the past by having the CA get an 
audit statement saying that the intermediate certificate has not issued TLS 
certificates during the audit period. And requiring that the CA get such an 
audit statement annually.


2) The new root certificate has the same exact full distinguished name as the 
old root certificate. I think this is OK.

The CA tested this with Firefox, and provided their test results:
https://bugzilla.mozilla.org/attachment.cgi?id=8818360

Question: Do I need to update 
https://wiki.mozilla.org/CA:How_to_apply#Root_certificates_with_the_same_subject_and_different_keys ?


Please let me know if there is anything else (other than item #1) that this CA 
needs to address before we may move forward with this request.

Thanks,
Kathleen
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
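The "technically capable of issuing TLS certificates" test in item #1 is a mechanical check on two extensions of the intermediate: an EKU that omits both id-kp-serverAuth and anyExtendedKeyUsage takes it out of BR audit scope, and a TLS-capable intermediate only counts as constrained when it also carries name constraints. The following is an added example, not code from this thread, from Mozilla or from GRCA, that runs that triage with Go's standard crypto/x509 package over a throwaway root and four constructed intermediates (the subject names and the permitted domain `.example.org` are made up for the demonstration and have nothing to do with GRCA's hierarchy):

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Class is where an intermediate falls with respect to the whole-population
// audit rule: only TLS-capable, unconstrained intermediates need a BR audit.
type Class int

const (
	OutOfScope    Class = iota // EKU present and excludes serverAuth/anyEKU
	Constrained                // TLS-capable but carries name constraints
	Unconstrained              // TLS-capable with no name constraints
)

func (c Class) String() string {
	return [...]string{"out of BR scope (EKU excludes TLS)",
		"technically constrained (EKU + name constraints)",
		"TLS-capable and unconstrained: BR audit required"}[c]
}

// TLSCapable reports whether a CA certificate could sign a server certificate
// a browser would accept: it has no EKU extension at all (unrestricted), or
// its EKU includes id-kp-serverAuth or anyExtendedKeyUsage.
func TLSCapable(cert *x509.Certificate) bool {
	if !cert.IsCA {
		return false
	}
	if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 {
		return true
	}
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth || eku == x509.ExtKeyUsageAny {
			return true
		}
	}
	return false
}

// NameConstrained reports whether the certificate carries a nameConstraints
// extension on the name types that matter for TLS (dNSName, iPAddress).
func NameConstrained(cert *x509.Certificate) bool {
	return len(cert.PermittedDNSDomains) > 0 || len(cert.ExcludedDNSDomains) > 0 ||
		len(cert.PermittedIPRanges) > 0 || len(cert.ExcludedIPRanges) > 0
}

// Classify applies the two checks in order.
func Classify(cert *x509.Certificate) Class {
	switch {
	case !TLSCapable(cert):
		return OutOfScope
	case NameConstrained(cert):
		return Constrained
	default:
		return Unconstrained
	}
}

// issue signs tmpl with parent (self-signs when parent is nil) and returns the
// parsed certificate, so the classifier runs on real DER, not on the template.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now(), time.Now().Add(24*time.Hour)
	tmpl.BasicConstraintsValid, tmpl.IsCA = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildExamples mints a constructed test root and four constructed intermediates
// (assumed names, not any real CA's hierarchy) and classifies each one.
func BuildExamples() (map[string]Class, error) {
	root, rootKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Test Root"},
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	cases := map[string]*x509.Certificate{
		"email-only EKU": {
			SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Email Sub CA"},
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
		},
		"serverAuth + name constraints": {
			SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "Constrained TLS Sub CA"},
			ExtKeyUsage:         []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
			PermittedDNSDomains: []string{".example.org"},
		},
		"serverAuth, no name constraints": {
			SerialNumber: big.NewInt(4), Subject: pkix.Name{CommonName: "TLS Sub CA"},
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		},
		"no EKU at all": {
			SerialNumber: big.NewInt(5), Subject: pkix.Name{CommonName: "General Sub CA"},
		},
	}
	out := make(map[string]Class, len(cases))
	for name, tmpl := range cases {
		cert, _, err := issue(tmpl, root, rootKey)
		if err != nil {
			return nil, err
		}
		out[name] = Classify(cert)
	}
	return out, nil
}

func main() {
	results, err := BuildExamples()
	if err != nil {
		panic(err)
	}
	for name, class := range results {
		fmt.Printf("%-34s -> %s\n", name, class)
	}
}
```

The "no EKU at all" case is the one that tends to surprise CAs: an intermediate with no EKU extension is unrestricted, so it lands in the same bucket as one that explicitly asserts serverAuth. Note also that the check reads the intermediate's own extensions only; an EKU in the parent does not constrain the child for this purpose.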


Re: Apple's Further Steps for WoSign

2016-12-13 Thread sjw
Hi

Does this also affect the root CA of StartCom Class 4 (EV) and Class 3
(OV) certs?

Regards,
Jonas



On 30.11.2016 at 21:32, certificate-authority-prog...@group.apple.com wrote:
> We are taking further actions to protect users in an upcoming security 
> update.  Apple products will block certificates from WoSign and StartCom root 
> CAs if the "Not Before" date is on or after 1 Dec 2016 00:00:00 GMT/UTC.



RE: On September 29, 2016, WoSign stopped issuing free certificates, but I still successfully got one.

2016-12-13 Thread Richard Wang
Thanks for your advice.
As I said, we closed it completely on the PKI side.


Best Regards,

Richard

-Original Message-
From: dev-security-policy 
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On 
Behalf Of Percy
Sent: Tuesday, December 13, 2016 3:40 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: On September 29, 2016, WoSign stopped issuing free certificates, but I 
still successfully got one.

If you made a promise to close it "due to some security consideration", then 
you don't have the right to just enable and disable it at will, or disable it 
at one channel but not another channel, which ultimately has the same security 
if WoSign is doing the validation.

On Sunday, December 11, 2016 at 12:27:46 AM UTC-8, Richard Wang wrote:
> As I said, we have the right to keep it or close it at any time.
>
>
> Best Regards,
>
> Richard
>
> > On 11 Dec 2016, at 12:47, Percy  wrote:
> >
> >> On Saturday, December 10, 2016 at 8:29:29 PM UTC-8, Richard Wang wrote:
> >> Our promise is to close the free SSL application on our own website: 
> >> buy.wosign.com.
> >>
> >> And now we have closed it on our PKI side.
> >>
> >>
> >> Best Regards,
> >>
> >> Richard
> >>
>  On 9 Dec 2016, at 04:17, Gervase Markham  wrote:
> 
>  On 05/12/16 13:41, Richard Wang wrote:
>  We checked our system; this order is from one of the resellers. We
>  have many resellers that use the API. We notified all resellers
>  to close the free SSL, but they need some time to update their systems.
> >>>
> >>> More than two months?
> >>>
> >>> Has this reseller given a timeline by which they expect to have
> >>> ceased to use the API?
> >>>
>  The
>  most important thing is that this certificate was issued in the proper way,
>  in that this subscriber completed the domain validation, so this is
>  not a mis-issuance, not "deceiving".
> >>>
> >>> This is narrowly true, from a Mozilla perspective. Mozilla has not
> >>> required that WoSign stop issuing certificates. We have just said
> >>> that we no longer trust them. Of course, I don't know what
> >>> commitments WoSign has made to other root stores. And indeed,
> >>> no-one has suggested that this certificate is mis-issued from a domain 
> >>> validation perspective.
> >>>
> >>> There is an issue relating to the difference between WoSign's
> >>> public statement on their website that they have ceased free SSL
> >>> issuance, and the reality that they have not. We expect CAs who
> >>> make public statements about their actions to abide by those statements.
> >>>
> >>> Gerv
> > Sorry. You just said there is no deadline? Which is it?
> >
> > -
> >
> > Sorry, we don't have a deadline.
> > And no plan to close it on the PKI side; we keep the right to activate it at any 
> > time, and we can issue this free SSL certificate for subscribers at any 
> > time if customers need it.
> >
