Re: TrustCor root inclusion request

2017-05-18 Thread Nick Lamb via dev-security-policy 
On Thursday, 18 May 2017 04:23:17 UTC+1, Aaron Wu  wrote:
> - DV SSL Certificates - the domain name registrar must list the applicant as 
> part of the WHOIS record; or effective control of the domain shall be 
> demonstrated by the applicant or communication satisfying BR 3.2.2.4 shall be 
> obtained. 

Mmmm. I believe only 3.2.2.4 is acceptable to Mozilla, am I wrong here? Judging 
from self-assessment document, TrustCor's actual practices are all intended to 
be 3.2.2.4 compliant (I will examine in more detail later) but the language 
here suggests it might be possible for applicants to successfully validate for 
DV by some other means not listed in 3.2.2.4, which (again unless I'm mistaken) 
Mozilla considers always to be mis-issuance.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: DRAFT: Notice to CAs about CCADB changes May 19-21

2017-05-18 Thread Kathleen Wilson via dev-security-policy 
On Thursday, May 18, 2017 at 10:08:32 AM UTC-7, Kathleen Wilson wrote:
> All,
> 
> Below is the draft email that I plan to send later today, after we have final 
> confirmation from Salesforce regarding these proposed changes.
> 

We received confirmation from Salesforce that these changes to the URLs will 
happen at about 1:00pm PDT on May 19.

I have sent email to the CA Contacts who have active CCADB CA Community 
Licenses.

I also added this email to https://wiki.mozilla.org/CA/Communications

Cheers,
Kathleen
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

DRAFT: Notice to CAs about CCADB changes May 19-21

2017-05-18 Thread Kathleen Wilson via dev-security-policy 
All,

Below is the draft email that I plan to send later today, after we have final 
confirmation from Salesforce regarding these proposed changes.

I will appreciate your feedback on this.

Thanks,
Kathleen

 
Subject: Common CA Database (CCADB) changes May 19-21, 2017

Dear Certification Authority,

The Common CA Database (CCADB) will undergo the following changes this weekend, 
May 19 to May 21. During this time, the old URLs listed below will stop 
working, and there will be some time when the CCADB is in read-only mode.

On May 19 the following three breaking changes are planned, meaning that the 
old URLs will no longer work. Any links or bookmarks to these URLs will need to 
be updated. After these changes are made, I will also update Mozilla's wiki 
pages to point to the new URLs.

1) The CA login page and the domain CAs see when they are logged into the CCADB 
will change.
https://mozillacacommunity.force.com/
will be changed to
https://ccadb.force.com/

2) The links to reports that are published directly from the CCADB will change.
https://mozillacaprogram.secure.force.com/CA/
will be changed to
https://ccadb-public.secure.force.com/mozilla/

3) The links to CA communication responses that are published directly from the 
CCADB will change.
https://mozillacaprogram.secure.force.com/Communications
will be changed to
https://ccadb-public.secure.force.com/mozillacommunications

Then on May 21 between 12am and 4am PDT, the CCADB will be in read-only mode 
while Salesforce performs an instance refresh to upgrade the infrastructure 
supporting the CCADB instance in their data centers.

Regards,
Kathleen



___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

RE: Email sub-CAs

2017-05-18 Thread Doug Beattie via dev-security-policy 
Hi Gerv,

I'm still looking for audit guidance on subordinate CAs that have EKU of Server 
auth and/or Secure Mail along with name constraints.  Do these need to be 
audited?

I'm looking at this:  
https://github.com/mozilla/pkipolicy/blob/master/rootstore/policy.md

Section 1.1, item #2 implies yes, that these CAs are in scope of this policy 
and thus must be audited - correct me if I'm wrong if being in the policy means 
they need to be audited.

Section 5.3.1 and 5.3.2 imply no audit is needed

Prior versions of the policy (at least 1.3 and before), did not require audits 
for technically constrained CAs like the ones referenced above.  Further, it 
used to be OK if the "Name Constraints" applied for Secure Mail CAs was done 
via contractual methods, vs. in the CA certificate at a technical NC.  We have 
one remaining customer with a CA like this and we're not sure on how new policy 
requirements apply to this existing customer.  Your guidance is appreciated.

Doug


> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+doug.beattie=globalsign@lists.mozilla.org] On Behalf Of Doug
> Beattie via dev-security-policy
> Sent: Monday, May 8, 2017 12:47 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: RE: Email sub-CAs
> 
> Hi Gerv,
> 
> I wanted to get the latest Mozilla thoughts on the audit requirements for
> TCSCs based on the discussion we started last month.  I understand the BR
> requirement if the CA can issue server auth certificates, this was discussed
> here:
> 
> https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/ZMUjQ6
> xHrDA/ySofsF_PAgAJ
> 
> For TCSCs that can issue secure email certs, what are the requirements in the
> new policy, 2.4?  I think they were excluded from audit requirement before,
> but in the latest Mozilla policy these CAs need to have a WT for CA audit even
> if they are Name Constrained.
> 
> So here my questions:
> 
> Was this an intentional change?
> 
> Is the same true for TCSCs that can issue server auth certificates (even NC 
> CAs
> need a webtrust for CA audit)?
> 
> Are previously issued TCSCs exempt, if not, when would the audit period for
> them start?
> 
> Do these CAs need to be publicly disclosed?
> 
> Related tickets:
>https://github.com/mozilla/pkipolicy/issues/36
> 
>https://github.com/mozilla/pkipolicy/issues/69
> 
> 
> 
> 
> 
> 
> 
> 
> 
> > -Original Message-
> > From: dev-security-policy [mailto:dev-security-policy-
> > bounces+doug.beattie=globalsign@lists.mozilla.org] On Behalf Of
> > douglas.beattie--- via dev-security-policy
> > Sent: Thursday, April 13, 2017 12:33 PM
> > To: mozilla-dev-security-pol...@lists.mozilla.org
> > Subject: Re: Email sub-CAs
> >
> > On Thursday, April 13, 2017 at 10:49:17 AM UTC-4, Gervase Markham
> wrote:
> > > On 13/04/17 14:23, Doug Beattie wrote:
> > > > In 3.2 the term Technically Constrained is not defined to be any
> > > > different than the BRs (or perhaps even less restrictive).
> > >
> > > You mean 2.3, right?
> >
> > Yes, 2.3.
> >
> > > I would say Inclusion section, bullet 9 gives the definition of
> > > technically constrained. For email certs, because of the bug
> > > described in issue #69, it basically just says that it has to have
> > > the id-kp-emailProtection EKU. It should say more, but it doesn't.
> > > That's problematic, because just having an EKU isn't really a
> > > technical constraint in the "TCSC" sense.
> > >
> > > > In 3.2
> > > > this is all I can find regarding CAs that are capable of signing
> > > > secure email certificates, section 9: "If the certificate includes
> > > > the id-kp-emailProtection extended key usage, then all end-entity
> > > > certificates MUST only include e-mail addresses or mailboxes that
> > > > the issuing CA has confirmed (via technical and/or business
> > > > controls) that the subordinate CA is authorized to use."
> > > >
> > > > There is no statement back to scope or corresponding audits.  Were
> > > > secure email capable CAs supposed to be disclosed and audited to
> > > > Mozilla under 2.3?
> > >
> > > If they did not include id-kp-serverAuth, I would not have faulted a
> > > CA for not disclosing them if they met the exclusion criteria for
> > > email certs as written.
> >
> > OK.
> >
> > > > and how it applies to Secure email, I don't see how TCSCs with
> > > > secure email EKU fall within the scope of the Mozilla Policy 2.3.
> > > > Can you help clarify?
> > >
> > > I think this is basically issue #69.
> > > https://github.com/mozilla/pkipolicy/issues/69
> >
> > OK, I look forward to a conclusion on that.  I hope that name
> > constraining a secure email CA (either technically in the CA
> > certificate or via business
> > controls) is sufficient to avoid WebTrust Audits.  If Public
> > disclosure helps get us there then that would be acceptable.
> >
> > > I don't think it was supposed to be the case that intermediates with
> > > id-kp-emailProtection alone were