Re: Unknown Intermediates
On 23/06/17 14:49, Peter Bowen via dev-security-policy wrote: On Fri, Jun 23, 2017 at 6:17 AM, Rob Stradling via dev-security-policywrote: On 23/06/17 14:10, Kurt Roeckx via dev-security-policy wrote: On 2017-06-23 14:59, Rob Stradling wrote: Reasons: - Some are only trusted by the old Adobe CDS program. - Some are only trusted for Microsoft Kernel Mode Code Signing. - Some are very old roots that are no longer trusted. I wonder if Google's daedalus would like to see some of those. Daedalus only accepts expired certs. Most of these haven't expired. If there's interest, I could add these to our Dodo log. For those three, I would be interested in seeing them. I wonder if any match submariner as well. We've just added the Adobe Root CA and Microsoft Code Verification Root to the list of roots accepted by our Dodo log. -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Mozilla Root Store Policy 2.5 Published
Version 2.5 of Mozilla's CA Policy has now been published. You can find it here: https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md This document incorporates by reference the Common CCADB Policy 1.0.1: https://github.com/mozilla/pkipolicy/blob/2.5/ccadb/policy.md or http://ccadb.org/policy The previous Mozilla CCADB Policy document, which was very short, is now part of the main policy. Other than the requirement for using the Ten Blessed Methods (July 21 2017), and the requirement for constraints on email intermediates (January 15 2018 for existing intermediates), all of the new provisions are effective immediately. You can see the differences here: https://github.com/mozilla/pkipolicy/compare/2.4.1...2.5 There were a couple of changes post-review; I added a deadline, and we also made it clear in our policy what is clear elsewhere, that audits must be yearly, period-of-time, and contiguous. The copy of the policy on www.mozilla.org will be updated soon; this can take a few days. https://bugzilla.mozilla.org/show_bug.cgi?id=1375881 Gerv ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Unknown Intermediates
On 23/06/2017 14:59, Rob Stradling wrote: On 22/06/17 10:51, Rob Stradling via dev-security-policy wrote: On 19/06/17 20:41, Tavis Ormandy via dev-security-policy wrote: Is this useful? if not, what key usage is interesting? https://lock.cmpxchg8b.com/ServerOrAny.zip Thanks for this, Tavis. I pointed my certscraper (https://github.com/robstradling/certscraper) at this URL a couple of days ago. This submitted many of the certs to the Dodo and Rocketeer logs. However, it didn't manage to build chains for all of them. I haven't yet had a chance to investigate why. There are ~130 CA certificates in https://lock.cmpxchg8b.com/ServerOrAny.zip that I've not yet been able to submit to any CT logs. Reasons: - Some are only trusted by the old Adobe CDS program. - Some are only trusted for Microsoft Kernel Mode Code Signing. - Some are very old roots that are no longer trusted. - Some are corrupted. - Some seem to be from private PKIs. The SubCAs for Windows 5.01 (XP) to 6.03 (Eight point One) kernel mode signing are all 10 year cross-certs from a dedicated single-purpose Microsoft root CA to well known roots from companies like Symantec and GlobalSign. They can (or could) be downloaded from a Microsoft support page, I know of 6 that expired in 2016, 19 that will expire in 2021 and 4 that will expire in 2023. The issuing 20 year root is http://www.microsoft.com/pki/certs/MicrosoftCodeVerifRoot.crt CN=Microsoft Code Verification Root, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US SHA1 Fingerprint=8F:BE:4D:07:0E:F8:AB:1B:CC:AF:2A:9D:5C:CA:E7:28:2A:2C:66:B3 The relevant root store contains *only* this root, so the issuing (and possible revocation) of the SubCA/crosscerts acts as a dedicated root program more restrictive than the normal Microsoft root program. Chain validation is often done during boot before TCP/IP is up and running (even the network drivers are signed with this), so there is no AIA or OCSP available. Pre-download CRLs could be checked, but I don't know if they do that. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Unknown Intermediates
On Fri, Jun 23, 2017 at 6:17 AM, Rob Stradling via dev-security-policywrote: > On 23/06/17 14:10, Kurt Roeckx via dev-security-policy wrote: >> >> On 2017-06-23 14:59, Rob Stradling wrote: >>> >>> Reasons: >>>- Some are only trusted by the old Adobe CDS program. >>>- Some are only trusted for Microsoft Kernel Mode Code Signing. >>>- Some are very old roots that are no longer trusted. >> >> >> I wonder if Google's daedalus would like to see some of those. > > > Daedalus only accepts expired certs. Most of these haven't expired. > > If there's interest, I could add these to our Dodo log. For those three, I would be interested in seeing them. I wonder if any match submariner as well. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Unknown Intermediates
On 23/06/17 14:10, Kurt Roeckx via dev-security-policy wrote: On 2017-06-23 14:59, Rob Stradling wrote: Reasons: - Some are only trusted by the old Adobe CDS program. - Some are only trusted for Microsoft Kernel Mode Code Signing. - Some are very old roots that are no longer trusted. I wonder if Google's daedalus would like to see some of those. Daedalus only accepts expired certs. Most of these haven't expired. If there's interest, I could add these to our Dodo log. -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Unknown Intermediates
On 2017-06-23 14:59, Rob Stradling wrote: Reasons: - Some are only trusted by the old Adobe CDS program. - Some are only trusted for Microsoft Kernel Mode Code Signing. - Some are very old roots that are no longer trusted. I wonder if Google's daedalus would like to see some of those. Kurt ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Unknown Intermediates
On 22/06/17 10:51, Rob Stradling via dev-security-policy wrote: On 19/06/17 20:41, Tavis Ormandy via dev-security-policy wrote: Is this useful? if not, what key usage is interesting? https://lock.cmpxchg8b.com/ServerOrAny.zip Thanks for this, Tavis. I pointed my certscraper (https://github.com/robstradling/certscraper) at this URL a couple of days ago. This submitted many of the certs to the Dodo and Rocketeer logs. However, it didn't manage to build chains for all of them. I haven't yet had a chance to investigate why. There are ~130 CA certificates in https://lock.cmpxchg8b.com/ServerOrAny.zip that I've not yet been able to submit to any CT logs. Reasons: - Some are only trusted by the old Adobe CDS program. - Some are only trusted for Microsoft Kernel Mode Code Signing. - Some are very old roots that are no longer trusted. - Some are corrupted. - Some seem to be from private PKIs. -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy