Re: Unknown Intermediates

2017-06-23 Thread Rob Stradling via dev-security-policy 

On 23/06/17 14:49, Peter Bowen via dev-security-policy wrote:

On Fri, Jun 23, 2017 at 6:17 AM, Rob Stradling via dev-security-policy
 wrote:

On 23/06/17 14:10, Kurt Roeckx via dev-security-policy wrote:


On 2017-06-23 14:59, Rob Stradling wrote:


Reasons:
- Some are only trusted by the old Adobe CDS program.
- Some are only trusted for Microsoft Kernel Mode Code Signing.
- Some are very old roots that are no longer trusted.



I wonder if Google's daedalus would like to see some of those.



Daedalus only accepts expired certs.  Most of these haven't expired.

If there's interest, I could add these to our Dodo log.


For those three, I would be interested in seeing them.  I wonder if
any match submariner as well.


We've just added the Adobe Root CA and Microsoft Code Verification Root 
to the list of roots accepted by our Dodo log.


--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Mozilla Root Store Policy 2.5 Published

2017-06-23 Thread Gervase Markham via dev-security-policy 
Version 2.5 of Mozilla's CA Policy has now been published. You can
find it here:
https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md

This document incorporates by reference the Common CCADB Policy 1.0.1:
https://github.com/mozilla/pkipolicy/blob/2.5/ccadb/policy.md
or
http://ccadb.org/policy
The previous Mozilla CCADB Policy document, which was very short, is now
part of the main policy.

Other than the requirement for using the Ten Blessed Methods (July 21
2017), and the requirement for constraints on email intermediates
(January 15 2018 for existing intermediates), all of the new provisions
are effective immediately. You can see the differences here:
https://github.com/mozilla/pkipolicy/compare/2.4.1...2.5

There were a couple of changes post-review; I added a deadline, and we
also made it clear in our policy what is clear elsewhere, that audits
must be yearly, period-of-time, and contiguous.

The copy of the policy on www.mozilla.org will be updated soon; this can
take a few days.
https://bugzilla.mozilla.org/show_bug.cgi?id=1375881

Gerv
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Unknown Intermediates

2017-06-23 Thread Jakob Bohm via dev-security-policy 

On 23/06/2017 14:59, Rob Stradling wrote:

On 22/06/17 10:51, Rob Stradling via dev-security-policy wrote:

On 19/06/17 20:41, Tavis Ormandy via dev-security-policy wrote:



Is this useful? if not, what key usage is interesting?

https://lock.cmpxchg8b.com/ServerOrAny.zip


Thanks for this, Tavis.  I pointed my certscraper 
(https://github.com/robstradling/certscraper) at this URL a couple of 
days ago.  This submitted many of the certs to the Dodo and Rocketeer 
logs.


However, it didn't manage to build chains for all of them.  I haven't 
yet had a chance to investigate why.


There are ~130 CA certificates in 
https://lock.cmpxchg8b.com/ServerOrAny.zip that I've not yet been able 
to submit to any CT logs.


Reasons:
   - Some are only trusted by the old Adobe CDS program.
   - Some are only trusted for Microsoft Kernel Mode Code Signing.
   - Some are very old roots that are no longer trusted.
   - Some are corrupted.
   - Some seem to be from private PKIs.



The SubCAs for Windows 5.01 (XP) to 6.03 (Eight point One) kernel mode
signing are all 10 year cross-certs from a dedicated single-purpose
Microsoft root CA to well known roots from companies like Symantec and
GlobalSign.

They can (or could) be downloaded from a Microsoft support page, I know
of 6 that expired in 2016, 19 that will expire in 2021 and 4 that will
expire in 2023.

The issuing 20 year root is

http://www.microsoft.com/pki/certs/MicrosoftCodeVerifRoot.crt

CN=Microsoft Code Verification Root, O=Microsoft Corporation, L=Redmond, 
ST=Washington, C=US


SHA1 Fingerprint=8F:BE:4D:07:0E:F8:AB:1B:CC:AF:2A:9D:5C:CA:E7:28:2A:2C:66:B3

The relevant root store contains *only* this root, so the issuing (and
possible revocation) of the SubCA/crosscerts acts as a dedicated root
program more restrictive than the normal Microsoft root program.  Chain
validation is often done during boot before TCP/IP is up and running
(even the network drivers are signed with this), so there is no AIA or
OCSP available.  Pre-download CRLs could be checked, but I don't know if
they do that.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Unknown Intermediates

2017-06-23 Thread Peter Bowen via dev-security-policy 
On Fri, Jun 23, 2017 at 6:17 AM, Rob Stradling via dev-security-policy
 wrote:
> On 23/06/17 14:10, Kurt Roeckx via dev-security-policy wrote:
>>
>> On 2017-06-23 14:59, Rob Stradling wrote:
>>>
>>> Reasons:
>>>- Some are only trusted by the old Adobe CDS program.
>>>- Some are only trusted for Microsoft Kernel Mode Code Signing.
>>>- Some are very old roots that are no longer trusted.
>>
>>
>> I wonder if Google's daedalus would like to see some of those.
>
>
> Daedalus only accepts expired certs.  Most of these haven't expired.
>
> If there's interest, I could add these to our Dodo log.

For those three, I would be interested in seeing them.  I wonder if
any match submariner as well.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Unknown Intermediates

2017-06-23 Thread Rob Stradling via dev-security-policy 

On 23/06/17 14:10, Kurt Roeckx via dev-security-policy wrote:

On 2017-06-23 14:59, Rob Stradling wrote:

Reasons:
   - Some are only trusted by the old Adobe CDS program.
   - Some are only trusted for Microsoft Kernel Mode Code Signing.
   - Some are very old roots that are no longer trusted.


I wonder if Google's daedalus would like to see some of those.


Daedalus only accepts expired certs.  Most of these haven't expired.

If there's interest, I could add these to our Dodo log.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Unknown Intermediates

2017-06-23 Thread Kurt Roeckx via dev-security-policy 

On 2017-06-23 14:59, Rob Stradling wrote:

Reasons:
   - Some are only trusted by the old Adobe CDS program.
   - Some are only trusted for Microsoft Kernel Mode Code Signing.
   - Some are very old roots that are no longer trusted.


I wonder if Google's daedalus would like to see some of those.


Kurt
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Unknown Intermediates

2017-06-23 Thread Rob Stradling via dev-security-policy 

On 22/06/17 10:51, Rob Stradling via dev-security-policy wrote:

On 19/06/17 20:41, Tavis Ormandy via dev-security-policy wrote:



Is this useful? if not, what key usage is interesting?

https://lock.cmpxchg8b.com/ServerOrAny.zip


Thanks for this, Tavis.  I pointed my certscraper 
(https://github.com/robstradling/certscraper) at this URL a couple of 
days ago.  This submitted many of the certs to the Dodo and Rocketeer logs.


However, it didn't manage to build chains for all of them.  I haven't 
yet had a chance to investigate why.


There are ~130 CA certificates in 
https://lock.cmpxchg8b.com/ServerOrAny.zip that I've not yet been able 
to submit to any CT logs.


Reasons:
  - Some are only trusted by the old Adobe CDS program.
  - Some are only trusted for Microsoft Kernel Mode Code Signing.
  - Some are very old roots that are no longer trusted.
  - Some are corrupted.
  - Some seem to be from private PKIs.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy