Re: AC FNMT Usuarios and anyExtendedKeyUsage

2017-08-18 Thread Eric Mill via dev-security-policy
Hi Jose,

Apologies, on looking back through m.d.s.p, it's clear attachments aren't
processed by the list configuration. Would you be able to post it to a URL,
or attach it to a bugzilla bug?

-- Eric

On Fri, Aug 18, 2017 at 10:01 AM, Eric Mill  wrote:

> Hi Jose,
>
> There was no attachment to your email. Would you mind re-sending with an
> attachment?
>
> On Fri, Aug 18, 2017 at 8:17 AM, Jose Manuel Torres via
> dev-security-policy  wrote:
>
>> Hello everyone,
>>
>> In response to the questions raised:
>>
>> AC FNMT Usuarios does not issue TLS / SSL certificates, as evidenced by the
>> attached document: Audit Attestation - ETSI Assessment 2017, FNMT CAs and
>> TSUs.
>>
>> Regarding the anyExtendedKeyUsage EKU, since January 2017 it is no longer
>> incorporated into the certificates issued by AC FNMT Usuarios, so it should
>> not be possible to use it for TLS server authentication.
>>
>> In this sense, the certificate indicated in this incident was issued prior
>> to the change indicated.
>>
>> Taking these considerations into account, FNMT considers that a revocation
>> of the intermediate CA by OneCRL is not necessary.
>> ___
>> dev-security-policy mailing list
>> dev-security-policy@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-security-policy
>>
>
>
>
> --
> konklone.com | @konklone 
>



-- 
konklone.com | @konklone 


Re: AC FNMT Usuarios and anyExtendedKeyUsage

2017-08-18 Thread Kurt Roeckx via dev-security-policy

On 2017-08-18 16:01, Eric Mill wrote:
> Hi Jose,
>
> There was no attachment to your email. Would you mind re-sending with an
> attachment?

Attachments never make it to the list.


Kurt



Re: AC FNMT Usuarios and anyExtendedKeyUsage

2017-08-18 Thread Eric Mill via dev-security-policy
Hi Jose,

There was no attachment to your email. Would you mind re-sending with an
attachment?

On Fri, Aug 18, 2017 at 8:17 AM, Jose Manuel Torres via dev-security-policy
 wrote:

> Hello everyone,
>
> In response to the questions raised:
>
> AC FNMT Usuarios does not issue TLS / SSL certificates, as evidenced by the
> attached document: Audit Attestation - ETSI Assessment 2017, FNMT CAs and
> TSUs.
>
> Regarding the anyExtendedKeyUsage EKU, since January 2017 it is no longer
> incorporated into the certificates issued by AC FNMT Usuarios, so it should
> not be possible to use it for TLS server authentication.
>
> In this sense, the certificate indicated in this incident was issued prior
> to the change indicated.
>
> Taking these considerations into account, FNMT considers that a revocation
> of the intermediate CA by OneCRL is not necessary.
>



-- 
konklone.com | @konklone 


Re: AC FNMT Usuarios and anyExtendedKeyUsage

2017-08-18 Thread Jose Manuel Torres via dev-security-policy
Hello everyone,

In response to the questions raised:

AC FNMT Usuarios does not issue TLS / SSL certificates, as evidenced by the
attached document: Audit Attestation - ETSI Assessment 2017, FNMT CAs and
TSUs.

Regarding the anyExtendedKeyUsage EKU, since January 2017 it is no longer
incorporated into the certificates issued by AC FNMT Usuarios, so it should
not be possible to use it for TLS server authentication.

In this sense, the certificate indicated in this incident was issued prior
to the change indicated.

Taking these considerations into account, FNMT considers that a revocation
of the intermediate CA by OneCRL is not necessary.


AC FNMT Usuarios and anyExtendedKeyUsage

2017-08-08 Thread Jonathan Rudenberg via dev-security-policy
The "AC FNMT Usuarios” intermediate operated by the Government of Spain, 
Fábrica Nacional de Moneda y Timbre (FNMT) issues certificates that are not 
BR-compliant. This was acknowledged during the FNMT root inclusion request 
discussion and allowed as long as the intermediate "never issues TLS/SSL 
certificates”[0].

Recently, some certificates issued from this intermediate were logged to CT, so 
we can see what they look like[1].

While they do not contain dnsName SANs, they do contain the anyExtendedKeyUsage 
EKU which makes them technically usable for TLS server authentication and in 
scope for the Mozilla Root Store Policy.

Additionally, I was able to find one of these certificates[2] served from a TLS 
server in Censys[3].

This is information that does not appear to have been available at the time of 
the root inclusion discussion last year, so I thought I’d point it out.

Jonathan

[0] 
https://groups.google.com/d/msg/mozilla.dev.security.policy/7wIZmwp4qGQ/wRQgVVz2CQAJ
[1] https://crt.sh/?Identity=%25=6664
[2] https://crt.sh/?opt=cablint=145250473
[3] https://censys.io/ipv4/213.96.188.218


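A check for the scoping point Jonathan raises above, added here as an example and not part of the thread: it decodes an ExtKeyUsage extension value (DER) with a small hand-written parser and applies the rule that an absent EKU, id-kp-serverAuth, or anyExtendedKeyUsage makes a certificate technically usable for TLS server authentication. The sample DER values are constructed for the example, not taken from the FNMT certificates.

```python
"""Decode a DER ExtKeyUsage value and apply the thread's scoping rule: no EKU,
or an EKU naming id-kp-serverAuth or anyExtendedKeyUsage, means TLS-capable."""

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ANY_EKU = "2.5.29.37.0"  # anyExtendedKeyUsage

def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the octet count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Turn OBJECT IDENTIFIER content octets into dotted-decimal form."""
    arcs, acc = [], 0
    for b in value:  # base-128, high bit set on every octet but the last
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)  # the first two arcs are packed as 40*X + Y
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def parse_eku(der):
    """ExtKeyUsage ::= SEQUENCE OF OBJECT IDENTIFIER; returns dotted OIDs."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ExtKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(decode_oid(value))
    return oids

def tls_server_capable(eku_der):
    """None means the extension is absent, which leaves key usage unrestricted."""
    if eku_der is None:
        return True
    oids = parse_eku(eku_der)
    return SERVER_AUTH in oids or ANY_EKU in oids

# Constructed sample (not from the thread's certs): { anyExtendedKeyUsage, id-kp-clientAuth }
SAMPLE_ANY_EKU = bytes.fromhex("3010" "0604551d2500" "06082b06010505070302")
# Constructed sample: { id-kp-clientAuth, id-kp-emailProtection }, so not TLS-capable
SAMPLE_NO_TLS = bytes.fromhex("3014" "06082b06010505070302" "06082b06010505070304")
```

Run over a real certificate's EKU extension value, a True result with no dNSName SANs is exactly the situation the thread describes: in scope for the Mozilla Root Store Policy despite not looking like a TLS certificate.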