Re: ETSI Audits Almost Always FAIL to list audit period

2017-11-07 Thread Arno Fiedler via dev-security-policy
On Tuesday, 31 October 2017 10:21:47 UTC+1, Dimitris Zacharopoulos wrote: > It is not the first time this issue is brought up. While I have a very > firm opinion that ETSI auditors under the ISO 17065 (focused on the > quality of products/services) and ETSI EN 319 403 definitely check >

Re: Estonia e-residency instructing users not to update Firefox (on Mac)

2017-11-07 Thread Gervase Markham via dev-security-policy
On 02/11/17 11:39, Henri Sivonen wrote: > A Medium post claiming[1] to represent Estonia e-residency > https://medium.com/e-residency-blog/estonia-is-enhancing-the-security-of-its-digital-identities-361b9a3c9c52 > instructs Mac users not to update Firefox from December 15 2017 onwards. Thank you

RE: DigiCert ROCA fingerprint incident report

2017-11-07 Thread Jeremy Rowley via dev-security-policy
More info (that was sent to me a while ago, I just missed the report): There were actually seven. I missed this one: Serial: "a18e9" We installed a patch to stop accepting ROCA keys for TLS certs on 2017-10-26. A patch for code signing and email certs is coming shortly. Once that patch is

RE: DigiCert ROCA fingerprint incident report

2017-11-07 Thread Jeremy Rowley via dev-security-policy
Yeah - still trying to get that info. I'll update this list right when I know what's been done. I'm not 100% sure at this point, but I wanted to post early and update rather than wait until I know everything. Sorry - should have specified that in the original email. -Original Message- From:

Re: DigiCert ROCA fingerprint incident report

2017-11-07 Thread Kurt Roeckx via dev-security-policy
Hi, What I miss is what has been done to prevent new ones from being issued. Kurt On Tue, Nov 07, 2017 at 06:20:53PM +, Jeremy Rowley via dev-security-policy wrote: > Hey everyone, > > > > Here's the DigiCert incident report about the ROCA fingerprints. Note that > these were all

RE: DigiCert ROCA fingerprint incident report

2017-11-07 Thread Jeremy Rowley via dev-security-policy
I believe so – I asked that they all be logged, but I’ll need to double check whether it got done. From: Alex Gaynor [mailto:agay...@mozilla.com] Sent: Tuesday, November 7, 2017 11:23 AM To: Jeremy Rowley Cc: mozilla-dev-security-pol...@lists.mozilla.org

Re: DigiCert ROCA fingerprint incident report

2017-11-07 Thread Alex Gaynor via dev-security-policy
Hi Jeremy, Have all these certificates been submitted to CT? Thanks! Alex On Tue, Nov 7, 2017 at 1:20 PM, Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Hey everyone, > > > > Here's the DigiCert incident report about the ROCA fingerprints. Note that >

DigiCert ROCA fingerprint incident report

2017-11-07 Thread Jeremy Rowley via dev-security-policy
Hey everyone, Here's the DigiCert incident report about the ROCA fingerprints. Note that these were all issued by Symantec (ie, before the transaction closed). We became aware of the issue when it was posted to the mailing list. However, at that time, the certs were not operated by

Re: Third party use of OneCRL

2017-11-07 Thread Ryan Sleevi via dev-security-policy
Apologies, my understanding is that the XML is synced from the JSON, rather than the other way around See https://wiki.mozilla.org/Firefox/Kinto#Blocklists That is, the canonical source is Kinto (JSON), that is then used to drive the generation of the blocklist.xml (so that released binaries

Re: Third party use of OneCRL

2017-11-07 Thread Niklas Bachmaier via dev-security-policy
Thanks a lot, Ryan! Your comment on the Firefox specific selection of revoked certificates contained in the list is definitely a point we'll have to consider. One more question: do I see it correctly that what is being called OneCRL is the "certItems" part of

Re: ETSI audits not listing audit periods

2017-11-07 Thread Jakob Bohm via dev-security-policy
On 06/11/2017 17:05, m.wiedenho...@tuvit.de wrote: TÜViT as a conformity assessment body would like to add some explanations to clear up some misunderstandings about ETSI auditing. First of all, we would like to give one preliminary remark. ETSI has separated the TSP technical requirements

Re: Third party use of OneCRL

2017-11-07 Thread Ryan Sleevi via dev-security-policy
Note that additions and removals made in OneCRL relate to the behaviour of mozilla::pkix and the trust lists expressed by the associated version of NSS shipping with the supported versions of Firefox. For example, this includes revocation of 'email only' CAs (that are not appropriately

RE: ETSI Audits Almost Always FAIL to list audit period

2017-11-07 Thread Buschart, Rufus via dev-security-policy
For example, in all our audits for other standards, no “audit period” is clearly documented in the report; time since previous audit is always implied. >>> >>> Again, I don't believe that it is reasonable to assume that >>> auditing/sampling has been done over the full year. >>>

Third party use of OneCRL

2017-11-07 Thread niklas.bachmaier--- via dev-security-policy
Hi all, I'm working for a big managed security provider. We would like to benefit from OneCRL as a means of improving our certificate revocation checking. I could download OneCRL at https://firefox.settings.services.mozilla.com/v1/buckets/blocklists/collections/certificates/records. My

Re: ETSI audits not listing audit periods

2017-11-07 Thread Moudrick M. Dadashov via dev-security-policy
Thank you for the clarification. Do you think the terms "approval scheme", "supervision scheme", "accreditation scheme" etc. (used in some ETSI TSs or the Commission Decisions) have the same meaning and ETSI EN 319 403 is just one of the possible "certification schemes"? Thanks, M.D. On

Re: Incident Report : GlobalSign certificates with ROCA Fingerprint

2017-11-07 Thread Gervase Markham via dev-security-policy
On 03/11/17 18:16, douglas.beat...@gmail.com wrote: > Here is the final incident report Thanks, Doug :-) Gerv

Re: ETSI audits not listing audit periods

2017-11-07 Thread m.wiedenhorst--- via dev-security-policy
TÜViT as a conformity assessment body would like to add some explanations to clear up some misunderstandings about ETSI auditing. First of all, we would like to give one preliminary remark. ETSI has separated the TSP technical requirements (ETSI EN 319 411-1, ETSI EN 319 401) from the CAB