Re: Audits for new subCAs

2018-03-23 Thread Jakob Bohm via dev-security-policy
for multiple certs and never issued certs. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Servi

Re: Policy 2.6 Proposal: Move Compliance Date into policy

2018-03-21 Thread Jakob Bohm via dev-security-policy
version if applicable, but also assigning one or more employees to the task), could be done in a week or so, maybe a month if the deciding boss is on holiday on the publication date.

Re: TURKTRUST Non-compliance

2018-03-20 Thread Jakob Bohm via dev-security-policy
audit of no issuance (technically a full audit) is overdue, which is clearly a problem.

Re: TURKTRUST Non-compliance

2018-03-20 Thread Jakob Bohm via dev-security-policy
On 20/03/2018 18:49, Ryan Sleevi wrote: On Tue, Mar 20, 2018 at 1:30 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: Are you suggesting that the BRs be modified so a CA that has ceased issuance can obtain a clean audit report without meeting all c

Re: TURKTRUST Non-compliance

2018-03-20 Thread Jakob Bohm via dev-security-policy
On 20/03/2018 17:39, Wayne Thayer wrote: Jakob, On Mon, Mar 19, 2018 at 9:48 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On 17/03/2018 01:23, Wayne Thayer wrote: Note, that if it is reasonably certain/validated that the only activity is maint

Re: TURKTRUST Non-compliance

2018-03-19 Thread Jakob Bohm via dev-security-policy
T/zertifikate/en/6749UE_s.pdf <https://cabforum.org/pipermail/public/2016-September/008475.html> [5] https://cabforum.org/pipermail/public/2016-September/008475.html <https://cabforum.org/pipermail/public/2016-September/008475.html> [6] https://bugzilla.mozilla.org/show_bug.cgi?id=1439127

Re: Mis-issuance of certificate with https in CN/SAN

2018-03-15 Thread Jakob Bohm via dev-security-policy
n the FQDN and to investigate if any additional problematic certificates existed. B. CTJ patched its system on Mar 14. Ben Wilson, JD, CISA, CISSP DigiCert VP Compliance

Re: Process of including ca root in mozilla

2018-03-08 Thread Jakob Bohm via dev-security-policy
don't add that restriction themselves.

Re: Following up on Trustico: reseller practices and accountability

2018-03-06 Thread Jakob Bohm via dev-security-policy
sts that if the Mozilla program introduces their own requirements around reseller management and disclosure then the probability of a CABF ballot with similar restrictions passing is relatively high (thus getting it into the audit regime).

Re: Allowing WebExtensions to Override Certificate Trust Decisions

2018-02-27 Thread Jakob Bohm via dev-security-policy

Re: Code signing and malware

2018-02-26 Thread Jakob Bohm via dev-security-policy
On 26/02/2018 21:28, Ryan Sleevi wrote: On Mon, Feb 26, 2018 at 3:05 PM, Wayne Thayer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On Mon, Feb 26, 2018 at 12:23 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On 2

Re: Code signing and malware

2018-02-26 Thread Jakob Bohm via dev-security-policy
a) are highly likely to be true, as EV codesign is only available for SmartCard/HSM/USBToken stored private keys, making theft of properly issued certificates near impossible.

Re: CA Program for security researchers

2018-02-22 Thread Jakob Bohm via dev-security-policy
On Thu, Feb 22, 2018 at 10:10 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On 22/02/2018 22:17, James Burton wrote: There needs to be a program that helps security researchers like myself get free or low cost certificates for research purposes. T

Re: CA Program for security researchers

2018-02-22 Thread Jakob Bohm via dev-security-policy
low. Even for testing. Especially since such research certificates are probably going to trigger additional manual revocation procedures (= more man-hours to be paid).

Re: DRAFT January 2018 CA Communication

2018-01-26 Thread Jakob Bohm via dev-security-policy
apply, at least, to GlobalSign according to another thread).

Re: GlobalSign certificate with far-future notBefore

2018-01-24 Thread Jakob Bohm via dev-security-policy
icate is issued until the Expiry Date BR 6.3.2 sets the limits on the "validity period" So the BRs limit the time between the /actual/ date of issuance and the "Not After" date in the certificate.

Re: Updating Root Inclusion Criteria (organizations)

2018-01-22 Thread Jakob Bohm via dev-security-policy
On 22/01/2018 10:47, Gervase Markham wrote: On 19/01/18 13:20, Jakob Bohm wrote: My suggestions are only meant to inspire formal rules written / chosen by module leaders such as you. But the entire point of this discussion is that we are pointing out it's hard to make such rules in the way

Re: TLS-SNI-01 and compliance with BRs

2018-01-19 Thread Jakob Bohm via dev-security-policy
g the ACME spec, but it sure seems like the validation is not being done on the ADN. Doug

Re: Updating Root Inclusion Criteria (organizations)

2018-01-19 Thread Jakob Bohm via dev-security-policy
On 19/01/2018 11:09, Gervase Markham wrote: On 19/01/18 01:05, Jakob Bohm wrote: On 18/01/2018 11:01, Gervase Markham wrote: On 17/01/18 19:49, Jakob Bohm wrote: 3. Major vertical CAs for high value business categories that issue publicly trusted certificates at better than EV level

Re: Updating Root Inclusion Criteria (organizations)

2018-01-18 Thread Jakob Bohm via dev-security-policy
On 18/01/2018 11:01, Gervase Markham wrote: On 17/01/18 19:49, Jakob Bohm wrote: 3. Major vertical CAs for high value business categories that issue publicly trusted certificates at better than EV level integrity. For How do you define "major"? And "high value business cate

Re: Updating Root Inclusion Criteria (organizations)

2018-01-17 Thread Jakob Bohm via dev-security-policy
On 17/01/2018 22:51, Peter Bowen wrote: On Wed, Jan 17, 2018 at 11:49 AM, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: 4. Selected company CAs for a handful of too-big-to-ignore companies that refuse to use a true public CA. This would currently pr

Re: Updating Root Inclusion Criteria

2018-01-17 Thread Jakob Bohm via dev-security-policy
On 17/01/2018 23:03, Jonathan Rudenberg wrote: On Jan 17, 2018, at 16:24, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: On 17/01/2018 21:14, Jonathan Rudenberg wrote: On Jan 17, 2018, at 14:27, Jakob Bohm via dev-security-policy <dev-securi

Re: Updating Root Inclusion Criteria

2018-01-17 Thread Jakob Bohm via dev-security-policy
On 17/01/2018 21:14, Jonathan Rudenberg wrote: On Jan 17, 2018, at 14:27, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: On 17/01/2018 16:13, Jonathan Rudenberg wrote: On Jan 17, 2018, at 09:54, Alex Gaynor via dev-security-policy <dev-securi

Re: Updating Root Inclusion Criteria (organizations)

2018-01-17 Thread Jakob Bohm via dev-security-policy
e included in Mozilla's root program MUST: 1. provide some service relevant to typical users of our software products;

Re: Updating Root Inclusion Criteria

2018-01-17 Thread Jakob Bohm via dev-security-policy
owards ensuring that the roots accepted are operated with the high level goals described by Alex in mind, and allow more agility at the root store level to respond to issues. Jonathan

Re: 2018.01.09 Issue with TLS-SNI-01 and Shared Hosting Infrastructure

2018-01-12 Thread Jakob Bohm via dev-security-policy
party posts) asking hosting providers to block uploads of certificates for acme.invalid. This situation has since changed, and most of my suggestions are thus mostly moot.

Re: 2018.01.09 Issue with TLS-SNI-01 and Shared Hosting Infrastructure

2018-01-11 Thread Jakob Bohm via dev-security-policy
On 11/01/2018 05:38, Ryan Sleevi wrote: On Thu, Jan 11, 2018 at 2:46 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On 11/01/2018 01:08, Ryan Sleevi wrote: On Wed, Jan 10, 2018 at 6:35 PM, Jakob Bohm via dev-security-policy < dev-securi

Re: 2018.01.09 Issue with TLS-SNI-01 and Shared Hosting Infrastructure

2018-01-10 Thread Jakob Bohm via dev-security-policy
On 11/01/2018 01:08, Ryan Sleevi wrote: On Wed, Jan 10, 2018 at 6:35 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: Agree. Hence my suggestion that TLS-SNI-0next use a name under the customer's domain (such as the name used for DNS-01), not a name

Re: 2018.01.09 Issue with TLS-SNI-01 and Shared Hosting Infrastructure

2018-01-10 Thread Jakob Bohm via dev-security-policy
s to keep whitelists and blacklists of hostable TLDs.

Re: 2018.01.09 Issue with TLS-SNI-01 and Shared Hosting Infrastructure

2018-01-10 Thread Jakob Bohm via dev-security-policy
other certificate can have been issued in violation of all formal procedures but (by dumb luck) been issued to the right party and thus not misissued anyway (though proving so may be difficult within the short timeframe needed to revoke it due to lack of reason to believe it wasn't misissued in the

Re: 2018.01.09 Issue with TLS-SNI-01 and Shared Hosting Infrastructure

2018-01-10 Thread Jakob Bohm via dev-security-policy
On 10/01/2018 16:38, ssimon.g...@gmail.com wrote: On Wednesday, January 10, 2018 at 3:34:51 PM UTC+1, Jakob Bohm wrote: Depending on exactly how the shared web server is misconfigured I don't think the web server is misconfigured: serving a self signed cert for any domain - even one that I

Re: 2018.01.09 Issue with TLS-SNI-01 and Shared Hosting Infrastructure

2018-01-10 Thread Jakob Bohm via dev-security-policy
._acme.requested.domain.example.com since that would allow hosting providers to restrict certificate uploads that claim to be for other customers domains. Maybe the name form used by TLS-SNI-02 could be the same as for the DNS-01 challenge. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com

Re: Serial number length

2018-01-01 Thread Jakob Bohm via dev-security-policy
017 18:48, Ryan Sleevi wrote: Or just generate longer serials with random. Which is much simpler. On Fri, Dec 29, 2017 at 11:57 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On 29/12/2017 13:55, Nick Lamb wrote: On Fri, 29 Dec 2017 07:24:31 +010

Re: Serial number length

2017-12-29 Thread Jakob Bohm via dev-security-policy
On 29/12/2017 13:55, Nick Lamb wrote: On Fri, 29 Dec 2017 07:24:31 +0100 Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: 3. Or would the elimination in #2 reduce the entropy of such serial numbers to slightly less than 64 bits (since there are less

Serial number length

2017-12-28 Thread Jakob Bohm via dev-security-policy
for all but the first such certificate)? 4. If the answers are yes, no, yes, why doesn't cablint flag certificates with serial numbers of less than or equal to 64 bits as non-compliant?

Re: CA generated keys

2017-12-28 Thread Jakob Bohm via dev-security-policy
On 15/12/2017 22:33, Ryan Hurst wrote: On Tuesday, December 12, 2017 at 1:08:24 PM UTC-8, Jakob Bohm wrote: On 12/12/2017 21:39, Wayne Thayer wrote: On Tue, Dec 12, 2017 at 7:45 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On 12/12/2017 19:39,

Re: On the value of EV

2017-12-14 Thread Jakob Bohm via dev-security-policy
On 15/12/2017 02:30, Ryan Sleevi wrote: On Thu, Dec 14, 2017 at 5:01 PM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On 14/12/2017 00:23, Peter Gutmann wrote: Tim Shirley via dev-security-policy < dev-security-policy@lists.mozilla.or

Re: On the value of EV

2017-12-14 Thread Jakob Bohm via dev-security-policy
s have more need of a signalling mechanism like that than anyone else. Peter.

Re: On the value of EV

2017-12-14 Thread Jakob Bohm via dev-security-policy
assification of what is stronger/weaker/equivalent/incomparable).

Re: On the value of EV

2017-12-14 Thread Jakob Bohm via dev-security-policy

Re: On the value of EV

2017-12-14 Thread Jakob Bohm via dev-security-policy
the entirety of the US nation, of which the government is just one major part. They are at an Organization level. However there are two OID paths in that regard. What OID paths?

Re: On the value of EV

2017-12-13 Thread Jakob Bohm via dev-security-policy
On 13/12/2017 18:38, Nick Lamb wrote: On Wed, 13 Dec 2017 12:29:40 +0100 Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: What is *programmatically* enforced is too little for human safety. believing that computers can replace human judgement is a big m

Re: On the value of EV

2017-12-13 Thread Jakob Bohm via dev-security-policy
conducted behavioral experiments (not to be confused with A/B experiments on unwilling participants). On 13/12/2017 13:39, Ryan Sleevi wrote: On Wed, Dec 13, 2017 at 6:29 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: Yes. This is the foundation

Re: On the value of EV

2017-12-13 Thread Jakob Bohm via dev-security-policy
On 12/12/2017 22:51, Ryan Sleevi wrote: On Tue, Dec 12, 2017 at 3:44 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: What you are writing below, with far too many words is that you think that URLs are the only identities that matter in this

Re: CA generated keys

2017-12-12 Thread Jakob Bohm via dev-security-policy
On 12/12/2017 21:39, Wayne Thayer wrote: On Tue, Dec 12, 2017 at 7:45 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On 12/12/2017 19:39, Wayne Thayer wrote: The outcome to be avoided is a CA that holds in escrow thousands of private keys used f

Re: On the value of EV

2017-12-12 Thread Jakob Bohm via dev-security-policy
On 12/12/2017 20:04, Ryan Sleevi wrote: On Tue, Dec 12, 2017 at 1:11 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: The overall thing is that the current thread seems to be a major case of throwing the baby out with the bathwater. That is

Re: CA generated keys

2017-12-12 Thread Jakob Bohm via dev-security-policy
tore it securely Wayne

Re: On the value of EV

2017-12-12 Thread Jakob Bohm via dev-security-policy
On 12/12/2017 18:31, Jonathan Rudenberg wrote: On Dec 12, 2017, at 08:36, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: A lot of people have posed suggestions for countermeasures so extreme they should not be taken seriously. This includes discont

Re: On the value of EV

2017-12-12 Thread Jakob Bohm via dev-security-policy
On 12/12/2017 18:19, Ryan Sleevi wrote: On Tue, Dec 12, 2017 at 8:36 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On 12/12/2017 01:08, Adam Caudill wrote: Even if it is, someone filed the paperwork. Court houses have clerks, guards, video c

Re: On the value of EV

2017-12-12 Thread Jakob Bohm via dev-security-policy
e per-country and global lists of name-dominating organizations will both take some time and should be done in parallel.

Re: Mozilla RSA-PSS policy

2017-12-01 Thread Jakob Bohm via dev-security-policy
On 01/12/2017 17:06, Ryan Sleevi wrote: On Fri, Dec 1, 2017 at 10:33 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: Depending on the prevalence of non-public CAs (not listed in public indexes) based on openssl (this would be a smallish company thin

Re: Mozilla RSA-PSS policy

2017-12-01 Thread Jakob Bohm via dev-security-policy
e NSS with final TLS 1.3 version ships

Re: Question on CAA processing for mixed wildcard and non-wildcard SAN DNS names

2017-11-28 Thread Jakob Bohm via dev-security-policy
On 28/11/2017 15:53, Nick Lamb wrote: On Tue, 28 Nov 2017 04:26:30 +0100 Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: Nick Lamb, in the message I replied to, clearly suggested as much, and provided a contrived scenario to "prove" that poin

Re: Question on CAA processing for mixed wildcard and non-wildcard SAN DNS names

2017-11-27 Thread Jakob Bohm via dev-security-policy
On 28/11/2017 04:16, Ryan Sleevi wrote: On Mon, Nov 27, 2017 at 8:29 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On 27/11/2017 19:37, Nick Lamb wrote: On Fri, 24 Nov 2017 12:25:40 + Gervase Markham via dev-security-policy <dev-securi

Re: Question on CAA processing for mixed wildcard and non-wildcard SAN DNS names

2017-11-27 Thread Jakob Bohm via dev-security-policy
On 28/11/2017 02:29, Jakob Bohm wrote: On 27/11/2017 19:37, Nick Lamb wrote: On Fri, 24 Nov 2017 12:25:40 + Gervase Markham via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: ... While your scenario below sounds compelling, it is very much a contrived sc

Re: Possible future re-application from WoSign (now WoTrus)

2017-11-27 Thread Jakob Bohm via dev-security-policy

Re: Possible future re-application from WoSign (now WoTrus)

2017-11-22 Thread Jakob Bohm via dev-security-policy
On 22/11/2017 16:38, Gervase Markham wrote: On 22/11/17 10:54, Jakob Bohm wrote: Some notes about previously discussed items: Mozilla is not suggesting that WoSign has completed all of the steps. The entire point is that we want to have this pre-discussion before they make the effort to do so

Re: Possible future re-application from WoSign (now WoTrus)

2017-11-22 Thread Jakob Bohm via dev-security-policy
f WoSign and > other responsibilities. It is not decided who will replace him. > > ... Although not listed in the Action plan in #1311824, it is noteworthy that Richard Wang has apparently not been relieved of his other responsibilities, only the CEO title. Was this part of the o

Re: .tg Certificates Issued by Let's Encrypt

2017-11-13 Thread Jakob Bohm via dev-security-policy
- Other - explain ~~ Thanks, Kathleen

Re: ETSI audits not listing audit periods

2017-11-07 Thread Jakob Bohm via dev-security-policy
a referenced ETSI standard.

Re: Incident report: Certificates with error in subject: postalCode

2017-11-02 Thread Jakob Bohm via dev-security-policy

Re: Efficient test for weak RSA keys generated in Infineon TPMs / smartcards

2017-10-16 Thread Jakob Bohm via dev-security-policy
to deobfuscate the bitmasks with your favorite bignum calculator.

Re: Incident Report format

2017-09-29 Thread Jakob Bohm via dev-security-policy
t might be a good example of that happening). 6. Under "Incident Report", item 3, remove the word "TLS/SSL" to make the bullet point equally applicable to e-mail certs, OCSP certs etc.

Re: Public trust of VISA's CA

2017-09-20 Thread Jakob Bohm via dev-security-policy
uration.

Re: FW: StartCom inclusion request: next steps

2017-09-14 Thread Jakob Bohm via dev-security-policy
activating the Certinomis path for their server.

Re: CAA Certificate Problem Report

2017-09-14 Thread Jakob Bohm via dev-security-policy
ROR or NXDOMAIN and which indicates that no such record is there. Real world experience may add a few other error codes indicating valid absence of a record in an unsigned zone.

Re: PROCERT issues

2017-09-08 Thread Jakob Bohm via dev-security-policy
. level domain under local. as the certificate holder(s). The main issue here is that since the local. TLD doesn't have an official registry, there is no way that the CA could have properly validated that *any* applicant was the proper owner of such a 2nd level domain, because no one is. E

Re: Idea for a stricter name constraint interpretation

2017-09-07 Thread Jakob Bohm via dev-security-policy
On 07/09/2017 21:00, Ryan Sleevi wrote: On Thu, Sep 7, 2017 at 1:20 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: All but one of your suggestions would require the revocation of existing SubCA certificates, essentially invalidating all existin

Re: Idea for a stricter name constraint interpretation

2017-09-07 Thread Jakob Bohm via dev-security-policy
On 01/09/2017 20:07, Ryan Sleevi wrote: On Fri, Sep 1, 2017 at 2:07 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: ... So, from the get-go with the standards, it was possible to name constrain DNS. Unless you were referencing certificates prior t

Re: Idea for a stricter name constraint interpretation

2017-09-01 Thread Jakob Bohm via dev-security-policy
On 01/09/2017 02:14, Ryan Sleevi wrote: On Thu, Aug 31, 2017 at 5:21 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On 31/08/2017 22:26, Ryan Sleevi wrote: Agreed. But in general, in order to maintain interoperability, there's a process for bu

Re: Idea for a stricter name constraint interpretation

2017-08-31 Thread Jakob Bohm via dev-security-policy
On 31/08/2017 22:26, Ryan Sleevi wrote: On Thu, Aug 31, 2017 at 4:13 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: I am aware that this was the original specification. However like many other parts of PKIX it may not be as good in 20/20 hin

Re: Idea for a stricter name constraint interpretation

2017-08-31 Thread Jakob Bohm via dev-security-policy
On 31/08/2017 21:49, Ryan Sleevi wrote: On Thu, Aug 31, 2017 at 8:18 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: Would it be beneficial to Mozilla in particular and the larger PKI community in general if the following was added to implement

Idea for a stricter name constraint interpretation

2017-08-31 Thread Jakob Bohm via dev-security-policy
n people's mail boxes.

Re: Violations of Baseline Requirements 4.9.10

2017-08-31 Thread Jakob Bohm via dev-security-policy
g Root R2 Example cert: https://crt.sh/?q=239ffa86d71033ba255914782057d87e8421aedd5910b786928b6a1248c3e341 OCSP URI: http://rootcar2-ocsp.disig.sk/ocsp/rootcar2 -Paul

Re: Regarding CA requirements as to technical infrastructure utilized in automated domain validations, etc. (if any)

2017-08-29 Thread Jakob Bohm via dev-security-policy
ent Amazon availability zones for example).

Re: Certificates with less than 64 bits of entropy

2017-08-17 Thread Jakob Bohm via dev-security-policy
/vl5eq0PoJxY/W1D4oZ__BwAJ You can also consider post-mortems from related parts, such as CT logs, as seen in Venafi's CT log post-mortem at https://groups.google.com/a/chromium.org/d/msg/ct-policy/ohtZ64gLN3I/namq_NDmAQAJ

Re: TrustCor root inclusion request

2017-08-14 Thread Jakob Bohm via dev-security-policy
hain to different current signature algorithms, to minimize risks associated with future distrust of such algorithms.

Re: Symantec Update on SubCA Proposal

2017-08-14 Thread Jakob Bohm via dev-security-policy
solutions to DigiCert because this transaction accelerates the transition for our customers to an existing PKI platform at DigiCert that meets all industry standards and browser requirements, ensuring continuity for our customers and providing a foundation for continued innovation.

Re: Certificates with invalidly long serial numbers

2017-08-11 Thread Jakob Bohm via dev-security-policy
ship with the customer, perhaps only an email address that can be used to let them know their website is about to go down. -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley= digicert.com@lists.mozilla .org] On Behalf Of Jakob Bohm via dev-security-po

Re: Certificates with improperly normalized IDNs

2017-08-10 Thread Jakob Bohm via dev-security-policy
On 11/08/2017 00:14, Ryan Sleevi wrote: On Thu, Aug 10, 2017 at 5:31 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: This raises the question if CAs should be responsible for misissued domain names, or if they should be allowed to issue certif

Re: Certificates with improperly normalized IDNs

2017-08-10 Thread Jakob Bohm via dev-security-policy
On 11/08/2017 00:00, Jonathan Rudenberg wrote: On Aug 10, 2017, at 17:31, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: On 10/08/2017 22:22, Jonathan Rudenberg wrote: RFC 5280 section 7.2 and the associated IDNA RFC requires that Internationalized

Re: Misissued certificates

2017-08-10 Thread Jakob Bohm via dev-security-policy
On 11/08/2017 00:29, Jonathan Rudenberg wrote: On Aug 10, 2017, at 17:04, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: Can anyone point out a real world X.509 framework that gets confused by a redundant pathlen:0 in a CA:FALSE certificate? (

Re: Certificates with invalidly long serial numbers

2017-08-10 Thread Jakob Bohm via dev-security-policy
r the cost. On Thu, Aug 10, 2017 at 5:39 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: But that would require the issuer of the replacement cert (which might not be a fast-issue DV cert) to complete validation in something like 36 hours, which is m

Re: Certificates with invalidly long serial numbers

2017-08-10 Thread Jakob Bohm via dev-security-policy
joy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones an

Re: Certificates with improperly normalized IDNs

2017-08-10 Thread Jakob Bohm via dev-security-policy
registrar is currently RUCENTER-RF xn--b1addckdrqixje4a xn--f1awi Third level domains, subscriber responsibility: xn--80aqafgnbi xn-blcihca2aqinbjzlgp0hrd8c Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 3

Re: Misissued certificates

2017-08-10 Thread Jakob Bohm via dev-security-policy
? (Merely to assess the seriousness of the issue, given that the certificate was already revoked). Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain

Re: Certificates with invalidly long serial numbers

2017-08-09 Thread Jakob Bohm via dev-security-policy
n violation of the BRs, which I would expect any competent CA to be eminently capable of doing. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may

Re: Certificates with invalidly long serial numbers

2017-08-09 Thread Jakob Bohm via dev-security-policy
which are expected to get a longer deadline if the proposed changes go through. For such, maybe post public descriptions, but delay on the formal filing that would start the 24 hour clock. On Aug 8, 2017, at 1:02 PM, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.

Re: Certificates with invalidly long serial numbers

2017-08-09 Thread Jakob Bohm via dev-security-policy
bad for interoperability to have certificates randomly disappear due to someone filing mass-bugs for violations of formalities. Alex On Tue, Aug 8, 2017 at 2:43 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: Some people seemed to require 2

Re: Certificates with invalidly long serial numbers

2017-08-08 Thread Jakob Bohm via dev-security-policy
applied to them have been for grotesque abuse of the trust vested in them. Alex On Tue, Aug 8, 2017 at 2:25 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On 08/08/2017 18:43, Ryan Sleevi wrote: On Tuesday, August 8, 2017 at 11:05:06 PM UTC+9, Jako

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-08 Thread Jakob Bohm via dev-security-policy
On 08/08/2017 19:44, Ryan Sleevi wrote: On Tuesday, August 8, 2017 at 8:52:54 PM UTC+9, Jakob Bohm wrote: On 08/08/2017 12:54, Nick Lamb wrote: On Monday, 7 August 2017 22:31:34 UTC+1, Jakob Bohm wrote: Since the CT made it possible, I have seen an increasing obsession with enforcing every

Re: Certificates with invalidly long serial numbers

2017-08-08 Thread Jakob Bohm via dev-security-policy
On 08/08/2017 18:43, Ryan Sleevi wrote: On Tuesday, August 8, 2017 at 11:05:06 PM UTC+9, Jakob Bohm wrote: I was not advocating "letting everyone decide". I was advocating that Mozilla show some restraint, intelligence and common sense in wielding the new weapons that certlint and c

Re: Certificates with invalidly long serial numbers

2017-08-08 Thread Jakob Bohm via dev-security-policy
hat the spec requires but that no-one would expect an implementation to do. Peter. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Trans

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-08 Thread Jakob Bohm via dev-security-policy
On 08/08/2017 12:54, Nick Lamb wrote: On Monday, 7 August 2017 22:31:34 UTC+1, Jakob Bohm wrote: Since the CT made it possible, I have seen an increasing obsession with enforcing every little detail of the BRs, things that would not only have gone unnoticed, but also been considered

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-07 Thread Jakob Bohm via dev-security-policy
their boots perfectly or having a picture of their wife on their desk? (To mention other rules that some organizations have overzealously enforced a long time ago). Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-07 Thread Jakob Bohm via dev-security-policy
in clients checking that particular https certificate for revocation. This was before mass-surveillance became such a big issue, and might have been decided otherwise today. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct

Re: Certificates with invalidly long serial numbers

2017-08-07 Thread Jakob Bohm via dev-security-policy
. These practices represent the same fundamental speed/quality trade-off. On Mon, Aug 7, 2017 at 4:09 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On 07/08/2017 18:07, Hanno Böck wrote: On Mon, 7 Aug 2017 15:59:07 + Ben Wilson via dev-se

Re: Certificates with invalidly long serial numbers

2017-08-07 Thread Jakob Bohm via dev-security-policy
m) to a larger value, such as 64 plus optional zero. Doing so would allow future requirements to increase the minimum serial entropy to more than 160 bits, should a relevant attack scenario emerge. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29,

Re: Certificates with invalidly long serial numbers

2017-08-07 Thread Jakob Bohm via dev-security-policy
should not install non-essential patches without a very long and thorough testing process. Since this is (at most) a formal violation and not a security problem, it is better for the fix to go through many months of careful testing than to rush it through. Enjoy Jakob -- Jakob Bohm, CIO, Partner, Wise

Re: StartCom cross-signs disclosed by Certinomis

2017-08-07 Thread Jakob Bohm via dev-security-policy
StartCom: Be more clear if any of the "Chinese" staff is working at, under or otherwise near WoSign and/or Richard Wang. 7. At Qihoo: Actually get rid of Richard Wang, not just change his title from CEO to COO. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
