Hello again Rob,
"ISRG Root X1" is listed as "Unconstrained id-kp-serverAuth Trust: Disclosure
is required!"
I believe this root is now (or shortly will be) trusted directly by NSS, and so
isn't an intermediate and shouldn't appear on the list.
Before it was added to NSS, it simply wasn't
On 09/08/16 00:16, Kathleen Wilson wrote:
It seems to me that as long as a revoked intermediate certificate has
been disclosed (i.e. in Salesforce) that the certificates that it signed
do not need to be disclosed.
I've just changed "Probably!" to "Unknown" (for the "Unconstrained, but all
On 08/08/16 10:25, Rob Stradling wrote:
Nick, Peter,
I looked at https://crt.sh/mozilla-disclosures immediately after the
Symantec cross-cert expired, and I was surprised to see no change. I
was on holiday all last week, so I'm only just investigating it properly
now.
I suspect crt.sh is
On 02/08/16 14:46, Peter Bowen wrote:
On Tue, Aug 2, 2016 at 5:11 AM, Nick Lamb wrote:
Rob, today I examined https://crt.sh/mozilla-disclosures because I was interested to see if the now
expired signature from Symantec's "VeriSign Class 3 SSP Intermediate CA - G2" of
On 27/06/16 23:56, Kathleen Wilson wrote:
I understand that many of you are working to get your intermediate
certificate data entered by the end of June, so I will grant a reprieve
of a few days for those of you who are impacted by the system being down
tomorrow. Also, I had to postpone some of
On Saturday, 9 July 2016 00:21:27 UTC+1, Rick Andrews wrote:
> GSA which governs FPKI recently approved Symantec’s proposal for one-way
> cross-certification with the FBCA and to remove the cross-certificate from
> the Symantec CA to the FBCA. The cross certificate is expiring on June 31,
>
GSA which governs FPKI recently approved Symantec’s proposal for one-way
cross-certification with the FBCA and to remove the cross-certificate from the
Symantec CA to the FBCA. The cross certificate is expiring on June 31, 2016 and
Symantec does not intend to renew the certificate going
On Thursday, 30 June 2016 09:29:15 UTC+1, Rob Stradling wrote:
> The cross-certificate issued by Symantec to "Federal Bridge CA 2013"
> (https://crt.sh/?id=12638543) expires in 1 month. I'm wondering if
> there's any point in revoking this intermediate or the two other
> intermediates that
On 30/06/16 06:34, Peter Bowen wrote:
I think there is confusion over the generic term “Symantec”. There is no issue
for Symantec (the company) to be an affiliate of the USG FPKI and to operate
CAs mutually cross-certified with the USG FPKI. Additionally there is no issue
with Symantec (or anyone else) to operate CAs included in
t; category of cross-sign, but could you spell out explicitly how this
> > differs from e.g. the Identrust cross-sign issue that Richard linked to?
> >
> > -- Eric
> >
Sent: Monday, June 27, 2016 09:01
To: Myers, Kenneth (10421) <kenneth.my...@protiviti.com>;
dev-security-policy@lists.mozilla.org
Subject: Re: Intermediate certificate disclosure deadline in 2 weeks
On 27/06/16 12:13, Myers, Kenneth (10421) wrote:
The Federal PKI has a tool to help ident
On 27/06/16 01:07, Nick Lamb wrote:
On Sunday, 26 June 2016 21:26:06 UTC+1, Ben Laurie wrote:
> My concern is that it is trivial to demonstrate an intermediate is
> revoked, yet still validate a chain that includes that "revoked"
> certificate.
Sure. If you decide not to check for revocation, then you won't know if it's
revoked.
And for the benefit of readers of the thread not already familiar with
this, below are the two documented browser approaches to revocation of
intermediates that I'm aware of, for Firefox and Chrome.
Both require browser-maintained (not CA-maintained) lists of revoked
certificates to be updated
On Sat, Jun 25, 2016 at 3:50 AM, Ben Laurie wrote:
> On 25 June 2016 at 00:56, Rob Stradling wrote:
>> On 24/06/16 14:38, Rob Stradling wrote:
>>>
>>> I've just updated https://crt.sh/mozilla-disclosures.
>>>
>>> There's now a separate grouping for
DigiCert didn't cross-sign the Federal PKI with their Mozilla trusted
CAs.
I'm sure Ben will tell m
On 6/21/16 8:26 AM, Rob Stradling wrote:
On 21/06/16 15:55, Ben Wilson wrote:
Rob,
Ben, thanks for passing on the details. My analysis is below...
So far they are -
https://crt.sh/?sha1=e12ba5aeb7613a72cc9652f1673017a5d8fc7479
- technically constrained warning
according to this:
https://test4.fpki.18f.gov/
https://github.com/18F/fpki-testing
Symantec is the second cross-signer of the Federal Bridge, with a root CA that
was supposed to be dormant according to the description here:
https://www.symantec.com/theme/roots
Root 10
VeriSign Universal Root
Peter, I think I get what you're saying about this being a different category
of cr
On Wed, Jun 22, 2016 at 6:11 PM, Kurt Roeckx wrote:
On Wed, Jun 22, 2016 at 02:25:37PM -0700, Peter Bowen wrote:
I think there are two things getting conflated here:
1) Disclosure of revoked unexpired CA certificates signed by a trusted CA
2) Disclosure of CA certificates signed by CAs that are the subject of #1
Imagine the following hierarchy:
Univercert Root CA (in trust store) --(CA Cert A)-->
On Wed, Jun 22, 2016 at 11:19 AM, Ryan Sleevi wrote:
On Wed, Jun 22, 2016 at 8:21 AM, Ben Wilson wrote:
> It seems to me that requiring the registration of these subordinate CAs
> bloats the Salesforce database unnecessarily.
We've historically been at a chronic lack of data, rather than a
chronic glut. I think we should
CAs are running OCSP responders up to the root tier. Once a CA is
terminated in a standards-compliant and densely interoperable way from
participating in a trusted discovery path to an embedded root, it should no
longer be in the scope of business of root trust store owners.
On Wed, Jun 22,
On Tue, Jun 21, 2016 at 12:10 PM, Peter Bowen wrote:
> On Tue, Jun 21, 2016 at 8:26 AM, Rob Stradling
> wrote:
> > Revocation of a "parent intermediate" does not exempt "child
> intermediates"
> > from the disclosure requirement, AFAICT. So I think
On 21/06/16 17:56, Nick Lamb wrote:
On Tuesday, 21 June 2016 17:10:43 UTC+1, Peter Bowen wrote:
> If all paths from a trusted root to a given intermediate are revoked
> or expired, then I don't think it "directly or transitively chain[s]
> to a certificate included in Mozilla’s CA Certificate Program". It
> would be no different
Agreed. I don't see a reason to disclose anything where the parent is revoked.
I think it's a similar question as whether a CA has to disclose all the sub
case under a root where removal from the root program was requested. In both
cases the certs are not publicly trusted and don't affect the
On 21/06/16 15:55, Ben Wilson wrote:
Rob,
Ben, thanks for passing on the details. My analysis is below...
So far they are -
https://crt.sh/?sha1=e12ba5aeb7613a72cc9652f1673017a5d8fc7479
- technically constrained warning
https://crt.sh/?sha1=8c6c7a20b48ef3bcb0fcb203008773846611486a
-
On 21/06/16 04:03, Jeremy Rowley wrote:
Whether they are currently issuing is irrelevant.
Indeed. Having no intent to issue certificates is not going to stop the
sort of attack that DigiNotar experienced!
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust
On Fri, Jun 17, 2016 at 4:12 AM, Rob Stradling <rob.stradl...@comodo.com>
wrote:
Friendly reminder to all CA representatives:
Don't forget the June 30th deadline! And don't leave it until the last
minute if you have lots of intermediate certificates to disclose!