Re: Intermediate certificate disclosure deadline was 2 weeks ago!! (was Re: Salesforce offline Tuesday, June 28, for data import)

2016-08-16 Thread Nick Lamb
Hello again Rob, "ISRG Root X1" is listed as "Unconstrained id-kp-serverAuth Trust: Disclosure is required!" I believe this root is now (or shortly will be) trusted directly by NSS, and so isn't an intermediate and shouldn't appear on the list. Before it was added to NSS, it simply wasn't

Re: Intermediate certificate disclosure deadline was 2 weeks ago!! (was Re: Salesforce offline Tuesday, June 28, for data import)

2016-08-11 Thread Rob Stradling
On 09/08/16 00:16, Kathleen Wilson wrote: It seems to me that as long as a revoked intermediate certificate has been disclosed (i.e. in Salesforce) that the certificates that it signed do not need to be disclosed. I've just changed "Probably!" to "Unknown" (for the "Unconstrained, but all

Re: Intermediate certificate disclosure deadline was 2 weeks ago!! (was Re: Salesforce offline Tuesday, June 28, for data import)

2016-08-08 Thread Rob Stradling
On 08/08/16 10:25, Rob Stradling wrote: Nick, Peter, I looked at https://crt.sh/mozilla-disclosures immediately after the Symantec cross-cert expired, and I was surprised to see no change. I was on holiday all last week, so I'm only just investigating it properly now. I suspect crt.sh is

Re: Intermediate certificate disclosure deadline was 2 weeks ago!! (was Re: Salesforce offline Tuesday, June 28, for data import)

2016-08-08 Thread Rob Stradling
On 02/08/16 14:46, Peter Bowen wrote: On Tue, Aug 2, 2016 at 5:11 AM, Nick Lamb wrote: Rob, today I examined https://crt.sh/mozilla-disclosures because I was interested to see if the now expired signature from Symantec's "VeriSign Class 3 SSP Intermediate CA - G2" of

Intermediate certificate disclosure deadline was 2 weeks ago!! (was Re: Salesforce offline Tuesday, June 28, for data import)

2016-07-19 Thread Rob Stradling
On 27/06/16 23:56, Kathleen Wilson wrote: I understand that many of you are working to get your intermediate certificate data entered by the end of June, so I will grant a reprieve of a few days for those of you who are impacted by the system being down tomorrow. Also, I had to postpone some of

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-07-09 Thread Nick Lamb
On Saturday, 9 July 2016 00:21:27 UTC+1, Rick Andrews wrote: > GSA which governs FPKI recently approved Symantec’s proposal for one-way > cross-certification with the FBCA and to remove the cross-certificate from > the Symantec CA to the FBCA. The cross certificate is expiring on June 31, >

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-07-08 Thread Rick Andrews
On Friday, July 8, 2016 at 4:21:27 PM UTC-7, Rick Andrews wrote: > GSA which governs FPKI recently approved Symantec’s proposal for one-way > cross-certification with the FBCA and to remove the cross-certificate from > the Symantec CA to the FBCA. The cross certificate is expiring on June 31, >

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-07-08 Thread Rick Andrews
GSA which governs FPKI recently approved Symantec’s proposal for one-way cross-certification with the FBCA and to remove the cross-certificate from the Symantec CA to the FBCA. The cross certificate is expiring on June 31, 2016 and Symantec does not intend to renew the certificate going

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-30 Thread Nick Lamb
On Thursday, 30 June 2016 09:29:15 UTC+1, Rob Stradling wrote: > The cross-certificate issued by Symantec to "Federal Bridge CA 2013" > (https://crt.sh/?id=12638543) expires in 1 month. I'm wondering if > there's any point in revoking this intermediate or the two other > intermediates that

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-30 Thread Rob Stradling
On 30/06/16 06:34, Peter Bowen wrote: I think there is confusion over the generic term “Symantec”. There is no issue for Symantec (the company) to be an affiliate of the USG FPKI and to operate CAs mutually cross-certified with the USG FPKI. Additionally there is no issue with Symantec (or

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-29 Thread Peter Bowen
I think there is confusion over the generic term “Symantec”. There is no issue for Symantec (the company) to be an affiliate of the USG FPKI and to operate CAs mutually cross-certified with the USG FPKI. Additionally there is no issue with Symantec (or anyone else) to operate CAs included in

Re: FW: Intermediate certificate disclosure deadline in 2 weeks

2016-06-29 Thread Eric Mill
Monday, June 27, 2016 09:01 > To: Myers, Kenneth (10421) <kenneth.my...@protiviti.com>; > dev-security-policy@lists.mozilla.org > Subject: Re: Intermediate certificate disclosure deadline in 2 weeks > > On 27/06/16 12:13, Myers, Kenneth (10421) wrote: > > The Federa

Re: FW: Intermediate certificate disclosure deadline in 2 weeks

2016-06-29 Thread Kurt Roeckx
> category of cross-sign, but could you spell out explicitly how this > > differs from e.g. the Identrust cross-sign issue that Richard linked to? > > > > -- Eric > > > > On Thu, Jun 23, 2016 at 4:39 PM, Ben Wilson > > <ben.wil...@digicert.com<mailto:ben

Re: FW: Intermediate certificate disclosure deadline in 2 weeks

2016-06-29 Thread Rob Stradling
om] Sent: Monday, June 27, 2016 09:01 To: Myers, Kenneth (10421) <kenneth.my...@protiviti.com>; dev-security-policy@lists.mozilla.org Subject: Re: Intermediate certificate disclosure deadline in 2 weeks On 27/06/16 12:13, Myers, Kenneth (10421) wrote: The Federal PKI has a tool to help ident

FW: Intermediate certificate disclosure deadline in 2 weeks

2016-06-28 Thread Myers, Kenneth (10421)
stradl...@comodo.com] Sent: Monday, June 27, 2016 09:01 To: Myers, Kenneth (10421) <kenneth.my...@protiviti.com>; dev-security-policy@lists.mozilla.org Subject: Re: Intermediate certificate disclosure deadline in 2 weeks On 27/06/16 12:13, Myers, Kenneth (10421) wrote: > The Federal PKI has a tool t

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-27 Thread Rob Stradling
ert.com>>; Steve <steve.me...@gmail.com<mailto:steve.me...@gmail.com>>; mozilla-dev-security-pol...@lists.mozilla.org<mailto:mozilla-dev-security-pol...@lists.mozilla.org>; Kathleen Wilson <kwil...@mozilla.com<mailto:kwil...@mozilla.com>>; Rob Stradling <rob

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-27 Thread Rob Stradling
On 27/06/16 01:07, Nick Lamb wrote: On Sunday, 26 June 2016 21:26:06 UTC+1, Ben Laurie wrote: My concern is that it is trivial to demonstrate an intermediate is revoked, yet still validate a chain that includes that "revoked" certificate. Sure. If you decide not to check for revocation, then

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-26 Thread Nick Lamb
On Sunday, 26 June 2016 21:26:06 UTC+1, Ben Laurie wrote: > My concern is that it is trivial to demonstrate an intermediate is > revoked, yet still validate a chain that includes that "revoked" > certificate. Sure. If you decide not to check for revocation, then you won't know if it's revoked.

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-25 Thread Eric Mill
And for the benefit of readers of the thread not already familiar with this, below are the two documented browser approaches to revocation of intermediates that I'm aware of, for Firefox and Chrome. Both require browser-maintained (not CA-maintained) lists of revoked certificates to be updated

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-25 Thread Peter Bowen
On Sat, Jun 25, 2016 at 3:50 AM, Ben Laurie wrote: > On 25 June 2016 at 00:56, Rob Stradling wrote: >> On 24/06/16 14:38, Rob Stradling wrote: >>> >>> I've just updated https://crt.sh/mozilla-disclosures. >>> >>> There's now a separate grouping for

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-25 Thread Ben Laurie
>>> -Original Message- >>> From: Peter Bowen [mailto:pzbo...@gmail.com] >>> Sent: Thursday, June 23, 2016 3:35 PM >>> To: Eric Mill <e...@konklone.com> >>> Cc: Ben Wilson <ben.wil...@digicert.com>; Kurt Roeckx >>> <k...@roeckx.be

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-24 Thread Rob Stradling
zilla-dev-security-pol...@lists.mozilla.org; Kathleen Wilson <kwil...@mozilla.com>; Rob Stradling <rob.stradl...@comodo.com> Subject: Re: Intermediate certificate disclosure deadline in 2 weeks DigiCert didn't cross-sign the Federal PKI with their Mozilla trusted CAs. I'm sure Ben will tell m

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-24 Thread Kathleen Wilson
On 6/21/16 8:26 AM, Rob Stradling wrote: On 21/06/16 15:55, Ben Wilson wrote: Rob, Ben, thanks for passing on the details. My analysis is below... So far they are - https://crt.sh/?sha1=e12ba5aeb7613a72cc9652f1673017a5d8fc7479 - technically constrained warning

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-24 Thread Adrian R.
according to this: https://test4.fpki.18f.gov/ https://github.com/18F/fpki-testing Symantec is the second cross-signer of the Federal Bridge, with a root CA that was supposed to be dormant according to the description here: https://www.symantec.com/theme/roots Root 10 VeriSign Universal Root

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-24 Thread Rob Stradling
<k...@roeckx.be>; Richard Barnes <rbar...@mozilla.com>; Jeremy Rowley <jeremy.row...@digicert.com>; Steve <steve.me...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org; Kathleen Wilson <kwil...@mozilla.com>; Rob Stradling <rob.stradl...@comodo.com> Subject:

RE: Intermediate certificate disclosure deadline in 2 weeks

2016-06-23 Thread Ben Wilson
il...@mozilla.com>; Rob Stradling <rob.stradl...@comodo.com> Subject: Re: Intermediate certificate disclosure deadline in 2 weeks DigiCert didn't cross-sign the Federal PKI with their Mozilla trusted CAs. I'm sure Ben will tell me I have my terminology wrong, but DigiCert basically operat

RE: Intermediate certificate disclosure deadline in 2 weeks

2016-06-23 Thread Jeremy Rowley
il.com>; mozilla-dev-security-pol...@lists.mozilla.org; Kathleen Wilson <kwil...@mozilla.com>; Rob Stradling <rob.stradl...@comodo.com> Subject: Re: Intermediate certificate disclosure deadline in 2 weeks Peter, I think I get what you're saying about this being a different category of cr

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-23 Thread Eric Mill
> Barnes <rbar...@mozilla.com>; Jeremy Rowley <jeremy.row...@digicert.com>; > Steve <steve.me...@gmail.com>; > mozilla-dev-security-pol...@lists.mozilla.org; Kathleen Wilson < > kwil...@mozilla.com>; Rob Stradling <rob.stradl...@comodo.com> > Subject: Re:

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-23 Thread Richard Barnes
, June 22, 2016 9:19 PM > *To:* Kurt Roeckx <k...@roeckx.be> > *Cc:* Peter Bowen <pzbo...@gmail.com>; Richard Barnes <rbar...@mozilla.com>; > Jeremy Rowley <jeremy.row...@digicert.com>; Steve <steve.me...@gmail.com>; > mozilla-dev-security-pol...@lists.mozilla

RE: Intermediate certificate disclosure deadline in 2 weeks

2016-06-23 Thread Ben Wilson
com>; Steve <steve.me...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org; Kathleen Wilson <kwil...@mozilla.com>; Rob Stradling <rob.stradl...@comodo.com>; Ben Wilson <ben.wil...@digicert.com> Subject: Re: Intermediate certificate disclosure deadline in 2 weeks

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-22 Thread Eric Mill
On Wed, Jun 22, 2016 at 6:11 PM, Kurt Roeckx wrote: > On Wed, Jun 22, 2016 at 02:25:37PM -0700, Peter Bowen wrote: > > I think there are two things getting conflated here: > > > > 1) Disclosure of revoked unexpired CA certificates signed by a trusted CA > > > > 2) Disclosure of

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-22 Thread Kurt Roeckx
On Wed, Jun 22, 2016 at 02:25:37PM -0700, Peter Bowen wrote: > I think there are two things getting conflated here: > > 1) Disclosure of revoked unexpired CA certificates signed by a trusted CA > > 2) Disclosure of CA certificates signed by CAs that are the subject of #1 > > Imagine the

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-22 Thread Peter Bowen
I think there are two things getting conflated here: 1) Disclosure of revoked unexpired CA certificates signed by a trusted CA 2) Disclosure of CA certificates signed by CAs that are the subject of #1 Imagine the following hierarchy: Univercert Root CA (in trust store) --(CA Cert A)-->

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-22 Thread Richard Barnes
>; Peter Bowen <pzbo...@gmail.com>; Ben Wilson > <ben.wil...@digicert.com> > Subject: Re: Intermediate certificate disclosure deadline in 2 weeks > >> On Wed, Jun 22, 2016 at 06:18:51PM +, Steve wrote: >> CAs are running OCSP responders up to the root ti

RE: Intermediate certificate disclosure deadline in 2 weeks

2016-06-22 Thread Jeremy Rowley
odo.com>; Peter Bowen <pzbo...@gmail.com>; Ben Wilson <ben.wil...@digicert.com> Subject: Re: Intermediate certificate disclosure deadline in 2 weeks On Wed, Jun 22, 2016 at 06:18:51PM +, Steve wrote: > CAs are running OCSP responders up to the root tier. Once a CA is > termi

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-22 Thread Peter Bowen
On Wed, Jun 22, 2016 at 11:19 AM, Ryan Sleevi wrote: > On Wed, Jun 22, 2016 at 8:21 AM, Ben Wilson wrote: >> It seems to me that requiring the registration of these subordinate CAs >> bloats the Salesforce database unnecessarily. > > We've historically

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-22 Thread Ryan Sleevi
On Wed, Jun 22, 2016 at 8:21 AM, Ben Wilson wrote: > It seems to me that requiring the registration of these subordinate CAs > bloats the Salesforce database unnecessarily. We've historically been at a chronic lack of data, rather than a chronic glut. I think we should

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-22 Thread Steve
CAs are running OCSP responders up to the root tier. Once a CA is terminated in a standards-compliant and densely interoperable way from participating in a trusted discovery path to an embedded root, it should no longer be in the scope of business of root trust store owners. On Wed, Jun 22,

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-22 Thread Eric Mill
On Tue, Jun 21, 2016 at 12:10 PM, Peter Bowen wrote: > On Tue, Jun 21, 2016 at 8:26 AM, Rob Stradling > wrote: > > Revocation of a "parent intermediate" does not exempt "child > intermediates" > > from the disclosure requirement, AFAICT. So I think

RE: Intermediate certificate disclosure deadline in 2 weeks

2016-06-22 Thread Ben Wilson
, 2016 4:00 AM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Intermediate certificate disclosure deadline in 2 weeks On 21/06/16 17:56, Nick Lamb wrote: > On Tuesday, 21 June 2016 17:10:43 UTC+1, Peter Bowen wrote: >> If all paths from a trusted root to a given int

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-22 Thread Rob Stradling
On 21/06/16 17:56, Nick Lamb wrote: On Tuesday, 21 June 2016 17:10:43 UTC+1, Peter Bowen wrote: If all paths from a trusted root to a given intermediate are revoked or expired, then I don't think it "directly or transitively chain[s] to a certificate included in Mozilla’s CA Certificate

RE: Intermediate certificate disclosure deadline in 2 weeks

2016-06-21 Thread Jeremy Rowley
-Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert@lists.mozilla.org] On Behalf Of Nick Lamb Sent: Tuesday, June 21, 2016 10:56 AM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Intermediate certificate disclosure deadline in 2 w

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-21 Thread Nick Lamb
On Tuesday, 21 June 2016 17:10:43 UTC+1, Peter Bowen wrote: > If all paths from a trusted root to a given intermediate are revoked > or expired, then I don't think it "directly or transitively chain[s] > to a certificate included in Mozilla’s CA Certificate Program". It > would be no different

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-21 Thread Jeremy Rowley
Agreed. I don't see a reason to disclose anything where the parent is revoked. I think it's a similar question as whether a CA has to disclose all the sub case under a root where removal from the root program was requested. In both cases the certs are not publicly trusted and don't affect the

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-21 Thread Rob Stradling
On 21/06/16 15:55, Ben Wilson wrote: Rob, Ben, thanks for passing on the details. My analysis is below... So far they are - https://crt.sh/?sha1=e12ba5aeb7613a72cc9652f1673017a5d8fc7479 - technically constrained warning https://crt.sh/?sha1=8c6c7a20b48ef3bcb0fcb203008773846611486a -

RE: Intermediate certificate disclosure deadline in 2 weeks

2016-06-21 Thread Ben Wilson
-Original Message- From: Rob Stradling [mailto:rob.stradl...@comodo.com] Sent: Monday, June 20, 2016 4:17 PM To: Ben Wilson <ben.wil...@digicert.com> Cc: Peter Bowen <pzbo...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Intermediate certificate disc

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-21 Thread Rob Stradling
On 21/06/16 04:03, Jeremy Rowley wrote: Whether they are currently issuing is irrelevant. Indeed. Having no intent to issue certificates is not going to stop the sort of attack that DigiNotar experienced! -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-20 Thread Rob Stradling
[mailto:dev-security-policy-bounces+ben=digicert@lists.mozilla.org] On Behalf Of Peter Bowen Sent: Monday, June 20, 2016 11:59 AM To: Rob Stradling <rob.stradl...@comodo.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Intermediate certificate disclosure deadline in 2 w

RE: Intermediate certificate disclosure deadline in 2 weeks

2016-06-20 Thread Ben Wilson
do.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Intermediate certificate disclosure deadline in 2 weeks On Fri, Jun 17, 2016 at 4:12 AM, Rob Stradling <rob.stradl...@comodo.com> wrote: > Friendly reminder to all CA representatives: > > Don't forget the June

Intermediate certificate disclosure deadline in 2 weeks

2016-06-17 Thread Rob Stradling
Friendly reminder to all CA representatives: Don't forget the June 30th deadline! And don't leave it until the last minute if you have lots of intermediate certificates to disclose!