Re: O=U.S. Government for non-USG entity (IdenTrust)

2017-09-01 Thread identrust--- via dev-security-policy
On Thursday, August 31, 2017 at 11:31:48 PM UTC-4, Eric Mill wrote: > Thank you for the continued updates, and for relaying the deadline by which > these will be revoked. > > On Thu, Aug 31, 2017 at 9:35 PM, identrust--- via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: >

Re: O=U.S. Government for non-USG entity (IdenTrust)

2017-08-31 Thread Eric Mill via dev-security-policy
Thank you for the continued updates, and for relaying the deadline by which these will be revoked. On Thu, Aug 31, 2017 at 9:35 PM, identrust--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Monday, August 28, 2017 at 3:28:01 PM UTC-4, iden...@gmail.com wrote: > >

Re: O=U.S. Government for non-USG entity (IdenTrust)

2017-08-31 Thread identrust--- via dev-security-policy
On Monday, August 28, 2017 at 3:28:01 PM UTC-4, iden...@gmail.com wrote: > On Friday, August 18, 2017 at 7:22:06 PM UTC-4, iden...@gmail.com wrote: > > On Thursday, August 17, 2017 at 2:35:15 PM UTC-4, Jonathan Rudenberg wrote: > > > > On Aug 17, 2017, at 14:24, identrust--- via

Re: O=U.S. Government for non-USG entity (IdenTrust)

2017-08-28 Thread identrust--- via dev-security-policy
On Friday, August 18, 2017 at 7:22:06 PM UTC-4, iden...@gmail.com wrote: > On Thursday, August 17, 2017 at 2:35:15 PM UTC-4, Jonathan Rudenberg wrote: > > > On Aug 17, 2017, at 14:24, identrust--- via dev-security-policy > > > wrote: > > > > > > Hello, In

Re: O=U.S. Government for non-USG entity (IdenTrust)

2017-08-18 Thread identrust--- via dev-security-policy
On Thursday, August 17, 2017 at 2:35:15 PM UTC-4, Jonathan Rudenberg wrote: > > On Aug 17, 2017, at 14:24, identrust--- via dev-security-policy > > wrote: > > > > Hello, In reference to 3)"Certificates that appear to be intended as client > >

Re: O=U.S. Government for non-USG entity (IdenTrust)

2017-08-18 Thread identrust--- via dev-security-policy
On Wednesday, August 16, 2017 at 1:45:12 PM UTC-4, Jonathan Rudenberg wrote: > > On Aug 16, 2017, at 12:52, Jonathan Rudenberg via dev-security-policy > > wrote: > > > > I looked through the CT logs and found 15 more unexpired unrevoked > > certificates

Re: O=U.S. Government for non-USG entity (IdenTrust)

2017-08-18 Thread Ryan Sleevi via dev-security-policy
Doesn't RFC 5280 clearly indicate that already, through its normative description of the EKU? That is, I can understand there being confusion or misinterpretation, but I'm not sure that the problem itself is rooted in the documents, and thus, may not be something the documents need to address. :)

Re: O=U.S. Government for non-USG entity (IdenTrust)

2017-08-18 Thread Jeremy Rowley via dev-security-policy
I don't (as these are the exact type of cert I've been trying to kill for years), but Identrust did based on their response. Looking at it from their POV, the language could probably be clarified to state that any cert with no EKU, serverAuth, or anyEKU is considered a BR cert regardless

Re: O=U.S. Government for non-USG entity (IdenTrust)

2017-08-18 Thread Ryan Sleevi via dev-security-policy
Do you believe https://github.com/mozilla/pkipolicy/blob/master/rootstore/policy.md#11-scope is ambiguous in this context? That is what is referenced in the text. It sounds as if you're suggesting they're in scope, via 1.1, but that they're out of scope, because the policy does not state that

Re: O=U.S. Government for non-USG entity (IdenTrust)

2017-08-18 Thread Jeremy Rowley via dev-security-policy
Right, but can you call these SSL certs without an FQDN? * Insofar as the Baseline Requirements attempt to define their own scope, the scope of this policy (section 1.1) overrides that. Mozilla thus requires CA operations relating to issuance of all SSL certificates in the scope of this

Re: O=U.S. Government for non-USG entity (IdenTrust)

2017-08-18 Thread Gervase Markham via dev-security-policy
On 17/08/17 20:31, Jeremy Rowley wrote: > Without an FQDN, I doubt they are in scope for the baseline requirements. Not according to the BRs themselves. However, the Mozilla Policy 2.5 specifically says: "Insofar as the Baseline Requirements attempt to define their own scope, the scope of this

Re: O=U.S. Government for non-USG entity (IdenTrust)

2017-08-17 Thread Jeremy Rowley via dev-security-policy
Without an FQDN, I doubt they are in scope for the baseline requirements. They are in scope for the Mozilla policy. The BRs require the cert to be intended for web tls. These are not. The Mozilla policy covers client certs as well as tls. > On Aug 17, 2017, at 12:27 PM, identrust--- via

Re: O=U.S. Government for non-USG entity (IdenTrust)

2017-08-17 Thread identrust--- via dev-security-policy
On Wednesday, August 16, 2017 at 1:45:12 PM UTC-4, Jonathan Rudenberg wrote: > > On Aug 16, 2017, at 12:52, Jonathan Rudenberg via dev-security-policy > > wrote: > > > > I looked through the CT logs and found 15 more unexpired unrevoked > > certificates

Re: O=U.S. Government for non-USG entity (IdenTrust)

2017-08-17 Thread identrust--- via dev-security-policy
On Wednesday, August 16, 2017 at 1:45:12 PM UTC-4, Jonathan Rudenberg wrote: > > On Aug 16, 2017, at 12:52, Jonathan Rudenberg via dev-security-policy > > wrote: > > > > I looked through the CT logs and found 15 more unexpired unrevoked > > certificates

Re: O=U.S. Government for non-USG entity (IdenTrust)

2017-08-17 Thread Jonathan Rudenberg via dev-security-policy
> On Aug 17, 2017, at 14:24, identrust--- via dev-security-policy > wrote: > > Hello, In reference to 3)"Certificates that appear to be intended as client > certificates, but have the anyExtendedKeyUsage EKU, putting them in scope for > the Mozilla Root

Re: O=U.S. Government for non-USG entity (IdenTrust)

2017-08-17 Thread identrust--- via dev-security-policy
On Wednesday, August 16, 2017 at 1:45:12 PM UTC-4, Jonathan Rudenberg wrote: > > On Aug 16, 2017, at 12:52, Jonathan Rudenberg via dev-security-policy > > wrote: > > > > I looked through the CT logs and found 15 more unexpired unrevoked > > certificates

Re: O=U.S. Government for non-USG entity (IdenTrust)

2017-08-17 Thread identrust--- via dev-security-policy
On Wednesday, August 16, 2017 at 2:06:21 PM UTC-4, Jonathan Rudenberg wrote: > > On Aug 16, 2017, at 13:44, Jonathan Rudenberg via dev-security-policy > > wrote: > > > > After looking into this more, I’ve found that the majority of certificates > > issued

Re: O=U.S. Government for non-USG entity (IdenTrust)

2017-08-16 Thread Jonathan Rudenberg via dev-security-policy
> On Aug 16, 2017, at 13:44, Jonathan Rudenberg via dev-security-policy > wrote: > > After looking into this more, I’ve found that the majority of certificates > issued by the "IdenTrust ACES CA 2” and "IdenTrust ACES CA 1” intermediates > are not

Re: O=U.S. Government for non-USG entity (IdenTrust)

2017-08-16 Thread Jonathan Rudenberg via dev-security-policy
> On Aug 16, 2017, at 12:52, Jonathan Rudenberg via dev-security-policy > wrote: > > I looked through the CT logs and found 15 more unexpired unrevoked > certificates that are trusted by NSS and appear to have the same inaccurate > organizationName of

Re: O=U.S. Government for non-USG entity (IdenTrust)

2017-08-16 Thread Jonathan Rudenberg via dev-security-policy
> On Aug 15, 2017, at 14:53, identrust--- via dev-security-policy > wrote: > > On Friday, August 11, 2017 at 6:05:29 PM UTC-4, paul.l...@gmail.com wrote: >> On Friday, August 11, 2017 at 3:43:17 PM UTC-5, iden...@gmail.com wrote: >>> IdenTrust is fully