Incident Report - Entrust did not revoke all certificates with underscore characters before the 15 January 2019 deadline

2019-01-21 Thread Bruce via dev-security-policy
On January 18, 2019, Entrust discovered that 9 SSL certificates with underscore characters which were issued for more than 30 days were not revoked before 15 January 2019. All certificates were revoked on 18 January 2019. Details of the incident report can be found here, https

Re: Underscore characters

2018-12-31 Thread Wayne Thayer via dev-security-policy
On Thu, Dec 27, 2018 at 8:22 PM Ryan Sleevi via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > I can't speak for Mozilla here, but I tried to lay out some clear > expectations: > 1) This is an extension of an existing incident, rather than treating it as > an exception to

Re: Underscore characters

2018-12-27 Thread Matt Palmer via dev-security-policy
On Fri, Dec 28, 2018 at 03:19:19AM +, Jeremy Rowley via dev-security-policy wrote: > > I'm not sure I'd call it "leniency", but I think you're definitely asking > > for "special treatment" -- pre-judgment on a potential incident so you can > > decide whether or not it's worth it (to DigiCert

RE: Underscore characters

2018-12-27 Thread Jeremy Rowley via dev-security-policy
>> I think Matt provided a pretty clear moral hazard here - of customers >> suggesting their CAs didn't do enough (e.g. should have tried harder to >> intentionally violated by not revoking). One significant way to mitigating >> that risk is to take meaningful steps to ensure that "We couldn't r

Re: Underscore characters

2018-12-27 Thread Ryan Sleevi via dev-security-policy
On Thu, Dec 27, 2018 at 10:00 PM Jeremy Rowley wrote: > The risk Matt identified is too nebulous of an issue to address, tbh. How > do you address a moral issue? The only way I can think of to address the > moral issue is to say “we promise to be good”. But the weight that carries > depends on h

RE: Underscore characters

2018-12-27 Thread Jeremy Rowley via dev-security-policy
> I don't think there's *any* result from all this that everyone would > consider desirable -- otherwise we wouldn't need to have this conversation. + 1 to that. > I'm not sure I'd call it "leniency", but I think you're definitely asking > for "special treatment" -- pre-judgment on a potential i

RE: Underscore characters

2018-12-27 Thread Jeremy Rowley via dev-security-policy
concrete and quantifiable steps as to how to improve. Thanks Ryan. This post was really nice. Appreciate it. From: Ryan Sleevi Sent: Thursday, December 27, 2018 7:15 PM To: Jeremy Rowley Cc: James Burton ; Ryan Sleevi ; mozilla-dev-security-policy Subject: Re: Underscore characters

Re: Underscore characters

2018-12-27 Thread Matt Palmer via dev-security-policy
On Thu, Dec 27, 2018 at 11:56:41PM +, Jeremy Rowley via dev-security-policy wrote: > The risk is primarily outages of major sites across the web, including > certs used in Google wallet. We’re thinking that is a less than desirable > result, but we weren’t sure how the Mozilla community would

Re: Underscore characters

2018-12-27 Thread Ryan Sleevi via dev-security-policy
On Thu, Dec 27, 2018 at 6:56 PM Jeremy Rowley wrote: > The risk is primarily outages of major sites across the web, including > certs used in Google wallet. We’re thinking that is a less than desirable > result, but we weren’t sure how the Mozilla community would feel/react. > I don’t think that

RE: Underscore characters

2018-12-27 Thread Jeremy Rowley via dev-security-policy
Palmer ; mozilla-dev-security-policy Subject: Re: Underscore characters I'm not sure if you're allowed to state this publicly. Has Microsoft giving you the go ahead? On Fri, Dec 28, 2018 at 1:05 AM Jeremy Rowley via dev-security-policy mailto:dev-security-policy@lists.m

Re: Underscore characters

2018-12-27 Thread James Burton via dev-security-policy
'd > have a firm answer I can go back with. No risk, but no exception. > > Well except moral risk of course > > -Original Message- > From: dev-security-policy > On > Behalf Of Matt Palmer via dev-security-policy > Sent: Thursday, December 27, 2018 5:55 PM > To

RE: Underscore characters

2018-12-27 Thread Jeremy Rowley via dev-security-policy
o: dev-security-policy@lists.mozilla.org Subject: Re: Underscore characters On Fri, Dec 28, 2018 at 12:12:03AM +, Jeremy Rowley via dev-security-policy wrote: > This is very helpful. If I had those two options, we'd just revoke all > the certs, screw outages. Unfortunately, the op

RE: Underscore characters

2018-12-27 Thread Jeremy Rowley via dev-security-policy
formation the company has provided should be the guiding light? From: Ryan Sleevi Sent: Thursday, December 27, 2018 1:16 PM To: Jeremy Rowley Cc: mozilla-dev-security-policy Subject: Re: Underscore characters I'm not trying to throw you under the bus here, but I think it's

Re: Underscore characters

2018-12-27 Thread Matt Palmer via dev-security-policy
On Fri, Dec 28, 2018 at 12:12:03AM +, Jeremy Rowley via dev-security-policy wrote: > This is very helpful. If I had those two options, we'd just revoke all the > certs, screw outages. Unfortunately, the options are much broader than that. > If I could know what the risk v. benefit is, then you

RE: Underscore characters

2018-12-27 Thread Jeremy Rowley via dev-security-policy
n its audit - outages seem worse. Make sense? -Original Message- From: dev-security-policy On Behalf Of thomas.gh.horn--- via dev-security-policy Sent: Thursday, December 27, 2018 1:50 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Underscore characters As to why

RE: Underscore characters

2018-12-27 Thread Jeremy Rowley via dev-security-policy
8 2:19 PM To: thomas.gh.h...@gmail.com Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Underscore characters On Thu, Dec 27, 2018 at 12:53 PM thomas.gh.horn--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > As to why these certificates have to b

RE: Underscore characters

2018-12-27 Thread Jeremy Rowley via dev-security-policy
-policy Subject: Re: Underscore characters On Thu, Dec 27, 2018 at 9:00 PM Ryan Sleevi mailto:r...@sleevi.com> > wrote: I'm not really sure I understand this response at all. I'm hoping you can clarify. On Thu, Dec 27, 2018 at 3:45 PM James Burton mailto:j...@0.me.uk

Re: Underscore characters

2018-12-27 Thread Matt Palmer via dev-security-policy
On Thu, Dec 27, 2018 at 01:19:26PM -0800, Peter Bowen via dev-security-policy wrote: > I don't see how this follows. DigiCert has made it clear they are able to > technically revoke these certificates and presumably are contractually able > to revoke them as well. What is being said is that thei

Re: Underscore characters

2018-12-27 Thread James Burton via dev-security-policy
On Thu, Dec 27, 2018 at 9:00 PM Ryan Sleevi wrote: > I'm not really sure I understand this response at all. I'm hoping you can > clarify. > > On Thu, Dec 27, 2018 at 3:45 PM James Burton wrote: > >> For a CA to intentionally state that they are going to violate the BR >> requirements means that

Re: Underscore characters

2018-12-27 Thread Peter Bowen via dev-security-policy
On Thu, Dec 27, 2018 at 12:53 PM thomas.gh.horn--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > As to why these certificates have to be revoked, you should see this the > other way round: as a very generous service of the community to you and > your customers! > > Ce

Re: Underscore characters

2018-12-27 Thread Ryan Sleevi via dev-security-policy
I'm not really sure I understand this response at all. I'm hoping you can clarify. On Thu, Dec 27, 2018 at 3:45 PM James Burton wrote: > For a CA to intentionally state that they are going to violate the BR > requirements means that that CA is under immense pressure to comply with > demands or f

Re: Underscore characters

2018-12-27 Thread thomas.gh.horn--- via dev-security-policy
As to why these certificates have to be revoked, you should see this the other way round: as a very generous service of the community to you and your customers! Certificates with (pseudo-)hostnames in them are clearly invalid, so a conforming implementation should not accept them for anything

Re: Underscore characters

2018-12-27 Thread James Burton via dev-security-policy
". Wait until you have all the information? That's a paddlin'. File > > before you have enough information? That's a paddlin'. I'd appreciate > > better guidance on what Mozilla expects from these incident reports > > timing-wise. > > > > ---

Re: Underscore characters

2018-12-27 Thread Ryan Sleevi via dev-security-policy
dev-security-policy > On Behalf Of Jeremy Rowley via dev-security-policy > Sent: Thursday, December 27, 2018 11:47 AM > To: r...@sleevi.com > Cc: dev-security-policy@lists.mozilla.org > Subject: RE: Underscore characters > > The original incident report contained all of the de

RE: Underscore characters

2018-12-27 Thread Jeremy Rowley via dev-security-policy
pects from these incident reports timing-wise. -Original Message- From: dev-security-policy On Behalf Of Jeremy Rowley via dev-security-policy Sent: Thursday, December 27, 2018 11:47 AM To: r...@sleevi.com Cc: dev-security-policy@lists.mozilla.org Subject: RE: Underscore characters The

RE: Underscore characters

2018-12-27 Thread Jeremy Rowley via dev-security-policy
: Ryan Sleevi Sent: Thursday, December 27, 2018 11:24 AM To: Jeremy Rowley Cc: r...@sleevi.com; dev-security-policy@lists.mozilla.org Subject: Re: Underscore characters On Wed, Dec 26, 2018 at 1:03 PM Jeremy Rowley mailto:jeremy.row...@digicert.com> > wrote: Much better to trea

Re: Underscore characters

2018-12-27 Thread Ryan Sleevi via dev-security-policy
On Wed, Dec 26, 2018 at 1:03 PM Jeremy Rowley wrote: > Much better to treat this question as “We know X is going to happen. > What’s the best way to mitigate the concerns of the community?” Exception > was the wrong word in my original post. I should have used “What would you > like us to do to

Re: Underscore characters

2018-12-26 Thread Matt Palmer via dev-security-policy
On Wed, Dec 26, 2018 at 04:13:40PM +, Jeremy Rowley via dev-security-policy wrote: > The trust stores are always free to ignore the CAB Forum mandates and make > their own rules. Mozilla has in the past (see the Mozilla audit > criteria). Whilst the trust stores *can* make their own rules, m

Re: Underscore characters

2018-12-26 Thread Matt Palmer via dev-security-policy
On Wed, Dec 26, 2018 at 06:02:57PM +, Jeremy Rowley via dev-security-policy wrote: > Much better to treat this question as “We know X is going to happen. > What’s the best way to mitigate the concerns of the community?” Exception > was the wrong word in my original post. I should have used

Re: Underscore characters

2018-12-26 Thread Ryan Sleevi via dev-security-policy
On Wed, Dec 26, 2018 at 1:03 PM Jeremy Rowley wrote: > I don’t think I’m arguing that CAs should ever ignore the BRs. I’m arguing > that deciding the consequences of failing to follow the BRs falls in the > hands of the browsers. But I think you definitely highlighted why this > discussion is co

RE: Underscore characters

2018-12-26 Thread Jeremy Rowley via dev-security-policy
do to mitigate when we miss the Jan 15th deadline?” instead. Apologies for the confusion there. Jeremy From: Ryan Sleevi Sent: Wednesday, December 26, 2018 10:00 AM To: Jeremy Rowley Cc: dev-security-policy@lists.mozilla.org Subject: Re: Underscore characters On Wed, Dec 26, 2018 at

Re: Underscore characters

2018-12-26 Thread Ryan Sleevi via dev-security-policy
ompromised key. Explaining key > compromise to executive management for an emergency exception to a blackout > period is a lot different than explaining why hundreds of certificates > require replacement because they contain underscores. I think everyone > would benefit (myself included)

RE: Underscore characters

2018-12-26 Thread Jeremy Rowley via dev-security-policy
ores. I think everyone would benefit (myself included) if I could get more information about why underscore characters themselves present an actual risk. If we could get a statement on that, you'd see a lot less confusion. Jeremy -Original Message- From: dev-security-policy On

Re: Statement on the Sunset of Underscore Characters

2018-12-21 Thread Ryan Sleevi via dev-security-policy
On Fri, Dec 21, 2018 at 4:43 PM Jeremy Rowley wrote: > But this part isn't true "Browsers are not capable of granting > 'exceptions' to the Baseline Requirements", at least for Mozilla. See the > Mozilla auditor requirements for example. Perhaps better stated that they > don't have to implement

RE: Statement on the Sunset of Underscore Characters

2018-12-21 Thread Jeremy Rowley via dev-security-policy
't like? -Original Message- From: dev-security-policy On Behalf Of Ryan Sleevi via dev-security-policy Sent: Friday, December 21, 2018 2:22 PM To: Wayne Thayer Cc: mozilla-dev-security-policy Subject: Re: Statement on the Sunset of Underscore Characters On Fri, Dec 21, 2018 at 1:54 PM W

Re: Statement on the Sunset of Underscore Characters

2018-12-21 Thread Ryan Sleevi via dev-security-policy
On Fri, Dec 21, 2018 at 1:54 PM Wayne Thayer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Since a number of questions and concerns have been raised regarding the > sunset of underscore characters in dNSNames, I would like to summarize > Mozilla’s positi

Statement on the Sunset of Underscore Characters

2018-12-21 Thread Wayne Thayer via dev-security-policy
Since a number of questions and concerns have been raised regarding the sunset of underscore characters in dNSNames, I would like to summarize Mozilla’s position on the issue as follows: In early November, the CA/Browser Forum passed ballot SC12 [1], creating a sunset period aimed at ending the

Re: Underscore characters

2018-12-20 Thread Wayne Thayer via dev-security-policy
On Thu, Dec 20, 2018 at 4:54 PM Matt Palmer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Thu, Dec 20, 2018 at 10:34:21PM +, Jeremy Rowley via > dev-security-policy wrote: > > Here’s the first of the companies. Figured I’d do one and see if it has > the informati

Re: Underscore characters

2018-12-20 Thread Matt Palmer via dev-security-policy
On Thu, Dec 20, 2018 at 10:34:21PM +, Jeremy Rowley via dev-security-policy wrote: > Here’s the first of the companies. Figured I’d do one and see if it has the > information you want. > > https://bugzilla.mozilla.org/show_bug.cgi?id=1515788 Complete side-note: when the customer said you c

RE: Underscore characters

2018-12-20 Thread Jeremy Rowley via dev-security-policy
detail is required or if you’d like additional info included? Thanks! Jeremy From: Wayne Thayer Sent: Thursday, December 20, 2018 12:25 PM To: Ryan Sleevi Cc: Jeremy Rowley ; mozilla-dev-security-policy Subject: Re: Underscore characters Jeremy, It's good to hear that y

RE: Underscore characters

2018-12-20 Thread Jeremy Rowley via dev-security-policy
: Ryan Sleevi Cc: Jeremy Rowley ; mozilla-dev-security-policy Subject: Re: Underscore characters Jeremy, It's good to hear that you do believe you can provide the necessary level of information prior to 15-Jan. Given that, I'm now thinking of this as if it were a normal incid

Re: Underscore characters

2018-12-20 Thread Wayne Thayer via dev-security-policy
Jeremy, It's good to hear that you do believe you can provide the necessary level of information prior to 15-Jan. Given that, I'm now thinking of this as if it were a normal incident except that we're moving the reporting prior to the incident actually occurring. With 15 affected customers, and pe

Re: Underscore characters

2018-12-20 Thread Ryan Sleevi via dev-security-policy
Thanks for filing this, Jeremy. If I understand correctly, the request DigiCert is asking is: "If we submitted this as an incident report, would it be likely that conversations about distrusting DigiCert would begin?", and that's what you're trying to gauge from the community? I think Wayne's alr

RE: Underscore characters

2018-12-20 Thread Jeremy Rowley via dev-security-policy
eremy Rowley Cc: r...@sleevi.com; mozilla-dev-security-policy Subject: Re: Underscore characters Jeremy, On Wed, Dec 19, 2018 at 10:55 PM Jeremy Rowley via dev-security-policy mailto:dev-security-policy@lists.mozilla.org> > wrote: Done: https://bugzilla.mozilla.org/show_bug.cgi

Re: Underscore characters

2018-12-20 Thread Wayne Thayer via dev-security-policy
ct that you can provide the level of detail that Ryan and I are requesting prior to 15-Jan? > From: Ryan Sleevi > Sent: Wednesday, December 19, 2018 11:05 AM > To: Jeremy Rowley > Cc: r...@sleevi.com; mozilla-dev-security-policy < > mozilla-dev-security-pol...@lists.mozilla.org>

RE: Underscore characters

2018-12-19 Thread Jeremy Rowley via dev-security-policy
-security-policy Subject: Re: Underscore characters Look forward to seeing and discussing once the full scope of the request is shared. On Wed, Dec 19, 2018 at 12:21 PM Jeremy Rowley mailto:jeremy.row...@digicert.com> > wrote: We will post the full list of exceptions today. One

Re: Underscore characters

2018-12-19 Thread Matt Palmer via dev-security-policy
here’s no need to know the > exact certs to talk about what the risk associated with underscore > characters is. Could you please explain the risk to the community in a > revocation delay as the “unreasonable” argument isn’t really supported > without that understanding. I think an

Re: Underscore characters

2018-12-19 Thread Ryan Sleevi via dev-security-policy
ertificates aren’t revoked. Perhaps we can identify what the risk to the > community is in revocation delays first? There’s no need to know the exact > certs to talk about what the risk associated with underscore characters is. > Could you please explain the risk to the community in

RE: Underscore characters

2018-12-19 Thread Jeremy Rowley via dev-security-policy
about what the risk associated with underscore characters is. Could you please explain the risk to the community in a revocation delay as the “unreasonable” argument isn’t really supported without that understanding. From: Ryan Sleevi Sent: Wednesday, December 19, 2018 7:17 AM To: Jeremy Rowley

Re: Underscore characters

2018-12-19 Thread Ryan Sleevi via dev-security-policy
notices were complete. > > > > Ballot 202 failed. I’m not sure how it’s relevant other than to indicate > there was definite disagreement about whether underscores were permitted or > not. As previously mentioned, I didn’t consider underscore characters > prohibited until the

Re: Underscore characters

2018-12-19 Thread Jakob Bohm via dev-security-policy
disagreement about whether underscores were permitted or >> not. As previously mentioned, I didn’t consider underscore characters >> prohibited until the ballot was proposed eliminating them in Oct. I know >> the general Mozilla population disagrees but, right or wrong, that’s the >

Re: Underscore characters

2018-12-18 Thread Peter Bowen via dev-security-policy
. As previously mentioned, I didn’t consider underscore characters > prohibited until the ballot was proposed eliminating them in Oct. I know > the general Mozilla population disagrees but, right or wrong, that’s the > root cause of it all. I can explain my reasoning again here, but I doubt it

RE: Underscore characters

2018-12-18 Thread Jeremy Rowley via dev-security-policy
were permitted or not. As previously mentioned, I didn’t consider underscore characters prohibited until the ballot was proposed eliminating them in Oct. I know the general Mozilla population disagrees but, right or wrong, that’s the root cause of it all. I can explain my reasoning again here, but

Re: Underscore characters

2018-12-18 Thread Ryan Sleevi via dev-security-policy
c 18, 2018 at 5:43 PM Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > The total number of certs impacted is about 2200. Just more info. > > -Original Message- > From: dev-security-policy > On > Behalf Of Jeremy Rowley via dev-secur

RE: Underscore characters

2018-12-18 Thread Jeremy Rowley via dev-security-policy
The total number of certs impacted is about 2200. Just more info. -Original Message- From: dev-security-policy On Behalf Of Jeremy Rowley via dev-security-policy Sent: Tuesday, December 18, 2018 3:28 PM To: mozilla-dev-security-policy Subject: Underscore characters We're looking a

Underscore characters

2018-12-18 Thread Jeremy Rowley via dev-security-policy
We're looking at the feasibility of replacing the certificates with underscore characters by Jan 15th. Revoking all of the certificates will cause pretty bad outages. We're prepared to revoke them but would like to discuss (before the date) what should happen if we don't revoke. The

Re: Underscore characters and DigiCert

2018-12-13 Thread Wayne Thayer via dev-security-policy
ev-security-policy@lists.mozilla.org> wrote: > >> Can we request removal of these roots now? This seems very similar to the >> SHA1 situation where CAs requested root removal and then treated the root >> as >> private, regardless of the trust in older platforms. >&g

Re: Underscore characters and DigiCert

2018-12-13 Thread Ryan Sleevi via dev-security-policy
inal Message- > From: dev-security-policy > On > Behalf Of Wayne Thayer via dev-security-policy > Sent: Thursday, December 13, 2018 3:11 PM > To: mozilla-dev-security-policy > > Subject: Re: Underscore characters and DigiCert > > There are currently no program requirem

RE: Underscore characters and DigiCert

2018-12-13 Thread Jeremy Rowley via dev-security-policy
-security-policy Sent: Thursday, December 13, 2018 3:11 PM To: mozilla-dev-security-policy Subject: Re: Underscore characters and DigiCert There are currently no program requirements for roots that have had their websites trust bit turned off or been removed from NSS, but this is an open area of

Re: Underscore characters and DigiCert

2018-12-13 Thread Wayne Thayer via dev-security-policy
e're working towards revoking certs with underscore characters in the > domain name, per SC12, but I had a question about legacy Symantec systems > and Mozilla. These particular roots are no longer trusted for TLS certs in > Google or Mozilla, which means the applicability of the BR

Underscore characters and DigiCert

2018-12-12 Thread Jeremy Rowley via dev-security-policy
Hey all, We're working towards revoking certs with underscore characters in the domain name, per SC12, but I had a question about legacy Symantec systems and Mozilla. These particular roots are no longer trusted for TLS certs in Google or Mozilla, which means the applicability of the B