Re: Revoking Trust in one ANSSI Certificate
On 11/12/13 01:08, Kathleen Wilson wrote:
> Based on the list that Rob provided, there may be other domains that we might consider including. For example:
> *.ac-martinique.fr
> *.ac-creteil.fr
> *.ac-orleans-tours.fr
> *.education.fr
> *.ac-poitiers.fr

As this list includes domains from the ministry of education (the ac- prefix is for academy), I feel obliged to point out the following:
http://www.education.gouv.fr/cid3/les-rectorats-et-services-departementaux-de-l-education-nationale.html

According to this page (from the French national education administration, which is one of the biggest, if not the biggest, administrative bodies in France), there are actually 30 academies (regional bodies of the ministry of education), whose domains are:
*.ac-aix-marseille.fr
*.ac-amiens.fr
*.ac-besancon.fr
*.ac-bordeaux.fr
*.ac-caen.fr
*.ac-clermont.fr
*.ac-corse.fr
*.ac-creteil.fr
*.ac-dijon.fr
*.ac-grenoble.fr
*.ac-guadeloupe.fr
*.ac-guyane.fr
*.ac-lille.fr
*.ac-limoges.fr
*.ac-lyon.fr
*.ac-martinique.fr
*.ac-mayotte.fr
*.ac-montpellier.fr
*.ac-nancy-metz.fr
*.ac-nantes.fr
*.ac-nice.fr
*.ac-orleans-tours.fr
*.ac-noumea.nc
*.ac-paris.fr (and *.sorbonne.fr as well?)
*.ac-poitiers.fr
*.ac-polynesie.pf
*.ac-reims.fr
*.ac-rennes.fr
*.ac-reunion.fr
*.ac-rouen.fr
*.ac-spm.fr
*.ac-strasbourg.fr
*.ac-toulouse.fr
*.ac-versailles.fr
*.ac-wf.wf

Or maybe they all should be put under *.education.fr?

S.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: Revoking Trust in one ANSSI Certificate
On Wed, Dec 11, 2013 at 1:49 AM, Samuel L samuel.la...@sealweb.eu wrote:
> On 11/12/13 01:08, Kathleen Wilson wrote:
>> Based on the list that Rob provided, there may be other domains that we might consider including. For example:
>> *.ac-martinique.fr
>> *.ac-creteil.fr
>> *.ac-orleans-tours.fr
>> *.education.fr
>> *.ac-poitiers.fr
>
> [snip]
>
> According to this page (from the French national education administration, which is one of the biggest, if not the biggest, administrative bodies in France), there are actually 30 academies (regional bodies of the ministry of education), whose domains are:
>
> [snip]

Thanks for the very helpful information.

I think we should first ask ANSSI to help those academies migrate to a different CA. My understanding is that the French government has already used certificates from other CAs:

Entrust: https://www.amendes.gouv.fr/portail/index.jsp?lang=en
Certplus/Certinomis: https://www.tresor.economie.gouv.fr/autorisations-prealables-des-investissements-etrangers-en-france

So, it seems reasonable to think we could work with ANSSI to coordinate the migration of websites that aren't serving critical government functions to the other CAs that the French government is already using, in a reasonably fast timeframe. I'd like us to try that first.

Cheers,
Brian
--
Mozilla Networking/Crypto/Security (Necko/NSS/PSM)
Re: Exceptions to 1024-bit cert revocation requirement
On 12/12/2013 12:31 AM, From Kathleen Wilson:
> I understand that this is not fair to the CAs who have done a great job of transitioning off of 1024-bit certs.

Right - potential customers knock at various doors in respect to such certificates, and I believe I have given them the right answer when approached: that it's not possible to obtain such certificates anymore.

Indeed, if this isn't something applied equally, it might be very difficult to enforce other requirements in the future if at the first opportunity there is yet another exception to the previous exception, etc. If experience shows that it doesn't pay off to comply with requirements, then why care next time?

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: start...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg
RE: Exceptions to 1024-bit cert revocation requirement
If you are granting more time, I have a whole bunch of customers who are not happy about the 2013 cutoff. Extending it for some CAs is patently unfair to those of us who have taken a hard stance on the deadline and not requested extensions of time. If you are granting some CAs an extension, you'll probably get a lot more requests from the rest of us.

Jeremy

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Kathleen Wilson
Sent: Wednesday, December 11, 2013 3:32 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Exceptions to 1024-bit cert revocation requirement

All,

There are a few cases where customers are asking CAs for more time to transition off of their 1024-bit certificates.

According to the Baseline Requirements, 1024-bit Subscriber Certificates are supposed to be no longer valid by 31 Dec 2013.

According to https://wiki.mozilla.org/CA:MD5and1024
"All end-entity certificates with RSA key size smaller than 2048 bits must expire by the end of 2013. Under no circumstances should any party expect continued support for RSA key size smaller than 2048 bits past December 31, 2013. This date could get moved up substantially if necessary to keep our users safe. We recommend all parties involved in secure transactions on the web move away from 1024-bit moduli as soon as possible."

According to http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/
"We consider the following algorithms and key sizes to be acceptable and supported in Mozilla products: ... RSA 1024 bits (only until December 31, 2013)."

Starting a few months ago, CAs began contacting me with their concerns about meeting this deadline, and needing a little bit longer for customers to complete their transitions.

I understand that this is not fair to the CAs who have done a great job of transitioning off of 1024-bit certs.

But I also understand some of the timing issues that CAs' customers are running into.

We have not yet made the code change to prohibit 1024-bit certs, so for Mozilla this is a question of policy.

I am inclined to grant more time to CAs for customers who are working hard to transition off of 1024-bit certs, but need a little more time to complete their transition.

Rather than creating another date for folks to complete their transitions off of 1024-bit certs, I think I'd prefer to handle time extensions on a case-by-case basis.

I'll appreciate your constructive input on this.

Kathleen
Re: Exceptions to 1024-bit cert revocation requirement
On 11/12/13 14:31, Kathleen Wilson wrote:
> There are a few cases where customers are asking CAs for more time to transition off of their 1024-bit certificates.

What exactly are CAs asking for? Are they asking for permission to continue issuing such certs? Or are they asking for permission to not revoke such certs?

Are the certs concerned ones which are in environments where the servers using them would be accessed by a consumer web browser?

> According to the Baseline Requirements, 1024-bit Subscriber Certificates are supposed to be no longer valid by 31 Dec 2013.

So such CAs would fail a BR audit if one were to take place between 31st Dec 2013 and the time when those certs expire or are revoked?

> Starting a few months ago, CAs began contacting me with their concerns about meeting this deadline, and needing a little bit longer for customers to complete their transitions.

Are we able to say roughly how many CAs are involved? And of those CAs, how many customers have problems? And for those customers, how many certs are involved?

Gerv
Re: Exceptions to 1024-bit cert revocation requirement
On Wed, Dec 11, 2013 at 2:48 PM, Jeremy Rowley jeremy.row...@digicert.com wrote:
> If you are granting more time, I have a whole bunch of customers who are not happy about the 2013 cutoff. Extending it for some CAs is patently unfair to those of us who have taken a hard stance on the deadline and not requested extensions of time. If you are granting some CAs an extension, you'll probably get a lot more requests from the rest of us.

Indeed, it would be unfair — and unwise. No exceptions.
Re: Revoking Trust in one ANSSI Certificate
On 10/12/13 06:20, Jan Schejbal wrote:
> The third sub-ca cert (Subject AC DGTPE Signature Authentification) includes a CRL DP for a CRL issued by sub-ca 2, validity 2011-09-09 to 2014-09-13. The CRL is empty.

Look again. It seems that it now contains 1106 certificates (!), with widely varying revocation dates. It would be interesting to know by what process this happened. Were these certs revoked in the past but the CRL not updated due to some technical issue? Or have they just decided to do a blanket revocation of every cert issued? Or something else?

> Am I correct in the assumption that this means that the only way this CA can deal with Sub-CA compromises effectively is asking for an emergency update of all software relying on the certificates?

AIUI, yes.

Gerv
Re: Exceptions to 1024-bit cert revocation requirement
Well, let's be clear about one thing: in Firefox land (as in others) there is no such thing as revocation; there is only changing the code. I think what Kathleen is saying is that starting Jan 1, Mozilla would like to take out the code supporting certs with small keys. What needs to be negotiated then is when end-entity cert holders will be prepared for their small keys to no longer work on _future_ versions of Mozilla products. A 1024-bit cert will always work with FF 24, for example. It may or may not work on version 30. If a cert holder is ok with that, I don't think there is really a problem.

PKI gymnastics anyone?

From: Rob Stradling
Sent: Wednesday, December 11, 2013 5:15 PM
To: Kathleen Wilson; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Exceptions to 1024-bit cert revocation requirement

On 11/12/13 22:31, Kathleen Wilson wrote:
[snip]
> According to https://wiki.mozilla.org/CA:MD5and1024
> "All end-entity certificates with RSA key size smaller than 2048 bits must expire by the end of 2013."

Kathleen, are you saying that "must expire by the end of 2013" is a "revocation requirement"?

Expiration != Revocation.

Is there actually a requirement that says "By the end of 2013, CAs MUST revoke all unexpired certificates with 2048-bit RSA keys"? If so, where is it written and when was it communicated to the CAs?

(If it's not actually written anywhere, then can you actually enforce it?)

--
Rob Stradling
Senior Research Development Scientist
COMODO - Creating Trust Online
Re: Exceptions to 1024-bit cert revocation requirement
On 12/11/13 2:55 PM, Gervase Markham wrote:
> On 11/12/13 14:31, Kathleen Wilson wrote:
>> There are a few cases where customers are asking CAs for more time to transition off of their 1024-bit certificates.
>
> What exactly are CAs asking for? Are they asking for permission to continue issuing such certs? Or are they asking for permission to not revoke such certs?

They are asking for permission to not revoke such certs.

> Are the certs concerned ones which are in environments where the servers using them would be accessed by a consumer web browser?
>
>> According to the Baseline Requirements, 1024-bit Subscriber Certificates are supposed to be no longer valid by 31 Dec 2013.

Correct, but the effective date of the BRs was 01-Jul-12...

> So such CAs would fail a BR audit if one were to take place between 31st Dec 2013 and the time when those certs expire or are revoked?

Yes.

https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Baseline_Requirements
"The first BR audit for each CA and subCA may include a reasonable list of BRs that the CA (or subCA) is not yet in compliance with. The second BR audit (the following year) is expected to confirm that the issues that were listed in the previous BR audit have been resolved."

>> Starting a few months ago, CAs began contacting me with their concerns about meeting this deadline, and needing a little bit longer for customers to complete their transitions.
>
> Are we able to say roughly how many CAs are involved? And of those CAs, how many customers have problems? And for those customers, how many certs are involved?

Well, I received an influx of emails from CAs as soon as I posted this. I thought it was 3 or 4 CAs that would need longer, but now it looks like more.

From Jeremy:
> If you are granting more time, I have a whole bunch of customers who are not happy about the 2013 cutoff. Extending it for some CAs is patently unfair to those of us who have taken a hard stance on the deadline and not requested extensions of time. If you are granting some CAs an extension, you'll probably get a lot more requests from the rest of us.

Good point. So, if we are going to grant any extended timelines, we should set another date. The dates I've heard cluster around the May 2014 time frame.

From Rob:
> Kathleen, are you saying that "must expire by the end of 2013" is a "revocation requirement"?
> Expiration != Revocation.
> Is there actually a requirement that says "By the end of 2013, CAs MUST revoke all unexpired certificates with 2048-bit RSA keys"? If so, where is it written and when was it communicated to the CAs?
> (If it's not actually written anywhere, then can you actually enforce it?)

In BR Appendix A:

  Subscriber Certificates                          Minimum RSA modulus
  Validity period ending on or before 31 Dec 2013  1024
  Validity period ending after 31 Dec 2013         2048

From Peter:
> A 1024-bit cert will always work with FF 24, for example. It may or may not work on version 30. If a cert holder is ok with that, I don't think there is really a problem.

Correct. Mozilla policy and wiki pages say "Under no circumstances should any party expect continued support for RSA key size smaller than 2048 bits past December 31, 2013".

Thanks,
Kathleen
RE: Exceptions to 1024-bit cert revocation requirement
The only criterion on the WebTrust BR audit (http://www.webtrust.org/homepage-documents/item27839.aspx) is section 11. Since the BRs will only apply to certificates issued since the last audit, and the MS policy prohibited issuance after Dec 2010, there shouldn't be many/any audits with a qualification because of non-revoked 1024-bit certs.

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Jeremy Rowley
Sent: Wednesday, December 11, 2013 6:01 PM
To: 'Rob Stradling'; 'Kathleen Wilson'; mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: Exceptions to 1024-bit cert revocation requirement

The requirement is from Mozilla's policy, not the BRs: https://wiki.mozilla.org/CA:MD5and1024

Note that the Microsoft policy doesn't require revocation. Instead, they required all CAs to stop issuing 1024-bit certs as of Dec 31, 2010 (http://technet.microsoft.com/en-us/library/cc751157.aspx). The certificates are expiring naturally.

Jeremy

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Rob Stradling
Sent: Wednesday, December 11, 2013 5:44 PM
To: Kathleen Wilson; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Exceptions to 1024-bit cert revocation requirement

On 12/12/13 00:25, Kathleen Wilson wrote:
[snip]
> From Rob:
>> Kathleen, are you saying that "must expire by the end of 2013" is a "revocation requirement"?
>> Expiration != Revocation.
>> Is there actually a requirement that says "By the end of 2013, CAs MUST revoke all unexpired certificates with 2048-bit RSA keys"? If so, where is it written and when was it communicated to the CAs?
>> (If it's not actually written anywhere, then can you actually enforce it?)
>
> In BR Appendix A:
>
>   Subscriber Certificates                          Minimum RSA modulus
>   Validity period ending on or before 31 Dec 2013  1024
>   Validity period ending after 31 Dec 2013         2048

Sure, and BRs Section 13.1.5 says:
"The CA SHALL revoke a (Subscriber) Certificate within 24 hours if ... 9. The CA is made aware that the Certificate was not issued in accordance with these Requirements..."

Sorry, I should have mentioned that I'm thinking primarily about long-lived certificates that were issued before the BRs became effective. BRs Section 1 says:
"Except where explicitly stated otherwise, these requirements apply only to relevant events that occur on or after the Effective Date."

Where is it written that 2048-bit certs that predate the BRs need to be revoked by end of 2013?

--
Rob Stradling
Senior Research Development Scientist
COMODO - Creating Trust Online