Re: Google Trust Services roots

2017-02-09 Thread Jakob Bohm via dev-security-policy
On 10/02/2017 05:42, Ryan Sleevi wrote: On Thu, Feb 9, 2017 at 3:39 PM, Jakob Bohm via dev-security-policy > wrote: Additional issue #2: The information at https://pki.goog/ about how to report

Re: Google Trust Services roots

2017-02-09 Thread Peter Bowen via dev-security-policy
On Thu, Feb 9, 2017 at 9:56 PM, Richard Wang via dev-security-policy wrote: > I can't see this sentence > " I highlight this because we (the community) see the occasional remark like > this; most commonly, it's directed at organizations in particular

RE: Public disclosure of root ownership transfers (was: Re: Google Trust Services roots)

2017-02-09 Thread Richard Wang via dev-security-policy
I think Mozilla should have a very clear policy for: (1) If a company that not a public trusted CA acquired a trusted root key, what the company must do? (2) If a company is a public trusted CA that acquired a trusted root key, what the company must do? (3) If a company is a public trusted CA,

RE: Google Trust Services roots

2017-02-09 Thread Richard Wang via dev-security-policy
I can't see this sentence " I highlight this because we (the community) see the occasional remark like this; most commonly, it's directed at organizations in particular countries, on the basis that we shouldn't trust "them" because they're in one of "those countries". However, the Mozilla

Re: Public disclosure of root ownership transfers (was: Re: Google Trust Services roots)

2017-02-09 Thread Peter Bowen via dev-security-policy
On Thu, Feb 9, 2017 at 7:41 AM, Gervase Markham via dev-security-policy wrote: > On 09/02/17 14:32, Gijs Kruitbosch wrote: >> Would Mozilla's root program consider changing this requirement so that >> it *does* require public disclosure, or are there

Re: Google Trust Services roots

2017-02-09 Thread Ryan Sleevi via dev-security-policy
On Thu, Feb 9, 2017 at 3:39 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > Additional issue #2: The information at https://pki.goog/ about how to > report misissuance directs visitors to a generic reporting page for > code vulnerabilities, which (by

Re: Google Trust Services roots

2017-02-09 Thread Jakob Bohm via dev-security-policy
On 09/02/2017 20:55, Ryan Hurst wrote: Peter, Thank you very much for your, as always, thorough review. Let me start by saying I agree there is an opportunity for improving the policies around how key transfers such your recent transfer and Google's are handled. It is my hope we can,

Re: Taiwan GRCA Root Renewal Request

2017-02-09 Thread horn917--- via dev-security-policy
Kathleen Wilson於 2017年2月3日星期五 UTC+8上午6時36分54秒寫道: > On Tuesday, December 13, 2016 at 2:36:15 PM UTC-8, Kathleen Wilson wrote: > > Thanks to all of you who have reviewed and commented on this request from > > Government of Taiwan, Government Root Certification Authority (GRCA), to > > include

Re: Misissued/Suspicious Symantec Certificates

2017-02-09 Thread Nick Lamb via dev-security-policy
On Thursday, 9 February 2017 03:08:14 UTC, Ryan Sleevi wrote: > 19) Can you confirm that Certsuperior, Certisign, CrossCert, and Certisur > are the only Delegated Third Parties utilized by Symantec, across all > Symantec operated CAs that are trusted by Mozilla products? Maybe Ryan has better

Re: Google Trust Services roots

2017-02-09 Thread Peter Bowen via dev-security-policy
Ryan, Thank you for the quick reply. My comments and questions are inline. On Thu, Feb 9, 2017 at 11:55 AM, Ryan Hurst via dev-security-policy wrote: > Peter, > > Thank you very much for your, as always, thorough review. > > Let me start by saying I agree

Re: Policy 2.4 Proposal: Implement "proper" SHA-1 ban

2017-02-09 Thread Jakob Bohm via dev-security-policy
On 09/02/2017 18:20, Jakob Bohm wrote: On 09/02/2017 10:59, Gervase Markham wrote: On 08/02/17 11:25, Jakob Bohm wrote: My logic is that adding additional entropy to a serial number whose length is fully controlled by CA procedures can increase the mitigations against SHA-1 weaknesses. For

Re: Talk at FOSDEM

2017-02-09 Thread Martin Heaps via dev-security-policy
Thank you for the link, Gerv. That was a very interesting watch. Curious correlation [post video] between Earnst and Young re:Wosign and Earnst and Young re: CrossCert (although I assume this CrossCert relationship was only forthcoming after your talk). And the gent around the 38

Re: Google Trust Services roots

2017-02-09 Thread Ryan Hurst via dev-security-policy
Peter, Thank you very much for your, as always, thorough review. Let me start by saying I agree there is an opportunity for improving the policies around how key transfers such your recent transfer and Google's are handled. It is my hope we can, through our respective recent experiences

Re: Google Trust Services roots

2017-02-09 Thread Ryan Hurst via dev-security-policy
Peter, Thank you very much for your, as always, thorough review. Let me start by saying I agree there is an opportunity for improving the policies around how key transfers such your recent transfer and Google's are handled. It is my hope we can, through our respective recent experiences

Re: Policy 2.4 Proposal: Implement "proper" SHA-1 ban

2017-02-09 Thread Jakob Bohm via dev-security-policy
On 09/02/2017 10:59, Gervase Markham wrote: On 08/02/17 11:25, Jakob Bohm wrote: My logic is that adding additional entropy to a serial number whose length is fully controlled by CA procedures can increase the mitigations against SHA-1 weaknesses. For example if the existing CA setup uses all

Re: Public disclosure of root ownership transfers (was: Re: Google Trust Services roots)

2017-02-09 Thread Gervase Markham via dev-security-policy
On 09/02/17 14:32, Gijs Kruitbosch wrote: > Would Mozilla's root program consider changing this requirement so that > it *does* require public disclosure, or are there convincing reasons not > to? At first glance, it seems like 'guiding' CAs towards additional > transparency in the CA