Re: Symantec Issues List

2017-03-31 Thread Peter Bowen via dev-security-policy
On Fri, Mar 31, 2017 at 4:38 PM, Ryan Sleevi via dev-security-policy wrote: > On Fri, Mar 31, 2017 at 2:39 PM, Gervase Markham wrote: > >> As we continue to consider how best to react to the most recent incident >> involving Symantec, and given that there is

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-31 Thread Peter Bowen via dev-security-policy
> On Mar 31, 2017, at 6:01 PM, Daniel Baxter via dev-security-policy > wrote: > > On Saturday, April 1, 2017 at 6:27:27 AM UTC+11, Jakob Bohm wrote: >> Oh, come on, if that's her job title, that's her job title, and at any >> CA, that is actually an

Re: Grace Period for Sub-CA Disclosure

2017-03-31 Thread Ryan Sleevi via dev-security-policy
On Fri, Mar 31, 2017 at 12:24 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > As previously stated, I think this will be too short if the issuance > happens at a time when a non-CCADB root program (or the CCADB > infrastructure) is closed for holidays,

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-31 Thread aractuspuphlicus--- via dev-security-policy
On Saturday, April 1, 2017 at 6:51:30 AM UTC+11, Vincent Lynch wrote: > > It is simply a bug, related to an OID included in the certificate. This has > been documented by Chrome > . OK, I'll update that, thanks.

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-31 Thread Daniel Baxter via dev-security-policy
On Saturday, April 1, 2017 at 6:27:27 AM UTC+11, Jakob Bohm wrote: > Oh, come on, if that's her job title, that's her job title, and at any > CA, that is actually an important job that /someone/ should have. I meant the content of her reply, not her job title. > Unfortunately, when initially

Re: Symantec Issues List

2017-03-31 Thread Ryan Sleevi via dev-security-policy
On Fri, Mar 31, 2017 at 2:39 PM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > As we continue to consider how best to react to the most recent incident > involving Symantec, and given that there is a question of whether it is > part of a pattern of

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-31 Thread mono.riot--- via dev-security-policy
Maybe I'm alone in this but, while entertaining, I'm taken aback a bit if this is official Symantec communication in a forum like m.d.s.p.

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-31 Thread tarah.symantec--- via dev-security-policy
> > Yeah OK, I got a few things wrong on my blog post, I can fix that shortly. > It's no big deal. At least I'm informing people about security - claiming > that we're just "looking for hits" is ridiculous. Most people pay no > attention to security, I can't speak for others but I'm trying to

Re: Next CA Communication

2017-03-31 Thread Kathleen Wilson via dev-security-policy
I have moved the draft of the April 2017 CA Communication to production, so the link has changed to: https://mozillacaprogram.secure.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a05o03WrzBC It is also available here:

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-31 Thread Vincent Lynch via dev-security-policy
> > Finally, what have you actually done to address EV revocation? You clearly > didn't bother to tell Commonwealth Bank: > > https://www.commbank.com.au/ > > One of the largest banks in Australia that their EV status would evaporate > in Chrome. So what did you do to inform your customers about

Re: Criticism of Google Re: Google Trust Services roots

2017-03-31 Thread Peter Kurrasch via dev-security-policy
The revised example is not entirely what I had in mind (more on that in a minute) but as written now is mostly OK by me. I do have a question as to whether the public discussion as mentioned must take place before the actual transfer? In other words, will Mozilla require that whatever entity is

Symantec Issues List

2017-03-31 Thread Gervase Markham via dev-security-policy
As we continue to consider how best to react to the most recent incident involving Symantec, and given that there is a question of whether it is part of a pattern of behaviour, it seemed best to produce an issues list as we did with WoSign. This means Symantec has proper opportunity to respond to

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-31 Thread tarah.symantec--- via dev-security-policy
> Yep, but there must have been an API (at some level) for generating or > processing the QuickInvite URL. That was what I was suggesting might > have been the issue. So, it's hard for me to answer this question because I didn't see any POC, but 1) it's not physically possible for private keys

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-31 Thread Jakob Bohm via dev-security-policy
On 31/03/2017 19:31, tarah.syman...@gmail.com wrote: On Friday, March 31, 2017 at 9:51:03 AM UTC-7, Jakob Bohm wrote: Dear Tarah, Below some friendly speculation as to what the parts that some bloggers claimed was included (if those claims were somehow true) might have been (i.e. where *you*

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-31 Thread tarah.symantec--- via dev-security-policy
On Friday, March 31, 2017 at 9:51:03 AM UTC-7, Jakob Bohm wrote: > Dear Tarah, > > Below some friendly speculation as to what the parts that some bloggers > claimed was included (if those claims were somehow true) might have > been (i.e. where *you* might look for it in internal Symantec >

Re: Criticism of Google Re: Google Trust Services roots

2017-03-31 Thread Gervase Markham via dev-security-policy
On 31/03/17 17:39, Peter Bowen wrote: >>> For example, how frequently should roots >>> be allowed to change hands? What would Mozilla's response be if >>> GalaxyTrust (an operator not in the program) >>> were to say that they are acquiring the HARICA root? >> >> From the above URL: "In addition,

Re: Criticism of Google Re: Google Trust Services roots

2017-03-31 Thread Peter Bowen via dev-security-policy
On Fri, Mar 31, 2017 at 8:18 AM, Gervase Markham via dev-security-policy wrote: > On 30/03/17 15:01, Peter Kurrasch wrote: >> By "not new", are you referring to Google being the second(?) >> instance where a company has purchased an individual root cert from

Re: Criticism of Google Re: Google Trust Services roots

2017-03-31 Thread Gervase Markham via dev-security-policy
On 30/03/17 15:01, Peter Kurrasch wrote: > By "not new", are you referring to Google being the second(?) > instance where a company has purchased an individual root cert from > another company? It's fair enough to say that Google isn't the first > but I'm not aware of any commentary or airing of

Re: Criticism of Google Re: Google Trust Services roots

2017-03-31 Thread Jakob Bohm via dev-security-policy
On 30/03/2017 08:08, Gervase Markham wrote: On 29/03/17 20:42, Jakob Bohm wrote: That goal would be equally (in fact better) served by new market entrants getting cross-signed by incumbents, like Let's Encrypt did. Google will be issuing from Google-branded intermediates under the

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2017-03-31 Thread wangsn1206--- via dev-security-policy
On Thursday, March 30, 2017 at 10:34:00 PM UTC+8, Patrick Tronnier wrote: > On Sunday, March 26, 2017 at 11:48:43 PM UTC-4, wangs...@gmail.com wrote: > > We compiled an analysis document on our CP/CPS’s Compliance with the BRs > > for everyone to review and comment. You can find the document at the > > following

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2017-03-31 Thread wangsn1206--- via dev-security-policy
On Thursday, March 30, 2017 at 10:34:00 PM UTC+8, Patrick Tronnier wrote: > On Sunday, March 26, 2017 at 11:48:43 PM UTC-4, wangs...@gmail.com wrote: > > We compiled an analysis document on our CP/CPS’s Compliance with the BRs > > for everyone to review and comment. You can find the document at the > > following

RE: Criticism of Google Re: Google Trust Services roots

2017-03-31 Thread Richard Wang via dev-security-policy
Qihoo 360 CSO Mr. Tan updated this in the recent CAB Forum meeting in USA: CEO of WoSign is NA, Richard Wang is the COO. Best Regards, Richard -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of

Re: Criticism of Google Re: Google Trust Services roots

2017-03-31 Thread Florian Weimer via dev-security-policy
* Peter Kurrasch via dev-security-policy: > By "not new", are you referring to Google being the second(?) instance > where a company has purchased an individual root cert from another > company? It's fair enough to say that Google isn't the first but I'm > not aware of any commentary or airing of