Re: [EXT] Re: Questions for Symantec

2017-04-27 Thread Ryan Sleevi via dev-security-policy
On Thu, Apr 27, 2017 at 6:50 AM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 21/04/17 18:19, Eric Mill wrote: > > The FPKI cross-signs at issue in Issue L are now expired (and so don't > show > > on the links above). They do show when expired

Re: Symantec Conclusions and Next Steps

2017-04-27 Thread Ryan Sleevi via dev-security-policy
Hi Richard, On Thu, Apr 27, 2017 at 6:13 AM, Richard Wang via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I like to share the experience we suffered from distrust, it is disastrous > for CA and its customers to replace the certificate that exceed your > imagination that

Google's past discussions with Symantec

2017-04-27 Thread Ryan Sleevi via dev-security-policy
(Wearing a Google Hat, if only to share what has transpired) Symantec has recently shared in https://www.symantec.com/connect/blogs/symantec-ca-proposal , as well as https://groups.google.com/d/msg/mozilla.dev.security.policy/LRvzF2ZPyeM/OpvBXviOAQAJ , a plan for what they believe is an

Re: [EXT] Re: Questions for Symantec

2017-04-27 Thread Gervase Markham via dev-security-policy
On 21/04/17 18:19, Eric Mill wrote: > The FPKI cross-signs at issue in Issue L are now expired (and so don't show > on the links above). They do show when expired certificates are included -- > there are 6 of them with OU=FPKI: > https://crt.sh/?Identity=%25=1384 > > Each of those certificates

RE: Symantec Conclusions and Next Steps

2017-04-27 Thread Inigo Barreira via dev-security-policy
No problem at all. I thought that while distrusted no needed to follow nor update the CCADB. Will do asap. Best regards Iñigo Barreira CEO StartCom CA Limited -Original Message- From: Rob Stradling [mailto:rob.stradl...@comodo.com] Sent: jueves, 27 de abril de 2017 13:08 To: Inigo

Re: Symantec Conclusions and Next Steps

2017-04-27 Thread wizard--- via dev-security-policy
I don't know about others, but I am quite disappointed by Symantec's proposed remediation plan. Intentional or not, this response seems to indicate they don't really understand the potential consequences of many of their past actions. Essentially, they promise to: 1) Have a third party audit

Re: Symantec Conclusions and Next Steps

2017-04-27 Thread Rob Stradling via dev-security-policy
On 26/04/17 21:21, Rob Stradling via dev-security-policy wrote: (Note: A few of the non-Symantec entries currently listed by https://crt.sh/mozilla-disclosures#undisclosed are false positives, I think. It looks like Kathleen has marked some roots as "Removed" on CCADB ahead of the

RE: Symantec Conclusions and Next Steps

2017-04-27 Thread Inigo Barreira via dev-security-policy
Good to know that our new certs are there :-) Regarding StartCom, these are the new certs we've generated and will be used to apply for inclusion in the Mozilla root program. Nothing to disclose at the moment I guess. We've not been audited yet nor applied. Best regards Iñigo Barreira CEO

Re: Symantec Conclusions and Next Steps

2017-04-27 Thread Rob Stradling via dev-security-policy
On 27/04/17 11:56, Inigo Barreira wrote: Good to know that our new certs are there :-) Regarding StartCom, these are the new certs we've generated and will be used to apply for inclusion in the Mozilla root program. Nothing to disclose at the moment I guess. We've not been audited yet nor

Re: Removing "Wildcard DV Certs" from Potentially Problematic Practices list

2017-04-27 Thread okaphone.elektronika--- via dev-security-policy
On Thursday, 27 April 2017 00:42:20 UTC+2, Ryan Sleevi wrote: > On Wed, Apr 26, 2017 at 5:17 PM, okaphone.elektronika--- via > dev-security-policy wrote: > > > > If this is about the possible consequences of compromise, then I'd say you > > should try to

RE: Symantec Conclusions and Next Steps

2017-04-27 Thread Richard Wang via dev-security-policy
I like to share the experience we suffered from distrust, it is disastrous for CA and its customers to replace the certificate that exceed your imagination that we are still working for this since October 2016 that nearly six months now. Due to the quantity of Symantec customers is more than

Re: Google's past discussions with Symantec

2017-04-27 Thread Jakob Bohm via dev-security-policy
Note that according to the below post, the one thing Symantec has not decided to obey Google on is a request to completely stop operating as a CA, except in name and a few minor related aspects. This was the final, microscopic, out offered to WoSign after they completely and deliberately

Re: Symantec Conclusions and Next Steps

2017-04-27 Thread Alex Gaynor via dev-security-policy
On Thu, Apr 27, 2017 at 3:52 PM, Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Your post made me realize that we never publicly posted the status of these > last few CAs. Sorry about that. Here's the plan: > > 1. ABB - ABB was supposed to be technically

RE: Symantec Conclusions and Next Steps

2017-04-27 Thread Jeremy Rowley via dev-security-policy
Your post made me realize that we never publicly posted the status of these last few CAs. Sorry about that. Here's the plan: 1. ABB - ABB was supposed to be technically constrained (and is restricted to certain names). However, the technical constraints were added incorrectly and didn't exclude

RE: Symantec Conclusions and Next Steps

2017-04-27 Thread Jeremy Rowley via dev-security-policy
Thanks Alex. Greatly appreciated. From: Alex Gaynor [mailto:agay...@mozilla.com] Sent: Thursday, April 27, 2017 2:05 PM To: Jeremy Rowley Cc: Rob Stradling ; mozilla-dev-security-policy