Re: Policy 2.6 Proposal: Audit requirements for new subCA certificates

As an alternative to requiring newly-issued subCA Certificates to be listed in the relevant CP/CPS prior to issuing certificates, would it be reasonable for Mozilla to require the Certificate Policies extension in these certificates to contain a URL pointing to the relevant policy document(s)? I

Re: Policy 2.6 Proposal: Remove obsolete ETSI audit requirements

I've gone ahead and removed references to ETSI TS 101 456 and TS 102 042 from the 2.6 branch of the policy: https://github.com/mozilla/pkipolicy/commit/49a07119a1fd5c887d4b506f60e210fad941b26a - Wayne On Tue, Mar 27, 2018 at 12:44 PM, Wayne Thayer wrote: > There has been

Re: Sigh. stripe.ian.sh back with EV certificate for Stripe, Inc of Kentucky....

Isn't that question a little disingenuous? There was massive controversy in the mainstream tech press and throughout the InfoSec press and elsewhere when a certificate with this EV indication for this entity name for this website and purpose previously issued. It invites trouble in the sense

Re: Sigh. stripe.ian.sh back with EV certificate for Stripe, Inc of Kentucky....

I'm not sure why it can't be evidence of both. Is it an offense by GoDaddy for which there should be repercussions from the root programs towards GoDaddy? No. You're correct that it illustrates that EV has an enormous value gap in its current form. My own opinion is that I would rather see

Re: Sigh. stripe.ian.sh back with EV certificate for Stripe, Inc of Kentucky....

On Wed, Apr 11, 2018, at 15:27, Matthew Hardeman via dev-security-policy wrote: > It was injudicious of a CA to issue another certificate in this name for > this entity after the already well documented controversy. Did they just > not care that it would invite trouble or did they not know that

Re: Sigh. stripe.ian.sh back with EV certificate for Stripe, Inc of Kentucky....

This absolutely appears to be valid issuance. And if it's valid issuance, that raises questions about the value of EV, if we accept that the definition of EV is static and unchangeable. What I propose is that the community of CAs either recognize that it's worthless and give up on it - or -

Re: Sigh. stripe.ian.sh back with EV certificate for Stripe, Inc of Kentucky....

I disagree on what this is evidence of: It's evidence that the claimed benefits of EV (by CA, WRT phishing) do not match the technical reality. As Ryan noted, as far as I'm aware this certificate violates neither the BRs, nor the EVG. Alex On Wed, Apr 11, 2018 at 2:48 PM, Matthew Hardeman via

Re: Sigh. stripe.ian.sh back with EV certificate for Stripe, Inc of Kentucky....

On Wed, Apr 11, 2018, at 14:48, Matthew Hardeman via dev-security-policy wrote: > Additionally, I think it's fair to say that I'm aghast that another CA > (who by their inclusion in the Mozilla root program has agreed to stay > abreast of developments on this list) has issued for the exact same

Re: Sigh. stripe.ian.sh back with EV certificate for Stripe, Inc of Kentucky....

Additionally, I think it's fair to say that I'm aghast that another CA (who by their inclusion in the Mozilla root program has agreed to stay abreast of developments on this list) has issued for the exact same entity and name that already led to significant controversy covered on this list less

Re: Policy 2.6 Proposal: Require audits back to first issuance

Thank you for responding Matthias. On Wed, Apr 11, 2018 at 10:52 AM, m.wiedenhorst--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > Hi Wayne > > > Can anyone say if an equivalent public-facing > > report exists for ETSI audits? If so, I think we should require CAs

Re: Sigh. stripe.ian.sh back with EV certificate for Stripe, Inc of Kentucky....

On Wed, Apr 11, 2018 at 1:51 PM, Matthew Hardeman via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Hi, > > I'm merely an interested community member. > > I'm writing because I'm aghast that yet another CA has issued a > certificate for Stripe, Inc of Kentucky. > It

Re: Sigh. stripe.ian.sh back with EV certificate for Stripe, Inc of Kentucky....

> an EV certificate issued and fairly promptly revoked by Comodo. Just to clarify, Comodo revoked it at least four months after it was issued (https://crt.sh/?id=273634647). It was not "promptly" revoked. ___ dev-security-policy mailing list

Re: Policy 2.6 Proposal: Require audits back to first issuance

Hi Wayne > Can anyone say if an equivalent public-facing > report exists for ETSI audits? If so, I think we should require CAs to > provide these reports with their root inclusion requests. ETSI does require reports on key ceremonies (ETSI EN 319 411-1, 6.5.1 g). But ETSI does NOT require

Sigh. stripe.ian.sh back with EV certificate for Stripe, Inc of Kentucky....

Hi, I'm merely an interested community member. I'm writing because I'm aghast that yet another CA has issued a certificate for Stripe, Inc of Kentucky. One would think that the various commercial CAs would consider their communal self-interests in today's marketplace. The commercial CA

Re: Do Not Accept WebTrust Audit from Deloitte Anjin South Korea

I've asked the Government of Korea to comment on this news article in their inclusion request (https://bugzilla.mozilla.org/show_bug.cgi?id=1377389). - Wayne On Wed, Apr 11, 2018 at 7:26 AM, jumping2gether--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > According to

RE: CCADB disclosure of id-kp-emailProtection intermediates

Hi One of the non-technically-constrained intermediate certificates on the list [2] below is issued by Buypass and this was revoked today - see https://crt.sh/?id=157337628. This was done to be compliant with Section 5.3.1 of Mozilla Root Store Policy v 2.5 [1] - as specified in Action 1 of

Re: Do Not Accept WebTrust Audit from Deloitte Anjin South Korea

Your inquiry was posted with unsubstantiated information. crt.sh logged that a certificate including www.testssl.com was issued by a CA certificate (CN: CA134100031) on 2017-02-17, but already revoked. Deloitte Anjin didn't issue a WTCA-SSL report on the CA certificate after 2017-01-01.

Re: Do Not Accept WebTrust Audit from Deloitte Anjin South Korea

According to the official briefing by the Government of Korea on April 9 2018, The government CA discovered suspicious misissuance on April 5. They revoked the certificate on April 6 and began investigating all valid SSL certificates. src (in Korean):

Re: Do Not Accept WebTrust Audit from Deloitte Anjin South Korea

Your information is incorrect. According to crt.sh, Ministry of Education CA(CA134100031)issued a mis-issued certificate to www.testssl.com on 2017-04-03 but already revoked. Deloitte Anjin didn't issue a WTCA-SSL report to the CA certificate after 2017-01-01.