As an alternative to requiring newly-issued subCA Certificates to be listed
in the relevant CP/CPS prior to issuing certificates, would it be
reasonable for Mozilla to require the Certificate Policies extension in
these certificates to contain a URL pointing to the relevant policy
document(s)? I
I've gone ahead and removed references to ETSI TS 101 456 and TS 102 042
from the 2.6 branch of the policy:
https://github.com/mozilla/pkipolicy/commit/49a07119a1fd5c887d4b506f60e210fad941b26a
- Wayne
On Tue, Mar 27, 2018 at 12:44 PM, Wayne Thayer wrote:
> There has been
Isn't that question a little disingenuous?
There was massive controversy in the mainstream tech press and throughout
the InfoSec press and elsewhere when a certificate with this EV indication
for this entity name for this website and purpose previously issued. It
invites trouble in the sense
I'm not sure why it can't be evidence of both.
Is it an offense by GoDaddy for which there should be repercussions from
the root programs towards GoDaddy? No.
You're correct that it illustrates that EV has an enormous value gap in its
current form. My own opinion is that I would rather see
On Wed, Apr 11, 2018, at 15:27, Matthew Hardeman via dev-security-policy wrote:
> It was injudicious of a CA to issue another certificate in this name for
> this entity after the already well documented controversy. Did they just
> not care that it would invite trouble or did they not know that
This absolutely appears to be valid issuance.
And if it's valid issuance, that raises questions about the value of EV, if
we accept that the definition of EV is static and unchangeable.
What I propose is that the community of CAs either recognize that it's
worthless and give up on it - or -
I disagree on what this is evidence of:
It's evidence that the claimed benefits of EV (by CA, WRT phishing) do not
match the technical reality. As Ryan noted, as far as I'm aware this
certificate violates neither the BRs, nor the EVG.
Alex
On Wed, Apr 11, 2018 at 2:48 PM, Matthew Hardeman via
On Wed, Apr 11, 2018, at 14:48, Matthew Hardeman via dev-security-policy wrote:
> Additionally, I think it's fair to say that I'm aghast that another CA
> (who by their inclusion in the Mozilla root program has agreed to stay
> abreast of developments on this list) has issued for the exact same
Additionally, I think it's fair to say that I'm aghast that another CA (who by
their inclusion in the Mozilla root program has agreed to stay abreast of
developments on this list) has issued for the exact same entity and name that
already led to significant controversy covered on this list less
Thank you for responding Matthias.
On Wed, Apr 11, 2018 at 10:52 AM, m.wiedenhorst--- via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> Hi Wayne
>
> > Can anyone say if an equivalent public-facing
> > report exists for ETSI audits? If so, I think we should require CAs
On Wed, Apr 11, 2018 at 1:51 PM, Matthew Hardeman via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Hi,
>
> I'm merely an interested community member.
>
> I'm writing because I'm aghast that yet another CA has issued a
> certificate for Stripe, Inc of Kentucky.
>
It
> an EV certificate issued and fairly promptly revoked by Comodo.
Just to clarify, Comodo revoked it at least four months after it was issued
(https://crt.sh/?id=273634647). It was not "promptly" revoked.
___
dev-security-policy mailing list
Hi Wayne
> Can anyone say if an equivalent public-facing
> report exists for ETSI audits? If so, I think we should require CAs to
> provide these reports with their root inclusion requests.
ETSI does require reports on key ceremonies (ETSI EN 319 411-1, 6.5.1 g).
But ETSI does NOT require
Hi,
I'm merely an interested community member.
I'm writing because I'm aghast that yet another CA has issued a certificate for
Stripe, Inc of Kentucky.
One would think that the various commercial CAs would consider their communal
self-interests in today's marketplace.
The commercial CA
I've asked the Government of Korea to comment on this news article in their
inclusion request (https://bugzilla.mozilla.org/show_bug.cgi?id=1377389).
- Wayne
On Wed, Apr 11, 2018 at 7:26 AM, jumping2gether--- via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> According to
Hi
One of the non-technically-constrained intermediate certificates on the list
[2] below is issued by Buypass and this was revoked today - see
https://crt.sh/?id=157337628.
This was done to be compliant with Section 5.3.1 of Mozilla Root Store Policy v
2.5 [1] - as specified in Action 1 of
Your inquiry was posted with unsubstantiated information. crt.sh logged that a
certificate including www.testssl.com was issued by a CA certificate (CN:
CA134100031) on 2017-02-17, but already revoked.
Deloitte Anjin didn't issue a WTCA-SSL report on the CA certificate after
2017-01-01.
According to the official briefing by the Government of Korea on April 9 2018,
The government CA discovered suspicious misissuance on April 5. They revoked
the certificate on April 6 and began investigating all valid SSL certificates.
src (in Korean):
Your information is incorrect.
According to crt.sh, Ministry of Education CA(CA134100031)issued a mis-issued
certificate to www.testssl.com on 2017-04-03 but already revoked.
Deloitte Anjin didn't issue a WTCA-SSL report to the CA certificate after
2017-01-01.
19 matches
Mail list logo