Re: Time to distrust
Gijs Kruitboschwrites: >(Some) People who "do" Firefox UI read this group. If you have concrete/ >constructive suggestions, please file bugs or write to more topical mailing >lists - especially if you think there are things we should do "frontend"- >wise to improve the security of end users. Oh, it's not the security UI, it's the look and feel of Firefox as a whole, which has seen almost uniformly negative response from users in public forums for several years now (Mozilla's own Firefox feedback forum was running about 80-90% negative the last time I checked a link to it). Just to pick one random location, go to Slashdot and find any thread on Firefox, anything at all, and try and find anyone with a positive comment to make about it. What I was commenting on was that what the Firefox *security* devs were doing made perfect sense, it wasn't meant to start yet another Firefox-post-3.x-sucks thread, they're all over the place as it is. Peter. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Updating Production Common CA Database
On Tuesday, September 27, 2016 at 3:12:20 AM UTC-7, Rob Stradling wrote: > How about "CA Fingerprint"? > > Peter's "CA ID" suggestion is definitely better than "Certificate ID". > However, since crt.sh already has an integer "CA ID" field, I'd prefer > to call this Salesforce field "CA Fingerprint" to avoid potential > confusion for folks who use both systems. I've added to our to-do list: Change "Certificate ID" to "CA Fingerprint". Thanks, Kathleen ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Second Discussion of LuxTrust Root Inclusion Request
On Thursday, August 4, 2016 at 10:51:58 AM UTC-7, Kathleen Wilson wrote: > On Wednesday, March 23, 2016 at 2:08:19 PM UTC-7, Kathleen Wilson wrote: > > On 12/17/15 5:34 PM, Kathleen Wilson wrote: > > > The first discussion of LuxTrust's root inclusion request was here: > > > https://groups.google.com/d/msg/mozilla.dev.security.policy/47Jz7f8E4RI/sT1wTJ2RIEMJ > > > > > The CA has resolved the questions and concerns raised during the first > discussion, and has provided an updated root certificate with corresponding > updated documentation and audit statement. > > Please review this request from LuxTrust to include the "LuxTrust Global Root > 2" certificate, turn on the Websites trust bit, and enable EV treatment. > > The request is documented in the following bug: > https://bugzilla.mozilla.org/show_bug.cgi?id=944783 > > Summary of Information Gathered and Verified: > https://bugzilla.mozilla.org/attachment.cgi?id=8777892 > > This root signs internally-operated subordinate CAs that issue SSL and code > signing certificates. > > Documents are in French and English. > CA Document Repository: https://repository.luxtrust.lu > CP: > https://www.luxtrust.lu/upload/data/repository/LuxTrust%20Global%20Root%20CA%20-%20Certificate%20Profiles%20v1%2022.pdf > CPS: > https://www.luxtrust.lu/upload/data/repository/LuxTrust_Global_Root%20CA_Certification_Practice_Statements_v1_09.pdf > SSL CPS: SSL CPS: > https://www.luxtrust.lu/upload/data/repository/LuxTrust%20SSL%20CA%20CPS%20v1.3.pdf > Thanks again to those of you who participated in the discussions about LuxTrust's root inclusion request. The updated request is to include the "LuxTrust Global Root 2" certificate, turn on the Websites trust bit, and enable EV treatment. I am now closing this discussion and will recommend approval in the bug. https://bugzilla.mozilla.org/show_bug.cgi?id=944783 Any further follow-up on this request should be added directly to the bug. Thanks, Kathleen ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Re: WoSign and StartCom
FYI-Tyro is not the company referenced on the CA/B Forum agenda.Dean CoclinCA/B Forum Chair On 09/28/16, Nick Lambwrote: On Wednesday, 28 September 2016 18:33:07 UTC+1, Percy wrote:> I'm assuming WoSign/StartCom pressured Tyro to remove the blog post. WoSign/StartCom has previously publicly threatened legal actions over the secret purchase. I would say it's just as likely that Tyro's executives decided that the blog post doesn't match up with the current story they want to start telling.Tomorrow's CA/B agenda, the new Symantec-issued wildcard for Tyro, and other factors suggest that Tyro now intends to pursue the SHA-1 exception process. On the whole there's no overwhelming reason they shouldn't be able to qualify for that process, but it may be a lot easier if they can manage to come up with one coherent story for how they got here which avoids contradicting the known facts or their own previous assertions, such as those in the blog post.___dev-security-policy mailing listdev-security-policy@lists.mozilla.orghttps://lists.mozilla.org/listinfo/dev-security-policy ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: WoSign and StartCom
On Wednesday, 28 September 2016 18:33:07 UTC+1, Percy wrote: > I'm assuming WoSign/StartCom pressured Tyro to remove the blog post. > WoSign/StartCom has previously publicly threatened legal actions over the > secret purchase. I would say it's just as likely that Tyro's executives decided that the blog post doesn't match up with the current story they want to start telling. Tomorrow's CA/B agenda, the new Symantec-issued wildcard for Tyro, and other factors suggest that Tyro now intends to pursue the SHA-1 exception process. On the whole there's no overwhelming reason they shouldn't be able to qualify for that process, but it may be a lot easier if they can manage to come up with one coherent story for how they got here which avoids contradicting the known facts or their own previous assertions, such as those in the blog post. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: WoSign and StartCom
On Wednesday, September 28, 2016 at 12:16:51 AM UTC-7, Peter Gutmann wrote: > Percywrites: > >On Tuesday, September 27, 2016 at 2:15:38 AM UTC-7, Gervase Markham wrote: > >> Participants may be interested in this blog post from Tyro: > >> https://tyro.com/blog/merchant-security-is-tyros-priority/ > > > >So this is almost proof that WoSign/StartCom has been intentionally back- > >dating certificates to avoid blocks on SHA-1 issuance in browsers. > > Did anyone keep a copy of that post? Looks like they took it down pretty > quickly, possibly in response to the above. > > Peter. I'm assuming WoSign/StartCom pressured Tyro to remove the blog post. WoSign/StartCom has previously publicly threatened legal actions over the secret purchase. Are those suppression attempts factored in when making trust decisions? ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: WoSign and StartCom
On 28/09/16 12:23, Nick Lamb wrote: > On Tuesday, 27 September 2016 10:15:38 UTC+1, Gervase Markham wrote: >> https://tyro.com/blog/merchant-security-is-tyros-priority/ > > This site reproduces what I guess is an email from Tyro (can't find similar > text on their website) that suggests very strongly they weren't prepared for > SHA-1 deprecation at all and hadn't previously even notified their customers > of the necessary upgrades. > > http://www.newsagencyblog.com.au/2016/06/02/if-you-are-running-windows-xp/ > > If May was really the first time they realised they had a problem that's > pretty damning. Presumably this... "The certificate that we use to secure our integration system expires on the 6th of June, 2016 and the new certificate cannot be accepted by POSs that run on Windows XP Service pack 2 or earlier." ...is referring to https://crt.sh/?id=1455926 and https://crt.sh/?id=20031959. If so, that would seem to imply that https://crt.sh/?id=21427475 had not been issued when that article was posted. (The alternative, and I would suggest unlikely, explanation is that Tyro did possess https://crt.sh/?id=21427475 when that article was posted, but for some reason they'd already made the decision to not use it). BTW, I found a couple of other references: http://www.possolutions.com.au/blog/windows-xp-sp2-expires http://www.possolutions.com.au/blog/if-you-are-running-windows-xp-or-server-2003 -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: WoSign and StartCom
On 28/09/16 12:23, Nick Lamb wrote: > This site reproduces what I guess is an email from Tyro (can't find > similar text on their website) that suggests very strongly they > weren't prepared for SHA-1 deprecation at all and hadn't previously > even notified their customers of the necessary upgrades. > > http://www.newsagencyblog.com.au/2016/06/02/if-you-are-running-windows-xp/ Very interesting. Thank you :-) Gerv ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: WoSign and StartCom
On Tuesday, 27 September 2016 10:15:38 UTC+1, Gervase Markham wrote: > https://tyro.com/blog/merchant-security-is-tyros-priority/ This site reproduces what I guess is an email from Tyro (can't find similar text on their website) that suggests very strongly they weren't prepared for SHA-1 deprecation at all and hadn't previously even notified their customers of the necessary upgrades. http://www.newsagencyblog.com.au/2016/06/02/if-you-are-running-windows-xp/ If May was really the first time they realised they had a problem that's pretty damning. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: WoSign and StartCom
> On Sep 28, 2016, at 3:16 AM, Peter Gutmannwrote: > > Did anyone keep a copy of that post? Looks like they took it down pretty > quickly, possibly in response to the above. Thankfully it was still in Bing’s cache (thanks to Ryan Hurst for reminding me to check there); here’s an Archive.org copy of Bing’s cached copy: https://web.archive.org/web/20160928082744/http://cc.bingj.com/cache.aspx?q=url%3ahttps%3a%2f%2ftyro.com%2fblog%2fmerchant-security-is-tyros-priority%2f=3142275970384=en-US=en-US=CXAExr3p_O5p0vSMb-OFFm7Vt8ZUhoMF -- Adam Caudill a...@adamcaudill.com http://adamcaudill.com/ signature.asc Description: Message signed with OpenPGP using GPGMail ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: WoSign and StartCom
One question, Since WoSign and StartCom have certification which is cross signed by Certum CA(https://wiki.mozilla.org/CA:WoSign_Issues#Cross_Signing), does that mean browser will still trust any certification signed by "Certification Authority of WoSign G2" if the website owner sends a certification chain indicates this cross signed certification? Is there any way to distrust intermediate certification by its common name? ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: WoSign and StartCom
Percywrites: >On Tuesday, September 27, 2016 at 2:15:38 AM UTC-7, Gervase Markham wrote: >> Participants may be interested in this blog post from Tyro: >> https://tyro.com/blog/merchant-security-is-tyros-priority/ > >So this is almost proof that WoSign/StartCom has been intentionally back- >dating certificates to avoid blocks on SHA-1 issuance in browsers. Did anyone keep a copy of that post? Looks like they took it down pretty quickly, possibly in response to the above. Peter. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy