Re: Time to distrust

2016-09-28 Thread Peter Gutmann
Gijs Kruitbosch  writes:

>(Some) People who "do" Firefox UI read this group. If you have concrete/
>constructive suggestions, please file bugs or write to more topical mailing 
>lists - especially if you think there are things we should do "frontend"-
>wise to improve the security of end users.

Oh, it's not the security UI, it's the look and feel of Firefox as a whole,
which has seen almost uniformly negative response from users in public
forums for several years now (Mozilla's own Firefox feedback forum was 
running about 80-90% negative the last time I checked a link to it).  Just
to pick one random location, go to Slashdot and find any thread on Firefox,
anything at all, and try and find anyone with a positive comment to make
about it.  What I was commenting on was that what the Firefox *security* 
devs were doing made perfect sense, it wasn't meant to start yet another
Firefox-post-3.x-sucks thread, they're all over the place as it is.

Peter.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Updating Production Common CA Database

2016-09-28 Thread Kathleen Wilson
On Tuesday, September 27, 2016 at 3:12:20 AM UTC-7, Rob Stradling wrote:
> How about "CA Fingerprint"?
> 
> Peter's "CA ID" suggestion is definitely better than "Certificate ID".
> However, since crt.sh already has an integer "CA ID" field, I'd prefer
> to call this Salesforce field "CA Fingerprint" to avoid potential
> confusion for folks who use both systems.


I've added to our to-do list: Change "Certificate ID" to "CA Fingerprint".

Thanks,
Kathleen


Re: Second Discussion of LuxTrust Root Inclusion Request

2016-09-28 Thread Kathleen Wilson
On Thursday, August 4, 2016 at 10:51:58 AM UTC-7, Kathleen Wilson wrote:
> On Wednesday, March 23, 2016 at 2:08:19 PM UTC-7, Kathleen Wilson wrote:
> > On 12/17/15 5:34 PM, Kathleen Wilson wrote:
> > > The first discussion of LuxTrust's root inclusion request was here:
> > > https://groups.google.com/d/msg/mozilla.dev.security.policy/47Jz7f8E4RI/sT1wTJ2RIEMJ
> > >
> 
> The CA has resolved the questions and concerns raised during the first 
> discussion, and has provided an updated root certificate with corresponding 
> updated documentation and audit statement.
> 
> Please review this request from LuxTrust to include the "LuxTrust Global Root 
> 2" certificate, turn on the Websites trust bit, and enable EV treatment.
> 
> The request is documented in the following bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=944783
> 
> Summary of Information Gathered and Verified:
> https://bugzilla.mozilla.org/attachment.cgi?id=8777892
> 
> This root signs internally-operated subordinate CAs that issue SSL and code 
> signing certificates.
> 
> Documents are in French and English.
> CA Document Repository: https://repository.luxtrust.lu
> CP: 
> https://www.luxtrust.lu/upload/data/repository/LuxTrust%20Global%20Root%20CA%20-%20Certificate%20Profiles%20v1%2022.pdf
> CPS: 
> https://www.luxtrust.lu/upload/data/repository/LuxTrust_Global_Root%20CA_Certification_Practice_Statements_v1_09.pdf
> SSL CPS: 
> https://www.luxtrust.lu/upload/data/repository/LuxTrust%20SSL%20CA%20CPS%20v1.3.pdf
>   


Thanks again to those of you who participated in the discussions about 
LuxTrust's root inclusion request. The updated request is to include the 
"LuxTrust Global Root 2" certificate, turn on the Websites trust bit, and 
enable EV treatment.

I am now closing this discussion and will recommend approval in the bug.

https://bugzilla.mozilla.org/show_bug.cgi?id=944783

Any further follow-up on this request should be added directly to the bug.

Thanks,
Kathleen 


Re: Re: WoSign and StartCom

2016-09-28 Thread Dean Coclin
FYI - Tyro is not the company referenced on the CA/B Forum agenda.

Dean Coclin
CA/B Forum Chair

On 09/28/16, Nick Lamb wrote:
> On Wednesday, 28 September 2016 18:33:07 UTC+1, Percy  wrote:
> > I'm assuming WoSign/StartCom pressured Tyro to remove the blog post. 
> > WoSign/StartCom has previously publicly threatened legal actions over the 
> > secret purchase. 
> 
> I would say it's just as likely that Tyro's executives decided that the blog 
> post doesn't match up with the current story they want to start telling.
> 
> Tomorrow's CA/B agenda, the new Symantec-issued wildcard for Tyro, and other 
> factors suggest that Tyro now intends to pursue the SHA-1 exception process. On 
> the whole there's no overwhelming reason they shouldn't be able to qualify for 
> that process, but it may be a lot easier if they can manage to come up with one 
> coherent story for how they got here which avoids contradicting the known facts 
> or their own previous assertions, such as those in the blog post.


Re: WoSign and StartCom

2016-09-28 Thread Nick Lamb
On Wednesday, 28 September 2016 18:33:07 UTC+1, Percy  wrote:
> I'm assuming WoSign/StartCom pressured Tyro to remove the blog post. 
> WoSign/StartCom has previously publicly threatened legal actions over the 
> secret purchase. 

I would say it's just as likely that Tyro's executives decided that the blog 
post doesn't match up with the current story they want to start telling.

Tomorrow's CA/B agenda, the new Symantec-issued wildcard for Tyro, and other 
factors suggest that Tyro now intends to pursue the SHA-1 exception process. On 
the whole there's no overwhelming reason they shouldn't be able to qualify for 
that process, but it may be a lot easier if they can manage to come up with one 
coherent story for how they got here which avoids contradicting the known facts 
or their own previous assertions, such as those in the blog post.


Re: WoSign and StartCom

2016-09-28 Thread Percy
On Wednesday, September 28, 2016 at 12:16:51 AM UTC-7, Peter Gutmann wrote:
> Percy  writes:
> >On Tuesday, September 27, 2016 at 2:15:38 AM UTC-7, Gervase Markham wrote:
> >> Participants may be interested in this blog post from Tyro:
> >> https://tyro.com/blog/merchant-security-is-tyros-priority/
> >
> >So this is almost proof that WoSign/StartCom has been intentionally back-
> >dating certificates to avoid blocks on SHA-1 issuance in browsers. 
> 
> Did anyone keep a copy of that post?  Looks like they took it down pretty
> quickly, possibly in response to the above.
> 
> Peter.

I'm assuming WoSign/StartCom pressured Tyro to remove the blog post. 
WoSign/StartCom has previously publicly threatened legal actions over the 
secret purchase. 

Are those suppression attempts factored in when making trust decisions?  


Re: WoSign and StartCom

2016-09-28 Thread Rob Stradling
On 28/09/16 12:23, Nick Lamb wrote:
> On Tuesday, 27 September 2016 10:15:38 UTC+1, Gervase Markham  wrote:
>> https://tyro.com/blog/merchant-security-is-tyros-priority/
> 
> This site reproduces what I guess is an email from Tyro (can't find similar 
> text on their website) that suggests very strongly they weren't prepared for 
> SHA-1 deprecation at all and hadn't previously even notified their customers 
> of the necessary upgrades.
> 
> http://www.newsagencyblog.com.au/2016/06/02/if-you-are-running-windows-xp/
> 
> If May was really the first time they realised they had a problem that's 
> pretty damning.

Presumably this...

  "The certificate that we use to secure our integration system expires
   on the 6th of June, 2016 and the new certificate cannot be accepted
   by POSs that run on Windows XP Service pack 2 or earlier."

...is referring to https://crt.sh/?id=1455926 and
https://crt.sh/?id=20031959.  If so, that would seem to imply that
https://crt.sh/?id=21427475 had not been issued when that article was
posted.

(The alternative, and I would suggest unlikely, explanation is that Tyro
did possess https://crt.sh/?id=21427475 when that article was posted,
but for some reason they'd already made the decision to not use it).

BTW, I found a couple of other references:

http://www.possolutions.com.au/blog/windows-xp-sp2-expires

http://www.possolutions.com.au/blog/if-you-are-running-windows-xp-or-server-2003

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online



Re: WoSign and StartCom

2016-09-28 Thread Gervase Markham
On 28/09/16 12:23, Nick Lamb wrote:
> This site reproduces what I guess is an email from Tyro (can't find
> similar text on their website) that suggests very strongly they
> weren't prepared for SHA-1 deprecation at all and hadn't previously
> even notified their customers of the necessary upgrades.
> 
> http://www.newsagencyblog.com.au/2016/06/02/if-you-are-running-windows-xp/

Very interesting. Thank you :-)

Gerv


Re: WoSign and StartCom

2016-09-28 Thread Nick Lamb
On Tuesday, 27 September 2016 10:15:38 UTC+1, Gervase Markham  wrote:
> https://tyro.com/blog/merchant-security-is-tyros-priority/

This site reproduces what I guess is an email from Tyro (can't find similar 
text on their website) that suggests very strongly they weren't prepared for 
SHA-1 deprecation at all and hadn't previously even notified their customers of 
the necessary upgrades.

http://www.newsagencyblog.com.au/2016/06/02/if-you-are-running-windows-xp/

If May was really the first time they realised they had a problem that's pretty 
damning.


Re: WoSign and StartCom

2016-09-28 Thread Adam Caudill


> On Sep 28, 2016, at 3:16 AM, Peter Gutmann  wrote:
> 
> Did anyone keep a copy of that post?  Looks like they took it down pretty
> quickly, possibly in response to the above.



Thankfully it was still in Bing’s cache (thanks to Ryan Hurst for reminding me 
to check there); here’s an Archive.org copy of Bing’s cached copy:

https://web.archive.org/web/20160928082744/http://cc.bingj.com/cache.aspx?q=url%3ahttps%3a%2f%2ftyro.com%2fblog%2fmerchant-security-is-tyros-priority%2f=3142275970384=en-US=en-US=CXAExr3p_O5p0vSMb-OFFm7Vt8ZUhoMF

--
Adam Caudill
a...@adamcaudill.com
http://adamcaudill.com/




Re: WoSign and StartCom

2016-09-28 Thread Shengjing Zhu
One question:
Since WoSign and StartCom have certificates which are cross-signed by Certum 
CA (https://wiki.mozilla.org/CA:WoSign_Issues#Cross_Signing), does that mean 
browsers will still trust any certificate signed by "Certification Authority 
of WoSign G2" if the website owner sends a certificate chain that includes this 
cross-signed certificate?

Is there any way to distrust an intermediate certificate by its common name?
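The path-building behaviour behind Shengjing Zhu's question, as an added example in Go that is not part of this thread and not code from Mozilla, Certum or WoSign. It uses Go's standard-library X.509 verifier as a stand-in for a browser's chain builder over a constructed test hierarchy with hypothetical names (Test Root A, Test Root B, Test Intermediate G2/G3) and freshly generated Ed25519 keys. It shows that removing one root on its own leaves a leaf valid through the cross-signed copy of the intermediate, that a blocklist on the intermediate's subject common name stops chains through that name whichever root they reach, and that a blocklist on the SPKI hash (the public key) additionally stops a certificate for the same key issued under a new name, which a name-based block cannot see. The `trusted` policy function and both blocklists are assumptions of this example, not a description of what Firefox actually does.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed test hierarchy (hypothetical names, fresh keys): one intermediate key is certified
// by RootA (Inter), cross-signed by RootB (InterCross) and re-issued by RootB under a new name (InterRenamed).
type testPKI struct {
	RootA, RootB, Inter, InterCross, InterRenamed, Leaf, Leaf2 *x509.Certificate
}

func must(err error) { if err != nil { panic(err) } }

func newKey() ed25519.PrivateKey {
	_, k, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	return k
}

// template builds a minimal test-only certificate; key usage and EKU extensions are
// omitted, and Verify below is told to accept any EKU.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA,
	}
}

// sign issues tmpl for subject's public key, signed with the issuer's key (parent is the issuer cert).
func sign(tmpl, parent *x509.Certificate, subject, issuer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, subject.Public(), issuer)
	must(err)
	c, err := x509.ParseCertificate(der)
	must(err)
	return c
}

func buildPKI() testPKI {
	ka, kb, ki, kl := newKey(), newKey(), newKey(), newKey()
	ta, tb := template("Test Root A", 1, true), template("Test Root B", 2, true)
	rootA, rootB := sign(ta, ta, ka, ka), sign(tb, tb, kb, kb)
	inter := sign(template("Test Intermediate G2", 3, true), rootA, ki, ka)
	interCross := sign(template("Test Intermediate G2", 4, true), rootB, ki, kb) // same key, same name
	interRenamed := sign(template("Test Intermediate G3", 5, true), rootB, ki, kb) // same key, new name
	leaf := sign(template("shop.example.test", 6, false), inter, kl, ki)
	leaf2 := sign(template("pay.example.test", 7, false), interRenamed, kl, ki) // chains via the renamed copy
	return testPKI{rootA, rootB, inter, interCross, interRenamed, leaf, leaf2}
}

// spkiHash identifies a CA by its public key rather than its name: every
// cross-signed or renamed certificate for the same key shares this value.
func spkiHash(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo))
}

func pool(cs []*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range cs {
		p.AddCert(c)
	}
	return p
}

// trusted reports whether leaf still has a valid chain to one of roots via inters
// after discarding every chain that passes through a blocked subject CN or a
// blocked SPKI hash (a nil map blocks nothing).
func trusted(leaf *x509.Certificate, roots, inters []*x509.Certificate, blockedCN, blockedSPKI map[string]bool) bool {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: pool(roots), Intermediates: pool(inters), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return false // no chain to any configured root at all
	}
nextChain:
	for _, chain := range chains {
		for _, c := range chain[1:] { // every issuer above the leaf
			if blockedCN[c.Subject.CommonName] || blockedSPKI[spkiHash(c)] {
				continue nextChain
			}
		}
		return true
	}
	return false
}

func main() {
	p := buildPKI()
	inters, onlyB := []*x509.Certificate{p.Inter, p.InterCross, p.InterRenamed}, []*x509.Certificate{p.RootB}
	byCN, byKey := map[string]bool{"Test Intermediate G2": true}, map[string]bool{spkiHash(p.Inter): true}
	fmt.Println("RootA removed, cross-sign kept:", trusted(p.Leaf, onlyB, inters, nil, nil))
	fmt.Println("intermediate CN blocked:       ", trusted(p.Leaf, onlyB, inters, byCN, nil))
	fmt.Println("renamed issuer, CN blocked:    ", trusted(p.Leaf2, onlyB, inters, byCN, nil))
	fmt.Println("renamed issuer, key blocked:   ", trusted(p.Leaf2, onlyB, inters, nil, byKey))
}
```

Run with `go run`; the four lines print true, false, true, false. The first line is the answer to the question: with only Test Root B left in the store, the leaf still verifies because the cross-signed copy of the intermediate reaches that root. The second shows that a common-name block does work for this leaf, since any issuer of an existing leaf must carry the subject name the leaf's issuer field names. The last two show why a key-based identifier is the more robust handle: a certificate for the same key under a new name is a perfectly good issuer for new leaves and slips past the name block, while the SPKI hash is identical across all three copies.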


Re: WoSign and StartCom

2016-09-28 Thread Peter Gutmann
Percy  writes:
>On Tuesday, September 27, 2016 at 2:15:38 AM UTC-7, Gervase Markham wrote:
>> Participants may be interested in this blog post from Tyro:
>> https://tyro.com/blog/merchant-security-is-tyros-priority/
>
>So this is almost proof that WoSign/StartCom has been intentionally back-
>dating certificates to avoid blocks on SHA-1 issuance in browsers. 

Did anyone keep a copy of that post?  Looks like they took it down pretty
quickly, possibly in response to the above.

Peter.