Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Adrian R.
Kurt Roeckx wrote: > Since the previous audit wasn't one that covered a whole year, I > expect the new audit to start where the previous one stopped and > have it a year from that point. this might be more of a question for cabforum but why do audits have to be non-overlapping? i would think

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Andrew Ayer
On Tue, 18 Oct 2016 15:49:26 -0700 Gervase Markham wrote: > On 18/10/16 15:42, Ryan Hurst wrote: > > I do not understand the desire to require StartCom / WoSign to not > > utilize their own logs as part of the associated quorum policy. > > My original logic was that it could

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Rob Stradling
On 18/10/16 23:49, Gervase Markham wrote: > On 18/10/16 15:42, Ryan Hurst wrote: >> I do not understand the desire to require StartCom / WoSign to not >> utilize their own logs as part of the associated quorum policy. > > My original logic was that it could be seen that the log owner is >

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Gervase Markham
On 18/10/16 16:04, Han Yuwei wrote: > For the CT support, is there any plan to implement it into effect in > Firefox? And if implemented, what would happen if server's > certificate don't have enough SCTs? The mechanism is being implemented. When it's closer to being implemented, there will be a

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Han Yuwei
On Wednesday, October 19, 2016 at 6:42:18 AM UTC+8, Ryan Hurst wrote: > All, > > I do not understand the desire to require StartCom / WoSign to not utilize > their own logs as part of the associated quorum policy. > > Certificate Transparency's idempotency is for not dependent on the practices > of the operator. By

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Gervase Markham
On 18/10/16 15:42, Ryan Hurst wrote: > I do not understand the desire to require StartCom / WoSign to not > utilize their own logs as part of the associated quorum policy. My original logic was that it could be seen that the log owner is trustworthy. However, you are right that CT does not

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Gervase Markham
On 18/10/16 14:33, Ryan Sleevi wrote: > I think there's some confusion there. CNNIC's audits "expire" on Feb > "29" 2017 (I say "29" because of ambiguity on "1 year"). That is, > within 3 months of Feb "29", 2017, CNNIC would be expected to provide > a new audit, which covers February 29, 2016

Participants list

2016-10-18 Thread Gervase Markham
Just a reminder: people participating here more than occasionally are encouraged to add themselves to: https://wiki.mozilla.org/CA:Policy_Participants Gerv ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Ryan Hurst
All, I do not understand the desire to require StartCom / WoSign to not utilize their own logs as part of the associated quorum policy. Certificate Transparency's idempotency is for not dependent on the practices of the operator. By requiring the use of a third-party log (in this case

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Kurt Roeckx
On Tue, Oct 18, 2016 at 01:35:59PM -0700, Gervase Markham wrote: > On 18/10/16 12:46, Kurt Roeckx wrote: > > Are you saying you're expecting an audit report from November 2015 > > to November 2016, and so have the period from November to March > > covered twice? > > There seems to be a persistent

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Peter Bowen
On Tue, Oct 18, 2016 at 2:33 PM, Ryan Sleevi wrote: > > I think there's some confusion there. CNNIC's audits "expire" on Feb "29" > 2017 (I say "29" because of ambiguity on "1 year"). That is, within 3 months > of Feb "29", 2017, CNNIC would be expected to provide a new audit,

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Ryan Sleevi
On Tuesday, October 18, 2016 at 1:36:37 PM UTC-7, Gervase Markham wrote: > On 18/10/16 12:46, Kurt Roeckx wrote: > > Are you saying you're expecting an audit report from November 2015 > > to November 2016, and so have the period from November to March > > covered twice? > > There seems to be a

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Gervase Markham
On 18/10/16 12:46, Kurt Roeckx wrote: > Are you saying you're expecting an audit report from November 2015 > to November 2016, and so have the period from November to March > covered twice? There seems to be a persistent misunderstanding here. https://cert.webtrust.org/SealFile?seal=2092=pdf

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Kurt Roeckx
On Tue, Oct 18, 2016 at 10:02:00AM -0700, Gervase Markham wrote: > On 18/10/16 09:03, Kurt Roeckx wrote: > > You said the period was until February 29, 2016. I assume the next > > period starts on March 1, 2016 and is for 1 year. I don't expect it to > > from from March to November, it would be an

Re: Globalsign accidental intermediate revocation incident

2016-10-18 Thread Rob Stradling
On 18/10/16 19:15, Ryan Sleevi wrote: > On Tuesday, October 18, 2016 at 10:52:19 AM UTC-7, Rob Stradling wrote: >> AIUI, it's permissible to "un-revoke" any certificate via OCSP, but it's >> only permissible to "un-revoke" a certificate via CRL if it was revoked >> with the reason code

Re: Mozilla Root Store Elsewhere (Was Re: StartCom & Qihoo Incidents)

2016-10-18 Thread Ryan Sleevi
On Tuesday, October 18, 2016 at 11:42:17 AM UTC-7, Eric Mill wrote: > I guess there's actually an RFC for something like this? > https://tools.ietf.org/html/rfc5914 But I haven't looked at it in depth to > see whether it's a good solution for this problem. I also don't think it > requires an RFC

Re: Globalsign accidental intermediate revocation incident

2016-10-18 Thread douglas . beattie
On Monday, October 17, 2016 at 4:19:34 PM UTC-7, Jakob Bohm wrote: > On 16/10/2016 09:59, Adrian R. wrote: > > Hello > > > > i read in the news (but not here on m.d.s.p) that a few days ago Globalsign > > revoked one of their intermediary roots and then un-revoked it (well, the > > revocation is

Re: Mozilla Root Store Elsewhere (Was Re: StartCom & Qihoo Incidents)

2016-10-18 Thread Eric Mill
The first thing that comes to mind is to define an intermediate representation of per-root constraints, that Mozilla can distribute alongside certdata.txt. The simplest piece would be name constraints, but incorporating things like CT constraints and date-based constraints would clearly be

Re: Incident Report - certificate with 'sb' as a SAN:dnsName

2016-10-18 Thread Rob Stradling
Hi Hanno. The questions that you and others have posted are entirely reasonable. Sorry for the delay. Robin intends to post a reply this week. On 15/10/16 16:56, Hanno Böck wrote: > Hello, > > I think I have asked two reasonable questions here. > Can we get an answer? > > On Tue, 4 Oct 2016

Re: Globalsign accidental intermediate revocation incident

2016-10-18 Thread Ryan Sleevi
On Tuesday, October 18, 2016 at 10:52:19 AM UTC-7, Rob Stradling wrote: > AIUI, it's permissible to "un-revoke" any certificate via OCSP, but it's > only permissible to "un-revoke" a certificate via CRL if it was revoked > with the reason code certificateHold. Which "permissible" are we talking

Re: Mozilla Root Store Elsewhere (Was Re: StartCom & Qihoo Incidents)

2016-10-18 Thread Ryan Hurst
Tom, On the topic of tooling I have a console tool, and library, that can be used to parse and filter various certificate stores, you can find it here: https://github.com/PeculiarVentures/tl-create Ryan

Mozilla Root Store Elsewhere (Was Re: StartCom & Qihoo Incidents)

2016-10-18 Thread Tom Ritter
On 18 October 2016 at 08:00, Jakob Bohm wrote: > On 18/10/2016 14:35, Gervase Markham wrote: >> >> On 17/10/16 16:35, Jakob Bohm wrote: >>> >>> In the not so distant past, the Mozilla root program was much more >>> useful due to different behavior: >>> >>> 1. Mozilla

Re: Globalsign accidental intermediate revocation incident

2016-10-18 Thread Rob Stradling
On 17/10/16 15:36, Gervase Markham wrote: > On 16/10/16 08:59, Adrian R. wrote: >> is this revival/un-revocation of an intermediary CA allowed by the >> BRs? > > I agree that the wording is a little loose but I think the intended > purpose of the clause in question was as Peter interprets it -

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Gervase Markham
On 18/10/16 06:02, Peter Bowen wrote: > I think making it clear which entries in certdata.txt have additional > constraints would be very helpful. Here's a start: https://wiki.mozilla.org/CA:Root_Store_Trust_Mods I believe the ANSSI root has now been removed and so CNNIC is the only one

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread okaphone . elektronika
Measure with a micrometer, mark with chalk and cut with an axe... it's the best you can do.

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Gervase Markham
Hi Peter, On 18/10/16 06:02, Peter Bowen wrote: > I think making it clear which entries in certdata.txt have additional > constraints would be very helpful. Is it maybe possible to do so by > adding new attributes to the NSS_TRUST object instead of simply > putting it on a webpage? That way it

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Gervase Markham
On 18/10/16 09:03, Kurt Roeckx wrote: > You said the period was until February 29, 2016. I assume the next > period starts on March 1, 2016 and is for 1 year. I don't expect it to > from from March to November, it would be an 8 month period. Surely if audits last one year, one would be auditing

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Kurt Roeckx
On 2016-10-18 17:26, Gervase Markham wrote: On 18/10/16 07:17, Kurt Roeckx wrote: On 2016-10-18 14:51, Gervase Markham wrote: The audit report CNNIC has submitted covers the period from November 2, 2015 to February 29, 2016. Therefore, we would expect them to be starting the process of

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Han Yuwei
On Tuesday, October 18, 2016 at 10:38:07 PM UTC+8, Inigo Barreira wrote: > Hi all, > > > I've been reading some emails that need clarification from both sides. > > Firstly I'd like to remind, if I'm not wrong, that Kathleen proposed an > action plan for distrusting StartCom, which has been taken as the final >

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Gervase Markham
Hi Inigo, On 18/10/16 07:34, Inigo Barreira wrote: > So, regarding the situation of StartCom I think that some people has > lost what happened and it's considering Wosign and Startcom the same. Kathleen may also respond, but my understanding is that (based on her consideration of the arguments

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Gervase Markham
On 18/10/16 07:17, Kurt Roeckx wrote: > On 2016-10-18 14:51, Gervase Markham wrote: >> >> The audit report CNNIC has submitted covers the period from November 2, >> 2015 to February 29, 2016. Therefore, we would expect them to be >> starting the process of getting another yearly audit in about 2

Re: StartCom & Qihoo Incidents

2016-10-18 Thread Gervase Markham
On 18/10/16 06:00, Jakob Bohm wrote: > Non-https TLS is not (and should not be) a separate trust bit from > https, but sometimes the logic applicable to trust policies, BRs etc. > will be slightly different if one doesn't ignore non-https use of TLS. > I have encountered arguments and policies

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Inigo Barreira
Hi all, I've been reading some emails that need clarification from both sides. Firstly I'd like to remind, if I'm not wrong, that Kathleen proposed an action plan for distrusting StartCom, which has been taken as the final decision, but with a small option to regain the trust for StartCom

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Kurt Roeckx
On 2016-10-18 14:51, Gervase Markham wrote: The audit report CNNIC has submitted covers the period from November 2, 2015 to February 29, 2016. Therefore, we would expect them to be starting the process of getting another yearly audit in about 2 weeks anyway, although it won't be done until next

Re: StartCom & Qihoo Incidents

2016-10-18 Thread Mathias Tausig
Ryan, can you tell us something about Google's plans concerning WoSign and StartCom? cheers Mathias On Son, 2016-10-16 at 11:55 -0700, Ryan Sleevi wrote: > On Saturday, October 15, 2016 at 3:18:22 PM UTC-7, Eric Mill wrote: > > > > On Sat, Oct 15, 2016 at 4:31 AM, Peter Gutmann

Re: StartCom & Qihoo Incidents

2016-10-18 Thread Jakob Bohm
On 18/10/2016 14:35, Gervase Markham wrote: On 17/10/16 16:35, Jakob Bohm wrote: In the not so distant past, the Mozilla root program was much more useful due to different behavior: 1. Mozilla managed the root program based on an assumption that relying parties would use the common standard

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Gervase Markham
On 17/10/16 16:26, Kathleen Wilson wrote: > ones who use NSS validation. I’m not sure what we can do about other > consumers of the NSS root store, other than publish what we are doing > and hope those folks read the news and update their version of their > root store as they see appropriate for

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Gervase Markham
Hi Ryan, Kathleen has responded, but here are my two cents: On 14/10/16 13:21, Ryan Sleevi wrote: > It seems to accomplish this, you're willing to continue to trust that > WoSign will not demonstrate any of the past behaviours it already > demonstrated - such as backdating and misissuance, but

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Nick Lamb
On Tuesday, 18 October 2016 00:27:09 UTC+1, Kathleen Wilson wrote: > I’m not sure what I could reasonably require (and enforce) of the CA in > regards to communicating with their customers. As I understand it QiHoo 360 says they intend to co-operate in order to eventually get the new StartCom