Re: Remediation Plan for WoSign and StartCom

2016-10-19 Thread Kathleen Wilson
On Wednesday, October 19, 2016 at 3:13:50 PM UTC-7, okaphone.e...@gmail.com wrote:
> Perhaps "haste" is not what you want here. How about "urgency"?

Yep. Changed in the wiki page. Thanks, Kathleen
___ dev-security-policy mailing list

Re: Remediation Plan for WoSign and StartCom

2016-10-19 Thread okaphone . elektronika
Perhaps "haste" is not what you want here. How about "urgency"? CU Hans

Re: Remediation Plan for WoSign and StartCom

2016-10-19 Thread Kathleen Wilson
On Wednesday, October 19, 2016 at 11:50:55 AM UTC-7, Gervase Markham wrote:
> Today at the CAB Forum I outlined some of Mozilla's thinking on how we rate the severity of incidents. It might be helpful to reproduce that here. This is what I said:

Thanks, Gerv! I added that text to the

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-10-19 Thread Andrew R. Whalley
Hello, Thank you for the links. I note, however, that there's at least one difference between the native language version and the English translation: http://www.gdca.com.cn/cps/cps version 4.3 has a section 4.2.4 covering CAA. https://bug1128392.bmoattachments.org/attachment.cgi?id=8795091

Re: Remediation Plan for WoSign and StartCom

2016-10-19 Thread Gervase Markham
On 19/10/16 11:35, longol...@gmail.com wrote:
> Hey Kathleen, hey list,
>
> I really don't get why Mozilla is pushing so hard on the Chinese and at the same time let others get away. For example the Comodo case from today. Isn't that a much worse incident than what has happened here.

Re: Remediation Plan for WoSign and StartCom

2016-10-19 Thread Ryan Hurst
On Wednesday, October 19, 2016 at 12:58:49 AM UTC-7, Kurt Roeckx wrote:
> I at least have some concerns about the current gossip draft and talked a little to dkg about this. I should probably bring this up on the trans list.

Please do, we would like to see this brought to closure soon

Incident Report - OCR

2016-10-19 Thread Robin Alden
SUMMARY: Comodo was informed by security researchers Florian Heinz and Martin Kluge that on 23rd September 2016 they had been able to obtain a server authentication certificate [1] from Comodo for a domain which they did not own or control. The researchers shared their discovery with Comodo and

Re: Remediation Plan for WoSign and StartCom

2016-10-19 Thread Tom Ritter
On 19 October 2016 at 02:58, Kurt Roeckx wrote:
> On 2016-10-19 01:37, Rob Stradling wrote:
>> On 18/10/16 23:49, Gervase Markham wrote:
>>> On 18/10/16 15:42, Ryan Hurst wrote:
>>>> I do not understand the desire to require StartCom / WoSign to not utilize their

Re: StartCom & Qihoo Incidents

2016-10-19 Thread Michael Ströder
Peter Gutmann wrote:
> Ryan Sleevi writes:
>> What is the goal of the root program? Should there be a higher bar for removing CAs than adding them? Does trust increase or decrease over time?
>
> Another thing I'd like to bring up is the absolute silence of the CAB forum

Re: Remediation Plan for WoSign and StartCom

2016-10-19 Thread Kurt Roeckx
On 2016-10-19 01:37, Rob Stradling wrote:
> On 18/10/16 23:49, Gervase Markham wrote:
>> On 18/10/16 15:42, Ryan Hurst wrote:
>>> I do not understand the desire to require StartCom / WoSign to not utilize their own logs as part of the associated quorum policy. My original logic was that it could be

Re: Remediation Plan for WoSign and StartCom

2016-10-19 Thread Ryan Hurst
It is true that without gossip, CT is dependent on browsers monitoring the log ecosystem; this is one reason why in the Chrome policy the one Google log is required. I would argue, with the monitoring Google does and the one Google log policy, that this risk is mitigated sufficiently, even