Re: Policy 2.4 Proposal: Require full CP/CPS in English

In general, I'm in strong agreement with this change, for all the reasons described. One nit to pick with the proposed draft text: On Tue, Jan 24, 2017 at 03:02:45PM +, Gervase Markham wrote: > So the draft text might be something like: > > "CAs must provide English versions of all

Re: Question about Baseline Requirements section #7.1.4.2

On Mon, Jan 23, 2017 at 04:01:58PM -0800, Peter Bowen wrote: > On Mon, Jan 23, 2017 at 3:32 PM, Kathleen Wilson wrote: > > Does section 7.1.4.2 of the CA/Browser Forum's Baseline Requirements only > > apply to end-entity certificates? > > > > If yes, where does it specify

RE: Appropriate role for lists of algorithms and key sizes

Why not just make the changes at the CAB Forum? That's the purpose of the CAB Forum afterall - to discuss these policies. Seems like it would be better to add restrictions there first before creating a separate policy. -Original Message- From: dev-security-policy

RE: I found some SHA-1 certificates issued by Symantec

I disagree. If the CA has requested removal of the root and added it to OneCRL, then I don't see how there is an obligation to continue operating the root under the Mozilla policy. If the browser doesn't update the root store/revocation list to remove the root, then the browser is accepting the

Re: Misissued/Suspicious Symantec Certificates

Hi Hanno, On Tue, 24 Jan 2017 10:38:01 +0100 Hanno B__ck wrote: > Hello, > > I have a few observations to share about this incident, not sure how > relevant they are. Thanks for sharing these. I found them interesting. > There are 4 "example.com" certificates related to

Re: Appropriate role for lists of algorithms and key sizes

On 24/01/17 16:26, Richard Barnes wrote: My gut reaction is 0+1, maybe 2. - The CAB Forum should specify the overall envelope of what is acceptable in the Web PKI - Firefox will enforce restrictions that are mores strict than the BRs requirements The BRs say that SHA-1 has been unacceptable

Re: I found some SHA-1 certificates issued by Symantec

On 24/01/17 16:19, Rob Stradling wrote: On 24/01/17 16:11, Richard Barnes wrote: If the root was removed in Firefox 51, and they were issuing SHA-1 off of it before 51 shipped, then they were issuing SHA-1 certificates under a root trusted by Firefox. You can use SHA-1 under a pulled root,

Re: I found some SHA-1 certificates issued by Symantec

On 24/01/17 16:08, Peter Bowen wrote: >> Indeed, if they issued these before yesterday, this seems like a problem. > > I'm a little surprised to read this. This SHA-1 "private" hierarchy > is not new news and has been discussed in various forums over the year > or 18 months. At least one other

Re: I found some SHA-1 certificates issued by Symantec

On 24/01/17 16:11, Richard Barnes wrote: If the root was removed in Firefox 51, and they were issuing SHA-1 off of it before 51 shipped, then they were issuing SHA-1 certificates under a root trusted by Firefox. You can use SHA-1 under a pulled root, but it has to actually be pulled first. I

Re: I found some SHA-1 certificates issued by Symantec

On Tue, Jan 24, 2017 at 11:08 AM, Peter Bowen wrote: > On Tue, Jan 24, 2017 at 8:00 AM, Richard Barnes > wrote: > > On Tue, Jan 24, 2017 at 10:48 AM, Gervase Markham > wrote: > >> > >> This helpful spreadsheet shows that they were

Re: Question about Baseline Requirements section #7.1.4.2

On Tue, Jan 24, 2017 at 8:05 AM, Gervase Markham wrote: > On 24/01/17 15:48, Peter Bowen wrote: >> I think it would be completely reasonable for Mozilla to require a >> commonName in an update to the policy. I thought it was there, but a >> CA pushed back on a cablint error

Re: I found some SHA-1 certificates issued by Symantec

On Tue, Jan 24, 2017 at 8:00 AM, Richard Barnes wrote: > On Tue, Jan 24, 2017 at 10:48 AM, Gervase Markham wrote: >> >> This helpful spreadsheet shows that they were removed in Firefox 47 and >> 51 respectively: >>

Re: Question about Baseline Requirements section #7.1.4.2

On 24/01/17 15:48, Peter Bowen wrote: > I think it would be completely reasonable for Mozilla to require a > commonName in an update to the policy. I thought it was there, but a > CA pushed back on a cablint error about not having one a while ago and > I wasn't able to find any proof it was

Re: I found some SHA-1 certificates issued by Symantec

On 24/01/17 16:00, Richard Barnes wrote: > Except of course the non-zero slice of users that haven't updated yet. True, although I think it's unreasonable to give CAs a dependency on the quality of our automatic update infrastructure. We can have a discussion about whether "checked into master"

Re: I found some SHA-1 certificates issued by Symantec

On Tue, Jan 24, 2017 at 10:48 AM, Gervase Markham wrote: > On 24/01/17 14:11, w...@gmail.com wrote: > > I was searching on crt.sh and I found something confusing by accident. > > View this page : https://crt.sh/?Identity=%25=7198 > > I can see many SHA-1 certificates issued

Re: I found some SHA-1 certificates issued by Symantec

On 24/01/17 15:48, Gervase Markham wrote: Rob: is the "Trusted by Mozilla" stuff based on the root store on Mozilla's master branch? Hi Gerv. Yes, I aim to keep crt.sh's view of "Trusted by Mozilla" in sync with mozilla-central [1]. [1] was last updated a few days ago, and I pushed the

Re: I found some SHA-1 certificates issued by Symantec

On 24/01/17 14:11, w...@gmail.com wrote: > I was searching on crt.sh and I found something confusing by accident. > View this page : https://crt.sh/?Identity=%25=7198 > I can see many SHA-1 certificates issued in 2016 and one is issued in 2017. Your list is a list of certificates issued by

Re: Question about Baseline Requirements section #7.1.4.2

On Tue, Jan 24, 2017 at 12:28 AM, Inigo Barreira wrote: > Yes, I´m also agree. This was also taken into account when writting the ETSI > standards, and for the CA certs, the minumun is what Peter has indicated > plus the common name. We indicate that "... shall contain at

I found some SHA-1 certificates issued by Symantec

I was searching on crt.sh and I found something confusing by accident. View this page : https://crt.sh/?Identity=%25=7198 I can see many SHA-1 certificates issued in 2016 and one is issued in 2017. I think it was banned before so someone could tell me why they can issue these SHA-1 certificates?

Re: I found some SHA-1 certificates issued by Symantec

On 24/01/17 14:11, w...@gmail.com wrote: I was searching on crt.sh and I found something confusing by accident. View this page : https://crt.sh/?Identity=%25=7198 I can see many SHA-1 certificates issued in 2016 and one is issued in 2017. I think it was banned before so someone could tell me

Appropriate role for lists of algorithms and key sizes

A discussion inspired by https://github.com/mozilla/pkipolicy/issues/5 Should Mozilla's root store policy contain any list of approved and/or disapproved algorithms/key sizes, or not? Possible positions include at least: 0) No; what algorithms and/or key sizes are supported by Firefox and/or NSS

Policy 2.4 Proposal: Require full CP/CPS in English

The proposal is to require that all CP and CPS documents be provided in English, in addition to whatever original language they were written in. The reason for this is that the working language of the Mozilla root program is English, and Mozilla's root program staff cannot be expected to read the

Policy 2.4 Proposal: Codify requirements relating to Common CA Database into the policy

Mozilla has started using the Common CA Database to track root certificates in its root program, and the intermediate certificates which chain up to those roots. This has led to substantial changes to the practical processes that CAs must follow. In addition, it is hoped and anticipated that other

Re: Certificate validation phishing

On 24/01/17 09:08, Nick Lamb wrote: > That's absolutely key to understanding why this trick works. Such an > understanding is completely absent from the patent, because the > patent isn't describing what the Baseline Requirements call a Request > Token but only a Random Value which it calls the

Re: Incident Report – Certificates issued without proper domain validation

On Thursday, January 19, 2017 at 6:05:22 PM UTC-8, Jakob Bohm wrote: > On 20/01/2017 00:35, Nick Lamb wrote: > > On Thursday, 19 January 2017 20:20:24 UTC, Jakob Bohm wrote: > >> Google's CT initiative in its current form has serious privacy problems > >> for genuine certificate holders. I

Re: Misissued/Suspicious Symantec Certificates

Hello, I have a few observations to share about this incident, not sure how relevant they are. There are 4 "example.com" certificates related to this incident. There are 114 "O=test" certificates that I assume are related to this incident. This includes all certificates with a "Not Before" date

Re: Certificate validation phishing

On Tuesday, 24 January 2017 04:40:12 UTC, Jeremy Rowley wrote: > And why wouldn't a request token fit the patent's interpretation of a "Pass > String"? The only definition I saw in the patent was something generated by > the validating entity and forwarded to the requester. The digest of the key

RE: Question about Baseline Requirements section #7.1.4.2

Yes, I´m also agree. This was also taken into account when writting the ETSI standards, and for the CA certs, the minumun is what Peter has indicated plus the common name. We indicate that "... shall contain at least the following attributes ": countryName, organizationName and commonName