RE: CA Validation quality is failing

2017-04-19 Thread Jeremy Rowley via dev-security-policy
FYI - still looking into this. I should have a report tomorrow. -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert@lists.mozilla.org] On Behalf Of Jeremy Rowley via dev-security-policy Sent: Wednesday, April 19, 2017 2:27 PM To:

Re: CA Validation quality is failing

2017-04-19 Thread Kurt Roeckx via dev-security-policy
On Wed, Apr 19, 2017 at 09:00:22PM -0400, Ryan Sleevi wrote: > On Wed, Apr 19, 2017 at 7:53 PM, Kurt Roeckx via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > > (It was a code sign certificate, but I expect if it's labeled EV > > that the same things apply.) > > > >

Re: CA Validation quality is failing

2017-04-19 Thread Kurt Roeckx via dev-security-policy
On Wed, Apr 19, 2017 at 11:58:28PM +, Jeremy Rowley wrote: > That was changed in ballot 127. Which is adopted in July 2014. This was somewhere in 2016. As I understood it, they didn't ask for the HR department, just someone else. That might of course be a misunderstanding of what was asked,

Re: CA Validation quality is failing

2017-04-19 Thread Ryan Sleevi via dev-security-policy
On Wed, Apr 19, 2017 at 7:53 PM, Kurt Roeckx via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > (It was a code sign certificate, but I expect if it's labeled EV > that the same things apply.) > Not necessarily. A separate set of guidelines cover those -

RE: CA Validation quality is failing

2017-04-19 Thread Jeremy Rowley via dev-security-policy
That was changed in ballot 127. -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla .org] On Behalf Of Kurt Roeckx via dev-security-policy Sent: Wednesday, April 19, 2017 5:54 PM To: Peter Gutmann

Re: CA Validation quality is failing

2017-04-19 Thread Kurt Roeckx via dev-security-policy
On Wed, Apr 19, 2017 at 10:41:33PM +, Peter Gutmann via dev-security-policy wrote: > Kurt Roeckx via dev-security-policy > writes: > > >Both the localityName and stateOrProvinceName are Almere, while the province > >is Flevoland. > > How much

Re: Symantec Response L

2017-04-19 Thread Peter Bachman via dev-security-policy
I probably need some additional information to see if my partners can effectively share PHI at LOA 3 and I don't want to burden the list on whether the healthcare use cases defined by the Federal Health Architecture are covered by ACES 2017 Jan policy. It's very important that the community

Re: CA Validation quality is failing

2017-04-19 Thread Vincent Lynch via dev-security-policy
Hi Peter, EV requirements are actually dictated by a separate set of guidelines: https://cabforum.org/extended-validation/ They do go into detail about how to verify applicant information. It covers how you verify the company is legally established, where its physically operating, etc. As you

Re: CA Validation quality is failing

2017-04-19 Thread Ryan Sleevi via dev-security-policy
On Wed, Apr 19, 2017 at 6:41 PM, Peter Gutmann via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Kurt Roeckx via dev-security-policy > writes: > > >Both the localityName and stateOrProvinceName are Almere, while the > province > >is

Re: CA Validation quality is failing

2017-04-19 Thread Peter Gutmann via dev-security-policy
Kurt Roeckx via dev-security-policy writes: >Both the localityName and stateOrProvinceName are Almere, while the province >is Flevoland. How much checking is a CA expected to do here? I know that OV and DV certs are just "someone at this site responded

Re: CA Validation quality is failing

2017-04-19 Thread Mike vd Ent via dev-security-policy
I hope you could investigate it even further as this might be just the beginning. I just did a random quick lookup so far. And I guess there are over a thousand or more Digicert certificates issued for Dutch websites and companies. Does this mean the validation process is lacking proper

RE: CA Validation quality is failing

2017-04-19 Thread Jeremy Rowley via dev-security-policy
I’m looking into it right now. I’ll report back shortly. Jeremy From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Wednesday, April 19, 2017 2:25 PM To: Mike vd Ent Cc: mozilla-dev-security-policy ; Jeremy Rowley

Re: CA Validation quality is failing

2017-04-19 Thread Ryan Sleevi via dev-security-policy
On Wed, Apr 19, 2017 at 3:47 PM, Mike vd Ent via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Ryan, > > My answers on the particular issues are stated inline. > But the thing I want to address is how could (in this case Digicert) > validate such data and issue certificates? I am investigating more of them and afraid even linked company names or registration numbers could be false. Shouldn't

Re: CA Validation quality is failing

2017-04-19 Thread Mike vd Ent via dev-security-policy
Ryan, My answers on the particular issues are stated inline. But the thing I want to address is how could (in this case Digicert) validate such data and issue certificates? I am investigating more of them and afraid even linked company names or registration numbers could be false. Shouldn't

Re: CA Validation quality is failing

2017-04-19 Thread Kurt Roeckx via dev-security-policy
On Wed, Apr 19, 2017 at 12:28:16PM -0700, Ryan Sleevi via dev-security-policy wrote: > > https://portal.mobilitymixx.nl > > I'm not sure I understand enough to know what the issues are here. Could you > explain? Both the localityName and stateOrProvinceName are Almere, while the province is

CA Validation quality is failing

2017-04-19 Thread Mike Pasarella via dev-security-policy
I found out that often the OV or EV validation of CAs is lacking, and concerning the baseline requirements, data submitted for a TLS certificate should be valid and thus validated. So when a country is Amsterdam, that should fail, or a city Utrecht is placed in the province Zuid-Holland, that
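The consistency rule the original post describes (a countryName must be a country code, a stateOrProvinceName must be a real province, a localityName must actually lie in that province) can be turned into a subject-field lint. The example below is added here and is not code from any poster, from DigiCert or from any CA; it parses an RFC 4514 subject string with stdlib only (single-character backslash escapes such as `\,` are handled, hex-pair escapes and multi-valued RDNs are not) and checks the C/ST/L triple against a constructed, deliberately incomplete table of Dutch provinces and municipalities. The `portal.mobilitymixx.nl` subject is reconstructed from Kurt Roeckx's description (L and ST both "Almere"); its other fields are not known from the page and are omitted.

```python
"""Subject-field consistency lint for OV/EV certificate subjects.

Added example (not from the thread or any CA). Checks only C, ST and L;
the province table is a constructed sample covering a few NL provinces.
"""
import re

# Constructed sample of ISO 3166-2:NL provinces and a few municipalities each.
# Incomplete on purpose: an unknown locality is never reported as an error.
NL_PROVINCES = {
    "Flevoland": {"Almere", "Lelystad", "Dronten"},
    "Noord-Holland": {"Amsterdam", "Haarlem", "Alkmaar"},
    "Zuid-Holland": {"Rotterdam", "Den Haag", "Leiden"},
    "Utrecht": {"Utrecht", "Amersfoort"},
}


def parse_dn(dn):
    """Parse an RFC 4514 DN string into (ATTR, value) pairs.

    A backslash keeps the next character literal, so 'O=Foo\\, Inc.' stays one
    value. Hex-pair escapes ('\\2C') and '+'-joined multi-valued RDNs are not
    supported by this example.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # escaped character: copy verbatim
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                        # unescaped comma ends the RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def _province_of(municipality):
    """Return the province a municipality belongs to, or None if unknown."""
    for province, cities in NL_PROVINCES.items():
        if municipality in cities:
            return province
    return None


def lint_subject(dn):
    """Return human-readable findings; an empty list means C/ST/L are
    consistent as far as the (incomplete) table can tell."""
    attrs = dict(parse_dn(dn))          # last occurrence of an attribute wins
    country = attrs.get("C", "")
    state = attrs.get("ST", "")
    loc = attrs.get("L", "")
    findings = []

    # 'C=Amsterdam' is the case from the post: not a country code at all.
    if not re.fullmatch(r"[A-Z]{2}", country):
        findings.append(
            f"countryName {country!r} is not an ISO 3166-1 alpha-2 code")
        return findings                 # cannot place ST/L without a country
    if country != "NL":
        return findings                 # the constructed table only covers NL

    # 'ST=Almere': a municipality where a province is expected.
    if state and state not in NL_PROVINCES:
        msg = f"stateOrProvinceName {state!r} is not a Dutch province"
        home = _province_of(state)
        if home:
            msg += f" (it is a municipality in {home})"
        findings.append(msg)

    # 'L=Utrecht, ST=Zuid-Holland': a known locality in the wrong province.
    # 'L=Utrecht, ST=Utrecht' is legitimate and must not be flagged.
    if loc and state in NL_PROVINCES:
        home = _province_of(loc)
        if home and home != state:
            findings.append(
                f"localityName {loc!r} lies in {home}, "
                f"not in stateOrProvinceName {state!r}")
    return findings


if __name__ == "__main__":
    for subject in (
        "CN=portal.mobilitymixx.nl, L=Almere, ST=Almere, C=NL",
        "CN=example.nl, L=Utrecht, ST=Zuid-Holland, C=NL",
        "CN=example.nl, L=Amsterdam, ST=Noord-Holland, C=Amsterdam",
        r"CN=example.nl, O=Foo\, Inc., L=Utrecht, ST=Utrecht, C=NL",
    ):
        print(subject, "->", lint_subject(subject) or "ok")
```

A real deployment would replace the sample table with an authoritative gazetteer and feed the lint from certificates pulled out of CT logs; the point of the example is that the checks the post asks for are mechanical, and that the identical-L-and-ST case needs the province table to separate "Utrecht, Utrecht" (fine) from "Almere, Almere" (wrong).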

Re: Symantec Response L

2017-04-19 Thread Myers, Kenneth (10421) via dev-security-policy
IdenTrust operates an issuing CA for the US Federal Government - General Services Administration - Access Certificates for Electronic Services Program (ACES). It is a government sponsored PKI program separate from the Non-Federal issuer programs under the Federal Bridge. ACES certificates are

Re: Email sub-CAs

2017-04-19 Thread Rob Stradling via dev-security-policy
On 15/04/17 17:05, Peter Bowen via dev-security-policy wrote: On Thu, Apr 13, 2017 at 9:33 AM, douglas.beattie--- via dev-security-policy wrote: On Thursday, April 13, 2017 at 10:49:17 AM UTC-4, Gervase Markham wrote: On 13/04/17 14:23, Doug Beattie