RE: [EXT] Re: Questions for Symantec

2017-04-20 Thread Steve Medin via dev-security-policy
> -Original Message- > From: Gervase Markham [mailto:g...@mozilla.org] > Sent: Tuesday, April 11, 2017 6:42 AM > To: Steve Medin ; Rick Andrews > ; mozilla-dev-security- > pol...@lists.mozilla.org > Subject: [EXT] Re: Questions for

RE: [EXT] Re: Questions for Symantec

2017-04-20 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > Gervase Markham via dev-security-policy > Sent: Tuesday, April 04, 2017 9:06 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject:

RE: [EXT] Re: Questions for Symantec

2017-04-20 Thread Steve Medin via dev-security-policy
> -Original Message- > From: Gervase Markham [mailto:g...@mozilla.org] > Sent: Thursday, April 13, 2017 9:13 AM > To: Steve Medin ; Rick Andrews > ; mozilla-dev-security- > pol...@lists.mozilla.org > Subject: [EXT] Re: Questions for

RE: [EXT] Re: Questions for Symantec

2017-04-20 Thread Steve Medin via dev-security-policy
Gerv, In the interest of an easy to read set of responses to your questions and many submitted in response to our recent posts, we have prepared a PDF and attached it to the Bugzilla tracking this discussion. That PDF is available at https://bugzilla.mozilla.org/attachment.cgi?id=8860216. >

Re: Removing "Wildcard DV Certs" from Potentially Problematic Practices list

2017-04-20 Thread Matt Palmer via dev-security-policy
On Thu, Apr 20, 2017 at 02:02:59PM +0100, Gervase Markham via dev-security-policy wrote: > I propose this section be removed from the document. My name is Matt Palmer, and I endorse this proposal. - Matt ___ dev-security-policy mailing list

Re: Policy 2.5 Proposal: Remove the bullet about "fraudulent use"

2017-04-20 Thread Matt Palmer via dev-security-policy
On Thu, Apr 20, 2017 at 02:39:12PM +0100, Gervase Markham via dev-security-policy wrote: > So I propose removing it, and reformatting the section accordingly. Do t. Do t nw! (That's me strongly agreeing with the proposal, in case my faux-Ren accent is impenetrable) - Matt

Re: Policy 2.5 Proposal: Remove BR duplication: reasons for revocation

2017-04-20 Thread Jakob Bohm via dev-security-policy
On 21/04/2017 00:36, Ryan Sleevi wrote: On Thu, Apr 20, 2017 at 6:15 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: Technically, the part after the @ could also be a bang!path, though this is rare these days. No, technically, it could not. RFC 5280,

Re: Policy 2.5 Proposal: Remove BR duplication: reasons for revocation

2017-04-20 Thread Ryan Sleevi via dev-security-policy
On Thu, Apr 20, 2017 at 6:15 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > Technically, the part after the @ could also be a bang!path, though > this is rare these days. > No, technically, it could not. RFC 5280, Section 4.2.1.6. Subject Alternative

Re: Policy 2.5 Proposal: Remove BR duplication: reasons for revocation

2017-04-20 Thread Jakob Bohm via dev-security-policy
On 20/04/2017 21:15, Ryan Sleevi wrote: Gerv, I must admit, I'm not sure I understand what you consider irrelevant reasons for 4.9.1 in the context of e-mail addresses. The only one I can think of is "7. The CA is made aware that a Wildcard Certificate has been used to authenticate a

Re: Policy 2.5 Proposal: Remove BR duplication: reasons for revocation

2017-04-20 Thread Ryan Sleevi via dev-security-policy
Gerv, I must admit, I'm not sure I understand what you consider irrelevant reasons for 4.9.1 in the context of e-mail addresses. The only one I can think of is "7. The CA is made aware that a Wildcard Certificate has been used to authenticate a fraudulently misleading subordinate Fully-Qualified

Re: Policy 2.5 Proposal: Remove BR duplication: reasons for revocation

2017-04-20 Thread Gervase Markham via dev-security-policy
On 20/04/17 15:10, Jakob Bohm wrote: > Note that some reasons applicable to domain names would be equally > applicable to the domain name part of e-mail addresses. So can you read section 4.9.1 of the BRs and help me to define wording which excludes the irrelevant items while including all the

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2017-04-20 Thread Patrick Tronnier via dev-security-policy
On Thursday, April 20, 2017 at 9:30:31 AM UTC-4, wangs...@gmail.com wrote: > We have just published the updated CP/CPS documents, this version has been > revised according to the latest Baseline Requirements and has been reviewed > internally, meanwhile, the points our “Analysis on the

Re: Policy 2.5 Proposal: Remove the bullet about "fraudulent use"

2017-04-20 Thread Ryan Sleevi via dev-security-policy
+1 to what sounds like a perfectly reasonable position ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy

Policy 2.5 Proposal: Remove the bullet about "fraudulent use"

2017-04-20 Thread Gervase Markham via dev-security-policy
Section 7.1 of the policy says that we reserve the right not to include certificates from a CA which has: "knowingly issue certificates that appear to be intended for fraudulent use." There are a few problems with this. * It's only in the inclusion section. * It's really subjective - how could

Re: Policy 2.5 Proposal: Fix definition of constraints for id-kp-emailProtection

2017-04-20 Thread Gervase Markham via dev-security-policy
On 12/04/17 10:47, Gervase Markham wrote: > We don't have any "Email BRs" to refer to, but I think we want something > like this: > > "If the certificate includes the id-kp-emailProtection extended key > usage, it MUST include the Name Constraints X.509v3 extension with > constraints on

Policy 2.5 Proposal: Merge Mozilla CCADB policy into main Root Store policy

2017-04-20 Thread Gervase Markham via dev-security-policy
We currently have 3 policy documents - the main policy, the CCADB policy, and a "Mozilla CCADB policy", which contains some CCADB stuff which isn't in the CCADB policy because it's not been agreed by all CCADB participants. We should consider whether we can just put that stuff into the CCADB

Re: Policy 2.5 Proposal: Fix definition of constraints for id-kp-emailProtection

2017-04-20 Thread Gervase Markham via dev-security-policy
On 12/04/17 10:47, Gervase Markham wrote: > "If the certificate includes the id-kp-emailProtection extended key > usage, it MUST include the Name Constraints X.509v3 extension with > constraints on rfc822Name, with at least one name in permittedSubtrees." As worded, this would allow for a set

Re: Removing "Wildcard DV Certs" from Potentially Problematic Practices list

2017-04-20 Thread Alex Gaynor via dev-security-policy
+1 on removal, that paragraph doesn't square with current ideas about what's problematic in the WebPKI; as you've noted wildcards and DV are really orthogonal concerns. Alex On Thu, Apr 20, 2017 at 9:02 AM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:

Re: Policy 2.5 Proposal: Expand requirements about what an Audit Statement must include

2017-04-20 Thread Gervase Markham via dev-security-policy
On 12/04/17 10:47, Gervase Markham wrote: > The proposal is to add the following bullets to section 3.1.3 ("Public > Audit Information"), perhaps reordering the list as appropriate: Adopted as proposed, with the exception (for simplicity) of removing the option of providing a "SHA1" fingerprint.

Removing "Wildcard DV Certs" from Potentially Problematic Practices list

2017-04-20 Thread Gervase Markham via dev-security-policy
There is an entry on Mozilla's Potentially Problematic CA Practices list for Wildcard DV certs: https://wiki.mozilla.org/CA:Problematic_Practices#Wildcard_DV_SSL_Certificates This text was added by Frank Hecker when this page was very new back in 2008, and has been basically unchanged since then:

Re: CA Validation quality is failing

2017-04-20 Thread Ryan Sleevi via dev-security-policy
On Thu, Apr 20, 2017 at 6:42 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > One thing: > > Could this be a result of the common (among CAs) bug of requiring entry > of a US/Canada State/Province regardless of country, forcing applicants > to fill in

Re: CA Validation quality is failing

2017-04-20 Thread Jakob Bohm via dev-security-policy
One thing: Could this be a result of the common (among CAs) bug of requiring entry of a US/Canada State/Province regardless of country, forcing applicants to fill in random data in that field? On 20/04/2017 03:48, Jeremy Rowley wrote: FYI - still looking into this. I should have a report

Re: Email sub-CAs

2017-04-20 Thread Gervase Markham via dev-security-policy
On 15/04/17 17:05, Peter Bowen wrote: > Should the Mozilla policy change to require disclosure of all CA > certificates issued by an unconstrained CA (but not necessarily > require audits, CP/CPS, etc)? This would help identify unintentional > gaps in policy.

Re: CA Validation quality is failing

2017-04-20 Thread Peter Gutmann via dev-security-policy
Ryan Sleevi writes: >For an EV cert, you look in  >https://cabforum.org/wp-content/uploads/EV-V1_6_1.pdf It was meant as a rhetorical question, the OP asked whether doing XYZ in an EV certificate was allowed and I was pointing out that the CAB Forum guidelines should