Re: Policy 2.5 Proposal: Remove the bullet about "fraudulent use"

2017-05-02 Thread 袁剑波 via dev-security-policy
thanks Sent from NetEase Mail Master. On 2017-05-03 at 10:15, Jakob Bohm via dev-security-policy wrote: On 02/05/2017 12:46, Gervase Markham wrote: > On 02/05/17 01:55, Peter Kurrasch wrote: >> I was thinking that fraud takes many forms generally speaking and that >> the PKI space is no different. Given that Mozilla (and

Re: CA Validation quality is failing

2017-05-02 Thread Jakob Bohm via dev-security-policy
On 02/05/2017 17:30, Rob Stradling wrote: On 02/05/17 16:11, Alex Gaynor via dev-security-policy wrote: I know several CAs are using certlint (https://github.com/awslabs/certlint) as a pre-issuance check that the cert they're about to issue doesn't have any programmatically detectable

Re: Policy 2.5 Proposal: Fix definition of constraints for id-kp-emailProtection

2017-05-02 Thread Jakob Bohm via dev-security-policy
On 01/05/2017 10:55, Gervase Markham wrote: Does anyone have any thoughts about this issue, below? I sent out a message saying that I had adopted this change as proposed, but that was an error. It has not yet been adopted, because I am concerned about the below. The first option is simpler,

RE: [EXT] Re: Symantec: Draft Proposal

2017-05-02 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > wizard--- via dev-security-policy > Sent: Tuesday, May 02, 2017 7:10 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: [EXT]

RE: CA Validation quality is failing

2017-05-02 Thread Jeremy Rowley via dev-security-policy
Okay – we’ll add them all to CT over the next couple of days. From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Tuesday, May 2, 2017 9:08 AM To: Jeremy Rowley Cc: r...@sleevi.com; Gervase Markham ; mozilla-dev-security-pol...@lists.mozilla.org

RE: CA Validation quality is failing

2017-05-02 Thread Jeremy Rowley via dev-security-policy
Thanks! The revocation timeline changes are coming today/tomorrow morning. -Original Message- From: Gervase Markham [mailto:g...@mozilla.org] Sent: Tuesday, May 2, 2017 4:55 AM To: r...@sleevi.com; Jeremy Rowley ; mozilla-dev-security-pol...@lists.mozilla.org

Re: [EXT] Symantec: Draft Proposal

2017-05-02 Thread Gervase Markham via dev-security-policy
Hi Steve, On 02/05/17 18:39, Steve Medin wrote: > Gerv- Thank you for the thoughtful analysis. We are reviewing and intend to > respond to your latest proposal shortly. Please understand that this is not (yet) Mozilla's response to Symantec. If we were a closed root program, this would be an

RE: [EXT] Symantec: Draft Proposal

2017-05-02 Thread Steve Medin via dev-security-policy
Gerv- Thank you for the thoughtful analysis. We are reviewing and intend to respond to your latest proposal shortly. > -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > Gervase Markham via

Re: CA Validation quality is failing

2017-05-02 Thread Rob Stradling via dev-security-policy
On 02/05/17 16:11, Alex Gaynor via dev-security-policy wrote: I know several CAs are using certlint (https://github.com/awslabs/certlint) as a pre-issuance check that the cert they're about to issue doesn't have any programmatically detectable deficiencies; if it doesn't already cover some of

Re: CA Validation quality is failing

2017-05-02 Thread Alex Gaynor via dev-security-policy
I know several CAs are using certlint (https://github.com/awslabs/certlint) as a pre-issuance check that the cert they're about to issue doesn't have any programmatically detectable deficiencies; if it doesn't already cover some of these cases, it'd be great to add them as a technical means for

Re: CA Validation quality is failing

2017-05-02 Thread Ryan Sleevi via dev-security-policy
(Still wearing Google Hat in this context) I think sharing a list (in CT) of the certs is good and can help verify the assertions made here :) But overall, I think this sounds right and the risk is minimal to our users, so not revoking still sounds good :) On Mon, May 1, 2017 at 11:53 PM,

Cert pinning mismatch investigation

2017-05-02 Thread Gervase Markham via dev-security-policy
Group participants may be interested in David Keeler's analysis of why Firefox seemed to be seeing cert pinning mismatches for Mozilla properties: https://people-mozilla.org/~dkeeler/deployment-checker-analysis.html Gerv

Re: Symantec: Draft Proposal

2017-05-02 Thread Kurt Roeckx via dev-security-policy
On 2017-05-02 12:55, Gervase Markham wrote: On 01/05/17 18:33, Alex Gaynor wrote: One idea that occurred to me (maybe novel, though I doubt it), is requiring mandatory _timely_ CT submission for intermediates/cross signatures. That is, to be compliant an issuer's (SCT-timestamp -

Re: Symantec: Draft Proposal

2017-05-02 Thread wizard--- via dev-security-policy
This seems like a very reasonable stance for Mozilla to take: strongly encourage a new Symantec PKI so they start with a clean slate, otherwise staged distrust of all existing certificates with the requirement that Symantec produce a full document/diagram of how the components of their PKI are

Re: Symantec: Draft Proposal

2017-05-02 Thread Gervase Markham via dev-security-policy
On 01/05/17 18:33, Alex Gaynor wrote: > One idea that occurred to me (maybe novel, though I doubt it), is requiring > mandatory _timely_ CT submission for intermediates/cross signatures. That > is, to be compliant an issuer's (SCT-timestamp - cert-not-before) must be > less than some period,

Re: CA Validation quality is failing

2017-05-02 Thread Gervase Markham via dev-security-policy
On 02/05/17 00:01, Ryan Sleevi wrote: > Thank you for > 1) Disclosing the details to a sufficient level of detail immediately > 2) Providing regular updates and continued investigation > 3) Confirming the acceptability of the plan before implementing it, and > with sufficient detail to understand

Re: Symantec: Draft Proposal

2017-05-02 Thread Rob Stradling via dev-security-policy
On 01/05/17 18:33, Alex Gaynor via dev-security-policy wrote: Hi Gerv, One idea that occurred to me (maybe novel, though I doubt it), is requiring mandatory _timely_ CT submission for intermediates/cross signatures. That is, to be compliant an issuer's (SCT-timestamp - cert-not-before) must be

Re: Policy 2.5 Proposal: Incorporate Root Transfer Policy

2017-05-02 Thread Gervase Markham via dev-security-policy
On 02/05/17 03:10, Peter Kurrasch wrote: > Your updates look good! One small quibble: The bottom of the Physical > Relocation section mentions the code signing trust bit, but I think that > is irrelevant now? I see that on https://wiki.mozilla.org/CA:RootTransferPolicy , but that's the document

Re: Policy 2.5 Proposal: Remove the bullet about "fraudulent use"

2017-05-02 Thread Gervase Markham via dev-security-policy
On 02/05/17 01:55, Peter Kurrasch wrote: > I was thinking that fraud takes many forms generally speaking and that > the PKI space is no different. Given that Mozilla (and everyone else) > work very hard to preserve the integrity of the global PKI and that the > PKI itself is an important tool to

Re: Policy 2.5 Proposal: Indicate direction of travel with respect to permitted domain validation methods

2017-05-02 Thread Gervase Markham via dev-security-policy
On 01/05/17 18:53, Lee wrote: > You seem to be replacing a "meets or exceeds" requirement with a > "strictly meets" requirement. That is not particularly the intention. I think that the Baseline nature of the Baseline Requirements means that CAs know it's generally OK to go above and beyond what