Re: CA Problem Reporting Mechanisms

2017-08-07 Thread Jonathan Rudenberg via dev-security-policy
> On May 17, 2017, at 07:24, Gervase Markham via dev-security-policy > wrote: > > On 16/05/17 02:26, userwithuid wrote: >> After skimming the responses and checking a few CAs, I'm starting to >> wonder: Wouldn't it be easier to just add another mandatory

RE: StartCom cross-signs disclosed by Certinomis

2017-08-07 Thread Richard Wang via dev-security-policy
Adding Richard Wang back as StartCom UK director is for completing the separation; this is a temporary addition as director for signing the bank document to change the bank signer from Richard Wang to the new CEO Inigo. It will be removed soon once the bank signer change is done. Mr. Jon Luk

Re: Certificates with invalidly long serial numbers

2017-08-07 Thread Peter Gutmann via dev-security-policy
Ryan Sleevi via dev-security-policy writes: >>Pragmatically, does anything known break on the extra byte there? > >Yes. NSS does. Because NSS properly implements 5280. I would say that's probably more a flaw in NSS then. Does anyone's implementation

Re: Certificates with invalidly long serial numbers

2017-08-07 Thread Peter Gutmann via dev-security-policy
Matthew Hardeman via dev-security-policy writes: >One question: the choice of 20 bytes of serial number is an unusual length >for an integer type. It's not a nice clean power of 2. It doesn't align to >any native integer data type length on any platform

Re: StartCom cross-signs disclosed by Certinomis

2017-08-07 Thread Percy via dev-security-policy
On Monday, August 7, 2017 at 2:36:10 PM UTC-7, Itzhak Daniel wrote: > On Monday, August 7, 2017 at 11:03:27 PM UTC+3, Jakob Bohm wrote: > > 7. At Quihoo: Actually get rid of Richard Wang, not just change his > >title from CEO to COO. > > I didn't map the new hierarchy of the "Spanish"

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-07 Thread Ryan Sleevi via dev-security-policy
On Tuesday, August 8, 2017 at 6:31:34 AM UTC+9, Jakob Bohm wrote: > On 07/08/2017 23:05, Vincent Lynch wrote: > > Jakob, > > > > I don't see what is wrong with Jonathan reporting these issues. The authors > > and ratifiers of the BRs made the choice to specify these small details. > > While a

Re: Certificates with invalidly long serial numbers

2017-08-07 Thread Ryan Sleevi via dev-security-policy
On Tuesday, August 8, 2017 at 12:51:40 AM UTC+9, Matthew Hardeman wrote: > It is what it is, I'm sure, but that definition in RFC5280 is rather tortured > and leads to ambiguity as to whether or not the leading 0x00 is. In fact, I > would say that it is not part of the integer value but rather

Re: Certificates with invalidly long serial numbers

2017-08-07 Thread Ryan Sleevi via dev-security-policy
On Tuesday, August 8, 2017 at 5:27:13 AM UTC+9, Jakob Bohm wrote: > On 07/08/2017 22:12, Alex Gaynor wrote: > > You seem to be suggesting that the thoroughness of testing is somehow > > related to how long it takes. > > > > I'd expect any serious (or even not particularly serious...) to have a >

Re: Certificates with invalidly long serial numbers

2017-08-07 Thread Matthew Hardeman via dev-security-policy
On Monday, August 7, 2017 at 5:20:13 PM UTC-5, Ryan Sleevi wrote: > This is entirely unnecessary and would present serious stability issues due > to backwards compatibility. > > It may not be appropriate for this thread - discussing specific misissuances > - but there is zero benefit from

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-07 Thread Matthew Hardeman via dev-security-policy
> Do we really want the CA community to be filled with bureaucratic > enforcement of harsh punishments for every slight misstep? This is the > important question that any organization (in this case this community) > needs to ask itself whenever new surveillance abilities make it possible > to

Re: Certificates with invalidly long serial numbers

2017-08-07 Thread Ryan Sleevi via dev-security-policy
On Tuesday, August 8, 2017 at 5:18:21 AM UTC+9, Jakob Bohm wrote: > On 07/08/2017 16:54, Peter Bowen wrote: > > On Mon, Aug 7, 2017 at 12:53 AM, Franck Leroy via dev-security-policy > > wrote: > >> Hello > >> > >> I checked only one but I think they are all

Re: StartCom cross-signs disclosed by Certinomis

2017-08-07 Thread Itzhak Daniel via dev-security-policy
On Monday, August 7, 2017 at 11:03:27 PM UTC+3, Jakob Bohm wrote: > 7. At Quihoo: Actually get rid of Richard Wang, not just change his >title from CEO to COO. I didn't map the new hierarchy of the "Spanish" StartCom CA ("StartCom CA Spain Sociedad Limitada"), having trouble registering to

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-07 Thread Jakob Bohm via dev-security-policy
On 07/08/2017 23:05, Vincent Lynch wrote: Jakob, I don't see what is wrong with Jonathan reporting these issues. The authors and ratifiers of the BRs made the choice to specify these small details. While a minor encoding error is certainly not as alarming as say, issuing an md5 signed

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-07 Thread Jonathan Rudenberg via dev-security-policy
> On Aug 7, 2017, at 16:57, Jakob Bohm via dev-security-policy > wrote: > > On 07/08/2017 22:47, Jonathan Rudenberg wrote: >> “IdenTrust ACES CA 2” has issued five certificates with an OCSP responder >> URL that has a HTTPS URI scheme. This is not valid,

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-07 Thread Vincent Lynch via dev-security-policy
Jakob, I don't see what is wrong with Jonathan reporting these issues. The authors and ratifiers of the BRs made the choice to specify these small details. While a minor encoding error is certainly not as alarming as say, issuing an md5 signed certificate, it is still an error and is worth

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-07 Thread Jakob Bohm via dev-security-policy
On 07/08/2017 22:47, Jonathan Rudenberg wrote: “IdenTrust ACES CA 2” has issued five certificates with an OCSP responder URL that has a HTTPS URI scheme. This is not valid, the OCSP responder URI is required to have the plaintext HTTP scheme according to Baseline Requirements section

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-07 Thread Jonathan Rudenberg via dev-security-policy
> On Aug 7, 2017, at 16:47, Jonathan Rudenberg via dev-security-policy > wrote: > > “IdenTrust ACES CA 2” has issued five certificates with an OCSP responder URL > that has a HTTPS URI scheme. This is not valid, the OCSP responder URI is > required to

Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-07 Thread Jonathan Rudenberg via dev-security-policy
“IdenTrust ACES CA 2” has issued five certificates with an OCSP responder URL that has a HTTPS URI scheme. This is not valid, the OCSP responder URI is required to have the plaintext HTTP scheme according to Baseline Requirements section 7.1.2.2(c). Here’s the list of certificates:

Re: Certificates with invalidly long serial numbers

2017-08-07 Thread Jakob Bohm via dev-security-policy
On 07/08/2017 22:12, Alex Gaynor wrote: You seem to be suggesting that the thoroughness of testing is somehow related to how long it takes. I'd expect any serious (or even not particularly serious...) to have a comprehensive automated test suite that can verify that the software is regression

Re: Certificates with invalidly long serial numbers

2017-08-07 Thread Jakob Bohm via dev-security-policy
On 07/08/2017 16:54, Peter Bowen wrote: On Mon, Aug 7, 2017 at 12:53 AM, Franck Leroy via dev-security-policy wrote: Hello I checked only one but I think they are all the same. The integer value of the serial number is 20 octets, but when encoded into

Re: Certificates with invalidly long serial numbers

2017-08-07 Thread Alex Gaynor via dev-security-policy
You seem to be suggesting that the thoroughness of testing is somehow related to how long it takes. I'd expect any serious (or even not particularly serious...) to have a comprehensive automated test suite that can verify that the software is regression free and correct in minutes or hours. If

Re: Certificates with invalidly long serial numbers

2017-08-07 Thread Jakob Bohm via dev-security-policy
On 07/08/2017 18:07, Hanno Böck wrote: On Mon, 7 Aug 2017 15:59:07 + Ben Wilson via dev-security-policy wrote: FWIW - In the case of Telecom Italia, they have a commercial CA product has a bug in it that occasionally causes this issue. They may need

Re: StartCom cross-signs disclosed by Certinomis

2017-08-07 Thread Jakob Bohm via dev-security-policy
On 07/08/2017 11:21, Franck Leroy wrote: Hello I see many reactions that are not in line with the reality because you don’t have all the history on the subject. I’ll try to summarize. Approximately one year ago Inigo was CTO of Izenpe (CA of the Basque Country) and he left this company in

Re: StartCom cross-signs disclosed by Certinomis

2017-08-07 Thread Matthew Hardeman via dev-security-policy
To play the devil's advocate... If everything is as Mr. Leroy of Certinomis points out, I don't see the problem with the cross-sign. In that version of events, the vast majority of the issues in the new PKI (test certs, etc) had already been revoked and measures put in place to prevent that

Re: StartCom cross-signs disclosed by Certinomis

2017-08-07 Thread Itzhak Daniel via dev-security-policy
Trust is something you *gain*. I want to believe the internet has come a long way from PGP signing parties.

Re: Certificates with invalidly long serial numbers

2017-08-07 Thread Hanno Böck via dev-security-policy
On Mon, 7 Aug 2017 15:59:07 + Ben Wilson via dev-security-policy wrote: > FWIW - In the case of Telecom Italia, they have a commercial CA > product has a bug in it that occasionally causes this issue. They > may need some time for the software to be

RE: Certificates with invalidly long serial numbers

2017-08-07 Thread Ben Wilson via dev-security-policy
FWIW - In the case of Telecom Italia, they have a commercial CA product that has a bug in it that occasionally causes this issue. They may need some time for the software to be fixed/replaced. -Original Message- From: dev-security-policy

Re: Certificates with invalidly long serial numbers

2017-08-07 Thread Matthew Hardeman via dev-security-policy
It is what it is, I'm sure, but that definition in RFC5280 is rather tortured and leads to ambiguity as to whether or not the leading 0x00 is. In fact, I would say that it is not part of the integer value but rather an explicit sign flag required by the encoding mechanism. Wouldn't it have

Re: Certificates with invalidly long serial numbers

2017-08-07 Thread Peter Bowen via dev-security-policy
(inserted missed word; off to get coffee now) On Mon, Aug 7, 2017 at 7:54 AM, Peter Bowen wrote: > On Mon, Aug 7, 2017 at 12:53 AM, Franck Leroy via dev-security-policy > wrote: >> Hello >> >> I checked only one but I think they are all

Re: Certificates with invalidly long serial numbers

2017-08-07 Thread Peter Bowen via dev-security-policy
On Mon, Aug 7, 2017 at 12:53 AM, Franck Leroy via dev-security-policy wrote: > Hello > > I checked only one but I think they are all the same. > > The integer value of the serial number is 20 octets, but when encoded into > DER a starting 00 may be

Re: Certificates with common names not present in their SANs

2017-08-07 Thread Alex Gaynor via dev-security-policy
Sorry, you're right -- I'd misunderstood the issue with Python. (FWIW, I'm one of the maintainers of the Python ssl module, and I anticipate us having a fix for IDNs by the next release). Alex On Sun, Aug 6, 2017 at 8:38 PM, Nick Lamb via dev-security-policy <

Re: StartCom cross-signs disclosed by Certinomis

2017-08-07 Thread Franck Leroy via dev-security-policy
Hello I see many reactions that are not in line with the reality because you don’t have all the history on the subject. I’ll try to summarize. Approximately one year ago Inigo was CTO of Izenpe (CA of the Basque Country) and he left this company in order to join StartCom. Not long after he

Re: Certificates with invalidly long serial numbers

2017-08-07 Thread Franck Leroy via dev-security-policy
Hello I checked only one but I think they are all the same. The integer value of the serial number is 20 octets, but when encoded into DER a starting 00 may be necessary to mark the integer as a positive value : 0 1606: SEQUENCE { 4 1070: SEQUENCE { 83: [0] { 101: