Re: Japan GPKI Root Renewal Request

2018-02-22 Thread apca2.2013--- via dev-security-policy
We are a certificate authority controlled by the Government of Japan and issue 
certificates only for servers operated by the government.

The certificates you pointed out as concerning will expire and be reissued, so 
we think the problem will be solved.

We will continue to undergo BR audits in the future so that we operate as a secure 
certification authority, and we appreciate your continued support.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: CA Program for security researchers

2018-02-22 Thread Jakob Bohm via dev-security-policy

On 22/02/2018 23:27, James Burton wrote:
> It doesn't take that long for CAs to do vetting checks for OV and EV
> certificates when everything is handed to them on a plate. Breaking CAs'
> vetting procedures is not too hard.
>


In principle, the vetting procedures are what customers pay for and
relying parties depend on.  The automated certificate signing and
revocation systems are operational security critical infrastructure, but
logically secondary to the vetting.


> The key here is that security research shouldn't cost the
> researcher thousands to prove a valid point. They should be entitled to
> some type of compensation from the CA.
> It would be great if CAs ran a program that allowed security researchers to
> get compensated after the research instead of before.
>


That would be my option 2 below: Getting the tested CA to sponsor the
operation.

My option 3 below, if combined with the real vetting processes of that
CA, would be another way to handle research probing (with no risk of
being accused of causing actual dangers), provided the CA can be trusted
not to do things correctly and more securely for the test certificates,
but wrong/insecurely for the real certificates.


> James
>
> On Thu, Feb 22, 2018 at 10:10 PM, Jakob Bohm via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> On 22/02/2018 22:17, James Burton wrote:
>>
>>> There needs to be a program that helps security researchers like myself
>>> get
>>> free or low cost certificates for research purposes. That EV research I
>>> did
>>> a while ago nearly set me back personally $4,297.
>>>
>>> James
>>>
>>
>> I think there are three main cases and an additional concern:
>>
>> 1. Getting real certificates from a real CA referring to real domains.
>>    Only secure option is to get the research sponsored by that CA,
>>    perhaps in exchange for giving them a longer than standard heads up of
>>    any results regarding their security.
>>
>> 2. Getting real certificates for a test/dummy domain.
>>    Perhaps a weakening rule can be introduced in the BRs (subject to a lot
>>    of discussions as this will be very controversial and potentially
>>    dangerous), that certificates for the .invalid TLD can be issued under
>>    special research terms.  However I doubt the current BR maintainers or
>>    the leaders of this Mozilla group will agree to that.
>>
>> 3. Getting invalid/test certificates for a real domain to test
>>    procedures.
>>    Perhaps some CAs can be talked into setting up a special "test only,
>>    DO NOT TRUST" root CA running in parallel to their real trusted roots,
>>    allowing cheap issuance for tests and experiments.  Such a test root
>>    would not be in the CCADB or any root program, nor be cross-signed by
>>    any real roots.
>>    Such a test hierarchy would also be useful for organizations setting
>>    up and testing automated certificate management systems prior to using
>>    those systems with real certificates.
>>
>> Additionally, for the manual step verified EV and OV certificates,
>> issuance involves real man-hours at the CA organization.  So for such
>> higher grade certificates, getting them for free or on a 30 days-return
>> policy would not be a good thing to allow.  Even for testing.
>> Especially since such research certificates are probably going to
>> trigger additional manual revocation procedures (= more man-hours to be
>> paid).
>>


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: TunRootCA2 root inclusion request

2018-02-22 Thread Wayne Thayer via dev-security-policy
The TunRootCA2 root operates under the following CPS: 
http://www.certification.tn/pub/PC-PDC_AC_RACINE-NG-01-EN.pdf

The TunServerCA2 subordinate CA operates under a different CPS: 
http://www.certification.tn/sites/default/files/documents/CPCPS-PTC-BR-EN-05.pdf

I have reviewed the supplied BR Self Assessment, the CPSes, and related 
information, and have the following comments:

==Good==
* Misissued certificates reported earlier in this thread have been revoked

==Meh==
* Numerous warning level lint errors in issued certificates: 
https://crt.sh/?caid=5680&opt=cablint,zlint,x509lint&minNotBefore=2017-01-01
* From the US, the server is returning an error or taking more than one minute 
to deliver the CRL at http://crl.certification.tn/TunServerCA2.crl (crt.sh is 
also timing out)
* The great majority of certificates issued by this CA fall under the .tn TLD; 
however, the Government of Tunisia has not requested that the root be 
constrained to issuance for .tn names.
* The subordinate CA certificate contains no EKU extension so is not 
constrained to issuing certain types of certificates.
* Delegated 3rd parties are permitted. The CPS does not clearly state the BR 
requirement that domain validation may not be performed by a delegated third 
party.
* The only method of domain validation specified in the BR Self Assessment is 
the now deprecated 3.2.2.4.5. How and when will the Government of Tunisia 
comply with CA/Browser Forum ballot 218?
* The Government of Tunisia’s answer for wildcard domain validation in their BR 
Self Assessment implies the use of method 3.2.2.4.1, but they claim not to use 
that method in the same document.
* CPS section 4.9.2 does not permit a person who controls a domain name 
contained in a certificate to request revocation unless they are the Subscriber 
or the Subscriber's legal representative.

==Bad==
* Missing SAN entries: 
https://crt.sh/?cablint=25&iCAID=5680&minNotBefore=2017-01-01 
This CA continues to misissue certificates, so the manual controls described 
earlier in this thread are inadequate.
* The current subordinate CA CPS is dated October 2016. The current root CPS is 
dated July 2015. Mozilla policy requires annual CPS updates.
* The CPS does not comply with the BR requirement to document support for 
Certificate Authority Authorization (CAA). Has CAA been implemented?
* The CPS does not describe how domain validation is performed and which of the 
BR methods are utilized as required by Mozilla policy section 2.2.
* The CPS claims in section 4.2.1 that the databases of regional IP address 
registries are used to verify domain control. Please explain how this is 
possible.

Next steps:
1. I would ask a representative of the Government of Tunisia to answer the 
above questions.
2. The CPS issues need to be corrected and new versions published.
3. Given the ongoing misissuance, I would not recommend approval of this 
request until pre-issuance linting has been implemented.

Wayne
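The "Bad" list above hinges on pre-issuance linting: a check that runs on the to-be-signed certificate and blocks signing when it fails, instead of relying on manual controls and post-issuance crt.sh reports. As an added example, not code from this thread or from the Tunisian CA, here is a minimal issuance gate in Go using only the standard library: it refuses to sign a template whose subjectAltName is missing or whose commonName is not mirrored in the SAN, the shape of misissuance reported above as missing SAN entries. The function names, the constructed www.example.test template and the self-signed demonstration key are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"strings"
	"time"
)

// lintTemplate runs BR-derived checks on a to-be-signed server certificate; empty result means clean.
func lintTemplate(t *x509.Certificate) []string {
	var findings []string
	if len(t.DNSNames) == 0 && len(t.IPAddresses) == 0 {
		findings = append(findings, "subjectAltName is missing or empty")
	}
	if cn := t.Subject.CommonName; cn != "" {
		inSAN := false
		for _, d := range t.DNSNames {
			inSAN = inSAN || strings.EqualFold(d, cn)
		}
		if !inSAN {
			findings = append(findings, "commonName "+cn+" is not repeated as a SAN dNSName")
		}
	}
	return findings
}

// signIfClean is the issuance gate: lint first, refuse to sign on any finding.
func signIfClean(t, parent *x509.Certificate, key *ecdsa.PrivateKey) ([]byte, error) {
	if f := lintTemplate(t); len(f) > 0 {
		return nil, errors.New("pre-issuance lint failed: " + strings.Join(f, "; "))
	}
	return x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, key)
}

// newSigningKey makes a throwaway P-256 key for the demonstration.
func newSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// newTemplate builds a constructed sample request; sans == nil is the CN-only shape cablint flags.
func newTemplate(cn string, sans []string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), DNSNames: sans}
}
```

In a real CA the gate would sit in front of the HSM signing call and the checks would be the full cablint/zlint rule set; the point is that a failing template never becomes a certificate.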


Re: CA Program for security researchers

2018-02-22 Thread James Burton via dev-security-policy
It doesn't take that long for CAs to do vetting checks for OV and EV
certificates when everything is handed to them on a plate. Breaking CAs'
vetting procedures is not too hard.

The key here is that security research shouldn't cost the
researcher thousands to prove a valid point. They should be entitled to
some type of compensation from the CA.
It would be great if CAs ran a program that allowed security researchers to
get compensated after the research instead of before.

James

On Thu, Feb 22, 2018 at 10:10 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On 22/02/2018 22:17, James Burton wrote:
>
>> There needs to be a program that helps security researchers like myself
>> get
>> free or low cost certificates for research purposes. That EV research I
>> did
>> a while ago nearly set me back personally $4,297.
>>
>> James
>>
>>
> I think there are three main cases and an additional concern:
>
> 1. Getting real certificates from a real CA referring to real domains.
>   Only secure option is to get the research sponsored by that CA,
>   perhaps in exchange for giving them a longer than standard heads up of
>   any results regarding their security.
>
> 2. Getting real certificates for a test/dummy domain.
>   Perhaps a weakening rule can be introduced in the BRs (subject to a lot
>   of discussions as this will be very controversial and potentially
>   dangerous), that certificates for the .invalid TLD can be issued under
>   special research terms.  However I doubt the current BR maintainers or
>   the leaders of this Mozilla group will agree to that.
>
> 3. Getting invalid/test certificates for a real domain to test
>   procedures.
>Perhaps some CAs can be talked into setting up a special "test only,
>   DO NOT TRUST" root CA running in parallel to their real trusted roots,
>   allowing cheap issuance for tests and experiments.  Such a test root
>   would not be in the CCADB or any root program, nor be cross-signed by
>   any real roots.
>Such a test hierarchy would also be useful for organizations setting
>   up and testing automated certificate management systems prior to using
>   those systems with real certificates.
>
> Additionally, for the manual step verified EV and OV certificates,
> issuance involves real man-hours at the CA organization.  So for such
> higher grade certificates, getting them for free or on a 30 days-return
> policy would not be a good thing to allow.  Even for testing.
> Especially since such research certificates are probably going to
> trigger additional manual revocation procedures (= more man-hours to be
> paid).
>
>
>
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>


Re: CA Program for security researchers

2018-02-22 Thread Jakob Bohm via dev-security-policy

On 22/02/2018 22:17, James Burton wrote:
> There needs to be a program that helps security researchers like myself get
> free or low cost certificates for research purposes. That EV research I did
> a while ago nearly set me back personally $4,297.
>
> James
>



I think there are three main cases and an additional concern:

1. Getting real certificates from a real CA referring to real domains.
  Only secure option is to get the research sponsored by that CA,
  perhaps in exchange for giving them a longer than standard heads up of
  any results regarding their security.

2. Getting real certificates for a test/dummy domain.
  Perhaps a weakening rule can be introduced in the BRs (subject to a lot
  of discussions as this will be very controversial and potentially
  dangerous), that certificates for the .invalid TLD can be issued under
  special research terms.  However I doubt the current BR maintainers or
  the leaders of this Mozilla group will agree to that.

3. Getting invalid/test certificates for a real domain to test
  procedures.
   Perhaps some CAs can be talked into setting up a special "test only,
  DO NOT TRUST" root CA running in parallel to their real trusted roots,
  allowing cheap issuance for tests and experiments.  Such a test root
  would not be in the CCADB or any root program, nor be cross-signed by
  any real roots.
   Such a test hierarchy would also be useful for organizations setting
  up and testing automated certificate management systems prior to using
  those systems with real certificates.

Additionally, for the manual step verified EV and OV certificates,
issuance involves real man-hours at the CA organization.  So for such
higher grade certificates, getting them for free or on a 30 days-return
policy would not be a good thing to allow.  Even for testing.
Especially since such research certificates are probably going to
trigger additional manual revocation procedures (= more man-hours to be
paid).




Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: CA Program for security researchers

2018-02-22 Thread James Burton via dev-security-policy
I didn't put this in the article because it's not relevant as an attacker
wouldn't care nonetheless.

James

On Thu, Feb 22, 2018 at 9:29 PM, James Burton  wrote:

> They tried charging the card the amount the day after the certificate was
> issued but the bank fraud department called me about the transaction and I
> refused it because it was invalid as it was within the trial period and it
> was clearly stipulated that I was only going to get charged after the 30-day
> trial period is up. In the end, I managed to sort it out with them and
> didn't have to pay anything and had evidence to support myself in case I
> had to fight it in court or etc.
>
> James
>
> On Thu, Feb 22, 2018 at 9:17 PM, James Burton  wrote:
>
>> There needs to be a program that helps security researchers like myself
>> get free or low cost certificates for research purposes. That EV research I
>> did a while ago nearly set me back personally $4,297.
>>
>> James
>>
>>
>>
>


Re: CA Program for security researchers

2018-02-22 Thread James Burton via dev-security-policy
They tried charging the card the amount the day after the certificate was
issued but the bank fraud department called me about the transaction and I
refused it because it was invalid as it was within the trial period and it
was clearly stipulated that I was only going to get charged after the 30-day
trial period is up. In the end, I managed to sort it out with them and
didn't have to pay anything and had evidence to support myself in case I
had to fight it in court or etc.

James

On Thu, Feb 22, 2018 at 9:17 PM, James Burton  wrote:

> There needs to be a program that helps security researchers like myself
> get free or low cost certificates for research purposes. That EV research I
> did a while ago nearly set me back personally $4,297.
>
> James
>
>
>


CA Program for security researchers

2018-02-22 Thread James Burton via dev-security-policy
There needs to be a program that helps security researchers like myself get
free or low cost certificates for research purposes. That EV research I did
a while ago nearly set me back personally $4,297.

James