Re: Audits for new subCAs

2018-04-06 Thread Peter Bowen via dev-security-policy
On Mon, Apr 2, 2018 at 5:15 PM, Wayne Thayer via dev-security-policy wrote: > On Mon, Apr 2, 2018 at 4:36 PM, Jakob Bohm via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> >> While Entrust happens to do this, as a relying party, I

Re: Do Not Accept WebTrust Audit from Deloitte Anjin South Korea

2018-04-06 Thread Wayne Thayer via dev-security-policy
The Korea GPKI MOI CA certificates are in the inclusion process. As I noted in the bug, I've added information on the reported misissuance and OCSP errors to the inclusion request and I've noted the concerns raised about the auditor in their CCADB record. - Wayne On Thu, Apr 5, 2018 at 10:03 AM,

Re: Audits for new subCAs

2018-04-06 Thread Ryan Sleevi via dev-security-policy
On Thu, Apr 5, 2018 at 4:08 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 04/04/2018 16:01, Ryan Sleevi wrote: > >> On Tue, Apr 3, 2018 at 11:42 AM, Jakob Bohm via dev-security-policy < >> >> dev-security-policy@lists.mozilla.org> wrote: >> >> On

Do Not Accept WebTrust Audit from Deloitte Anjin South Korea

2018-04-06 Thread hstsrequest--- via dev-security-policy
Deloitte Anjin did the WebTrust audit for South Korea GPKI(Government Public Key Infrastructure). they audited two organization "Ministry of the Interior" and "Ministry of the Education" buy they did not follow CA/B Forum BR.. they issued certificate without domain validaion. ex)

Re: Submission to ct-logs of the final certificate when there is already a pre-certificate

2018-04-06 Thread Tim Shirley via dev-security-policy
That may well be the conclusion, that the benefits of total disclosure outweigh the costs in this type of scenario. I just wanted to point out that there IS a cost to at least consider. Yes, the certificate might have been seen in transmission between the CA and the customer, yes the customer

Re: Submission to ct-logs of the final certificate when there is already a pre-certificate

2018-04-06 Thread Alex Gaynor via dev-security-policy
I think (3) shouldn't be considered any different from (1) -- they're only meaningfully different if you make a lot of assumptions about how it's stored and transported at every point from when the HSM signs the TBS to the certificates final resting place (on someone's disk? in their email inbox?

Re: Submission to ct-logs of the final certificate when there is already a pre-certificate

2018-04-06 Thread Tim Shirley via dev-security-policy
#2 seems like an obvious "no" to me as, at that point, you're only compounding a mistake and making that mistake actually usable in the public PKI if you proceed to issue the certificate. In practice I can't imagine this scenario coming up much, but the policy shouldn't mandate doing this. I