Re: Policy 2.6 Proposal: Update Minimum Audit Versions

2018-05-10 Thread Dimitris Zacharopoulos via dev-security-policy 

Hello Peter,

These were very recently published however not everyone is tracking down 
ETSI updates by registering to the mailing lists. The main question is 
where can you find the authoritative document *list*? I though the 
official list is 
https://portal.etsi.org/TBSiteMap/ESI/TrustServiceProviders.aspx.


Also, were there any other versions published before 1.2.2? The 
recommendation says "1.2 or later". Where are the versions 1.2.0, 1.2.1 
published?


Thanks,
Dimitris.

On 11/5/2018 8:13 πμ, Peter Miškovič via dev-security-policy wrote:

There were published a new versions of both ETSI standards:

ETSI EN 319 411-1 V1.2.2 adopted on April 23, 2018
http://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.02.02_60/en_31941101v010202p.pdf

ETSI EN 319 411-2 V2.2.2 adopted on April 23, 2018
http://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.02.02_60/en_31941102v020202p.pdf

Peter

-Original Message-
From: dev-security-policy 
 On 
Behalf Of Wayne Thayer via dev-security-policy
Sent: Thursday, May 10, 2018 5:04 PM
To: mozilla-dev-security-policy 
Subject: Policy 2.6 Proposal: Update Minimum Audit Versions

After consulting with representatives from WebTrust and ETSI, I propose that we 
update the minimum required versions of audit criteria in section
3.1.1 as follows:

- WebTrust "Principles and Criteria for Certification Authorities - Extended 
Validation SSL" from 1.4.5 to 1.6.0 or later
- “Trust Service Providers practice” in ETSI EN 319 411-1 from 1.1.1 to 1.2 or 
later
- “Trust Service Providers practice” in ETSI EN 319 411-2  from 2.1.1 to
2.2 or later

These newer versions were all published last year and should be the minimum for 
audits completed from now on.

Please respond with any concerns you have about this update to our root store 
policy.

- Wayne
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy



___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

RE: Policy 2.6 Proposal: Update Minimum Audit Versions

2018-05-10 Thread Peter Miškovič via dev-security-policy 
There were published a new versions of both ETSI standards:

ETSI EN 319 411-1 V1.2.2 adopted on April 23, 2018
http://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.02.02_60/en_31941101v010202p.pdf

ETSI EN 319 411-2 V2.2.2 adopted on April 23, 2018
http://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.02.02_60/en_31941102v020202p.pdf

Peter

-Original Message-
From: dev-security-policy 
 On 
Behalf Of Wayne Thayer via dev-security-policy
Sent: Thursday, May 10, 2018 5:04 PM
To: mozilla-dev-security-policy 
Subject: Policy 2.6 Proposal: Update Minimum Audit Versions

After consulting with representatives from WebTrust and ETSI, I propose that we 
update the minimum required versions of audit criteria in section
3.1.1 as follows:

- WebTrust "Principles and Criteria for Certification Authorities - Extended 
Validation SSL" from 1.4.5 to 1.6.0 or later
- “Trust Service Providers practice” in ETSI EN 319 411-1 from 1.1.1 to 1.2 or 
later
- “Trust Service Providers practice” in ETSI EN 319 411-2  from 2.1.1 to
2.2 or later

These newer versions were all published last year and should be the minimum for 
audits completed from now on.

Please respond with any concerns you have about this update to our root store 
policy.

- Wayne
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Policy 2.6 Proposal: Update Minimum Audit Versions

2018-05-10 Thread Dimitris Zacharopoulos via dev-security-policy 


This page https://portal.etsi.org/TBSiteMap/ESI/TrustServiceProviders.aspx
also displays EN 319 411-1 v1.1.1 
 
and EN 319 411-2 v2.1.1 
.



Dimitris.

On 10/5/2018 11:24 μμ, Dimitris Zacharopoulos via dev-security-policy wrote:


For ETSI EN 319 411-1, it seems that v1.1.1 is still listed as the 
official version. The list of ESI activities is 
https://portal.etsi.org//TBSiteMap/ESI/ESIActivities.aspx. There is an 
update for version 1.2.1 that is "on vote until 23 April".


Perhaps there is a more official page for these documents that I am 
not aware of.



Dimitris.

-Original Message-
From: Wayne Thayer via dev-security-policy 

To: mozilla-dev-security-policy 


Sent: Thu, 10 May 2018 18:04
Subject: Policy 2.6 Proposal: Update Minimum Audit Versions

After consulting with representatives from WebTrust and ETSI, I propose
that we update the minimum required versions of audit criteria in section
3.1.1 as follows:

- WebTrust "Principles and Criteria for Certification Authorities -
Extended Validation SSL" from 1.4.5 to 1.6.0 or later
- “Trust Service Providers practice” in ETSI EN 319 411-1 
 from 1.1.1 to 1.2

or later
- “Trust Service Providers practice” in ETSI EN 319 411-2 
  from 2.1.1 to

2.2 or later

These newer versions were all published last year and should be the 
minimum

for audits completed from now on.

Please respond with any concerns you have about this update to our root
store policy.

- Wayne
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org 


https://lists.mozilla.org/listinfo/dev-security-policy

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy



___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Policy 2.6 Proposal: Update Minimum Audit Versions

2018-05-10 Thread Dimitris Zacharopoulos via dev-security-policy 


For ETSI EN 319 411-1, it seems that v1.1.1 is still listed as the 
official version. The list of ESI activities is 
https://portal.etsi.org//TBSiteMap/ESI/ESIActivities.aspx. There is an 
update for version 1.2.1 that is "on vote until 23 April".


Perhaps there is a more official page for these documents that I am not 
aware of.



Dimitris.

-Original Message-
From: Wayne Thayer via dev-security-policy 

To: mozilla-dev-security-policy 


Sent: Thu, 10 May 2018 18:04
Subject: Policy 2.6 Proposal: Update Minimum Audit Versions

After consulting with representatives from WebTrust and ETSI, I propose
that we update the minimum required versions of audit criteria in section
3.1.1 as follows:

- WebTrust "Principles and Criteria for Certification Authorities -
Extended Validation SSL" from 1.4.5 to 1.6.0 or later
- “Trust Service Providers practice” in ETSI EN 319 411-1  
from 1.1.1 to 1.2

or later
- “Trust Service Providers practice” in ETSI EN 319 411-2   
from 2.1.1 to

2.2 or later

These newer versions were all published last year and should be the minimum
for audits completed from now on.

Please respond with any concerns you have about this update to our root
store policy.

- Wayne
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org 


https://lists.mozilla.org/listinfo/dev-security-policy

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Policy 2.6 Proposal: Update Minimum Audit Versions

2018-05-10 Thread Wayne Thayer via dev-security-policy 
After consulting with representatives from WebTrust and ETSI, I propose
that we update the minimum required versions of audit criteria in section
3.1.1 as follows:

- WebTrust "Principles and Criteria for Certification Authorities -
Extended Validation SSL" from 1.4.5 to 1.6.0 or later
- “Trust Service Providers practice” in ETSI EN 319 411-1 from 1.1.1 to 1.2
or later
- “Trust Service Providers practice” in ETSI EN 319 411-2  from 2.1.1 to
2.2 or later

These newer versions were all published last year and should be the minimum
for audits completed from now on.

Please respond with any concerns you have about this update to our root
store policy.

- Wayne
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

RE: FW: Bit encoding (AW: Policy 2.6 Proposal: Add prohibition on CA key generation to policy)

2018-05-10 Thread Doug Beattie via dev-security-policy 
Hi Wayne,

I’m OK with this as long as this permits the password (fully or partially 
generated by the CA) and PKCS#12 file to be picked up by a user over HTTPS (a 
single channel).

Doug


From: Wayne Thayer [mailto:wtha...@mozilla.com]
Sent: Wednesday, May 9, 2018 11:43 PM
To: Doug Beattie 
Cc: mozilla-dev-security-policy 
Subject: Re: FW: Bit encoding (AW: Policy 2.6 Proposal: Add prohibition on CA 
key generation to policy)


I think we have settled on the following resolution to this issue:

Add the following to section 5.2 (Forbidden and Required Practices):

CAs MUST NOT generate the key pairs for end-entity certificates that have an 
EKU extension containing the KeyPurposeIds id-kp-serverAuth or
anyExtendedKeyUsage.

PKCS#12 files must employ an encryption key and algorithm that is sufficiently 
strong to protect the key pair for its useful life based on current guidelines 
published by a recognized standards body. PKCS#12 files MUST be encrypted and 
signed; or, MUST have a password that exhibits at least 112 bits of entropy, 
and the password MUST be transferred using a different channel than the PKCS#12 
file.

Unless there is further discussion, I will include this language in the final 
version of the policy.

- Wayne
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy