Re: 2018.05.18 Let's Encrypt CAA tag value case sensitivity incident

2018-05-22 Thread Nick Lamb via dev-security-policy
On 21 May 2018 14:59, Ryan Sleevi wrote:Given the TTLs and the key sizes in use on DNSSEC records, why do you believe this?This is a smoking gun because it's extremely strong circumstantial evidence. Why else would these records exist except that in fact the "victim" published these DNS records at

InfoCert Acquisition of Camerfirma

2018-05-22 Thread Wayne Thayer via dev-security-policy
On Thursday, a representative of AC Camerfirma sent an email informing Mozilla that InfoCert [1] has taken control of Camerfirma. News of the deal was first published on May 4th. [2] Section 8.1 of our policy applies here (quoting version 2.6 draft): If the receiving or acquiring company is new t

Fwd: 2018.05.18 Let's Encrypt CAA tag value case sensitivity incident

2018-05-22 Thread Matthew Hardeman via dev-security-policy
Copying message accidentally sent directly to a list participant. -- Forwarded message -- From: Matthew Hardeman Date: Tue, May 22, 2018 at 3:47 PM Subject: Re: 2018.05.18 Let's Encrypt CAA tag value case sensitivity incident To: Ryan Sleevi Ultimately it seems reasonable to, a

Re: OISTE WISeKey Global Root GC CA Root Inclusion Request

2018-05-22 Thread Wayne Thayer via dev-security-policy
On Tue, May 22, 2018 at 12:11 PM Ryan Sleevi wrote: > Overall, I think this would be good to proceed, but there's certain > discrepancies called out under Questions that I think should be resolved > before doing so. I would suggest contacting WISeKey for follow-up on these, > and not proceed unti

Re: OISTE WISeKey Global Root GC CA Root Inclusion Request

2018-05-22 Thread Ryan Sleevi via dev-security-policy
Thanks for the reminder, Wayne. I've reviewed the CPS and Audit Reports and have the following comments. I will note that, due to having already had someone else look at it, I only focused on information validation related to domains and IPs, and did not examine the policies around OV and EV, as t

Re: 2018.05.18 Let's Encrypt CAA tag value case sensitivity incident

2018-05-22 Thread vdukhovni--- via dev-security-policy
On Tuesday, May 22, 2018 at 1:32:51 PM UTC-4, vduk...@gmail.com wrote: > On Tuesday, May 22, 2018 at 1:04:31 PM UTC-4, Paul Wouters wrote: > > On Tue, 22 May 2018, Ryan Sleevi via dev-security-policy wrote: > > > > > However, what does this buy us? Considering that the ZSKs are > > > intentionall

Re: 2018.05.18 Let's Encrypt CAA tag value case sensitivity incident

2018-05-22 Thread vdukhovni--- via dev-security-policy
On Tuesday, May 22, 2018 at 1:04:31 PM UTC-4, Paul Wouters wrote: > On Tue, 22 May 2018, Ryan Sleevi via dev-security-policy wrote: > > > However, what does this buy us? Considering that the ZSKs are intentionally > > designed to be frequently rotated (24 - 72 hours), thus permitting weaker > > ke

Re: 2018.05.18 Let's Encrypt CAA tag value case sensitivity incident

2018-05-22 Thread Ryan Sleevi via dev-security-policy
On Tue, May 22, 2018 at 1:03 PM, Paul Wouters wrote: > On Tue, 22 May 2018, Ryan Sleevi via dev-security-policy wrote: > > However, what does this buy us? Considering that the ZSKs are intentionally >> designed to be frequently rotated (24 - 72 hours), thus permitting weaker >> key sizes (RSA-512

Re: 2018.05.18 Let's Encrypt CAA tag value case sensitivity incident

2018-05-22 Thread Ryan Sleevi via dev-security-policy
I think your position is both misguided and unrealistic, and I think you're using it as an opportunity to pursue a technical issue, when there is both a systemic issue at play (and can be demonstrated through all validation methods) and a fundamental misunderstanding as to the value it would provid

Re: 2018.05.18 Let's Encrypt CAA tag value case sensitivity incident

2018-05-22 Thread Paul Wouters via dev-security-policy
On Tue, 22 May 2018, Ryan Sleevi via dev-security-policy wrote: However, what does this buy us? Considering that the ZSKs are intentionally designed to be frequently rotated (24 - 72 hours), thus permitting weaker key sizes (RSA-512), I don't know anyone who believes or uses these timings or k

RE: 2018.05.18 Let's Encrypt CAA tag value case sensitivity incident

2018-05-22 Thread Tim Hollebeek via dev-security-policy
What that wall of text completely misses is the point I and others have been trying to make. The logs have to have enough information so you don’t end up in the situation Let’s Encrypt is currently, and unfortunately, in. Yes, what they did is compliant, and that’s exactly what most concern

Re: 2018.05.18 Let's Encrypt CAA tag value case sensitivity incident

2018-05-22 Thread Ryan Sleevi via dev-security-policy
On Tue, May 22, 2018 at 12:14 PM, Tim Hollebeek wrote: > What precisely was the antecedent of “this” in your message? Re-reading > it, I’m not clear which sentence you were referring to. > > > > The only reasons I can think of for not keeping DNSSEC signed RRs are > storage and/or performance, a

RE: 2018.05.18 Let's Encrypt CAA tag value case sensitivity incident

2018-05-22 Thread Tim Hollebeek via dev-security-policy
What precisely was the antecedent of “this” in your message? Re-reading it, I’m not clear which sentence you were referring to. The only reasons I can think of for not keeping DNSSEC signed RRs are storage and/or performance, and we think those concerns should not be the driving force in lo

Re: 2018.05.18 Let's Encrypt CAA tag value case sensitivity incident

2018-05-22 Thread Ryan Sleevi via dev-security-policy
On Tue, May 22, 2018 at 11:17 AM, Tim Hollebeek wrote: > > > Given the TTLs and the key sizes in use on DNSSEC records, why do you > believe > > this? > > DigiCert is not sympathetic to disk space as a reason to not keep > sufficient > information > in order to detect misissuance due to CAA failu

RE: 2018.05.18 Let's Encrypt CAA tag value case sensitivity incident

2018-05-22 Thread Tim Hollebeek via dev-security-policy
> Given the TTLs and the key sizes in use on DNSSEC records, why do you believe > this? DigiCert is not sympathetic to disk space as a reason to not keep sufficient information in order to detect misissuance due to CAA failures. In fact, inspired by this issue, we are taking a look internally at