Re: Pre-Incident Report - WISeKey Serial Number Entropy

2019-03-29 Thread Wayne Thayer via dev-security-policy
Pedro, Thank you for reporting this issue. On Tue, Mar 19, 2019 at 2:10 AM Pedro Fuentes via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > In light of the recent discussion related to serial number Entropy, at > WISeKey we could verify that we were also affected by this

Policy 2.7 Proposal: Require EKUs in End-Entity Certificates

2019-03-29 Thread Wayne Thayer via dev-security-policy
The BRs require EKUs in leaf TLS certs, but there is no equivalent requirement for S/MIME certificates. This leads to confusion such as [1] in which certificates that are not intended for TLS or S/MIME fall within the scope of our policies. Simply requiring EKUs in S/MIME certificates won't solve

Re: Policy 2.7 Proposal: Incident Reporting Updates

2019-03-29 Thread Wayne Thayer via dev-security-policy
On Thu, Mar 28, 2019 at 5:29 PM Ryan Sleevi wrote: > > On Thu, Mar 28, 2019 at 7:42 PM Wayne Thayer wrote: > >> On Thu, Mar 28, 2019 at 4:11 PM Ryan Sleevi wrote: >> >>> On Thu, Mar 28, 2019 at 6:45 PM Wayne Thayer via dev-security-policy < >>> dev-security-policy@lists.mozilla.org> wrote: >>>

Re: Policy 2.7 Proposal: Clarify Meaning of "Technically Constrained"

2019-03-29 Thread Wayne Thayer via dev-security-policy
On Fri, Mar 29, 2019 at 4:32 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 28/03/2019 21:52, Wayne Thayer wrote: > > Our current Root Store policy assigns two different meanings to the term > > "technically constrained": > > * in sections 1.1 and 3.1,

RE: Pre-Incident report: PKIoverheid Serial Number Entropy

2019-03-29 Thread Berge, J. van den (Jochem) - Logius via dev-security-policy
Dear MDSP community, We would like to share an update to our initial post-mortem of 03/13/2019 and our subsequent updates of 03/19/2019 and 03/22/2019 Following the discussions on MDSP Logius has determined that the following G3 TSP CA’s (Issuing CA certificates) are not compliant with BR 7.1

Re: Policy 2.7 Proposal: Clarify Meaning of "Technically Constrained"

2019-03-29 Thread Jakob Bohm via dev-security-policy
On 28/03/2019 21:52, Wayne Thayer wrote: > Our current Root Store policy assigns two different meanings to the term > "technically constrained": > * in sections 1.1 and 3.1, it means 'limited by EKU' > * in section 5.3 it means 'limited by EKU and name constraints' > > The BRs already define a

Re: Policy 2.7 Proposal: Clarify Meaning of "Technically Constrained"

2019-03-29 Thread Pedro Fuentes via dev-security-policy
Hello, related to this... I'd like to point out something that is bugging me... Section 7.1.5 of the BR stipulates... First paragraph: "For a Subordinate CA Certificate to be considered Technically Constrained..." Second paragraph: "If the Subordinate CA Certificate includes the