Re: PrintableString, UTF8String, and RFC 5280

2019-11-20 Thread Peter Gutmann via dev-security-policy
Ryan Sleevi writes: >I don't think the hyperbole helps here. It wasn't hyperbole, it was extreme surprise. When someone told me about this I couldn't believe it was still happening after the massive amount of publicity it got at the time, so it was more a giant "WTF?!??" than anything else.

Re: PrintableString, UTF8String, and RFC 5280

2019-11-20 Thread Ryan Sleevi via dev-security-policy
On Wed, Nov 20, 2019 at 10:54 PM Peter Gutmann wrote: > Ryan Sleevi writes: > > >Do you believe it’s still applicable in the Web PKI of the past decade? > > Yes, the specific cert I referenced is currently valid and passed WebTrust and EV audits. > "Passed" is... a bit misleading as to the

Re: PrintableString, UTF8String, and RFC 5280

2019-11-20 Thread Peter Gutmann via dev-security-policy
Ryan Sleevi writes: >Do you believe it’s still applicable in the Web PKI of the past decade? Yes, the specific cert I referenced is currently valid and passed WebTrust and EV audits. >If you could link to the crt.sh entry, that might be easier. Here's the Microsoft one I mentioned: Microsoft

Re: PrintableString, UTF8String, and RFC 5280

2019-11-20 Thread Ryan Sleevi via dev-security-policy
On Wed, Nov 20, 2019 at 9:48 PM Peter Gutmann wrote: > Ryan Sleevi via dev-security-policy writes: > > >In https://bugzilla.mozilla.org/show_bug.cgi?id=1593814 , Rob Stradling, > >Jeremy Rowley, and I started discussing possible steps that might be taken to > >prevent misencoding strings in

Re: PrintableString, UTF8String, and RFC 5280

2019-11-20 Thread Peter Gutmann via dev-security-policy
Ryan Sleevi via dev-security-policy writes: >In https://bugzilla.mozilla.org/show_bug.cgi?id=1593814 , Rob Stradling, >Jeremy Rowley, and I started discussing possible steps that might be taken to >prevent misencoding strings in certificates Is there any official position on strings that have

WebTrust direct URLs to PDF audit statements will be down during site update

2019-11-20 Thread Kathleen Wilson via dev-security-policy
All, CPA Canada just informed me that the PDF file URLs that we use in the CCADB for WebTrust audits will be down for a while as they perform a site update. You will still be able to access the audit statements via the Seal files on the CA websites during this time. We apologize for the

Policy 2.7 Proposal: Update Minimum Versions of Audit Criteria

2019-11-20 Thread Wayne Thayer via dev-security-policy
The last change I am proposing for version 2.7 of the Mozilla Root Store policy is an update to the minimum versions of audit criteria that we will accept in audits. I have conferred with the WebTrust Task Force and was informed that we can update the minimum version requirements for audit

Re: Policy 2.7 Proposal: Clarify Section 5.1 ECDSA Curve-Hash Requirements

2019-11-20 Thread Wayne Thayer via dev-security-policy
On Thu, Nov 14, 2019 at 3:24 PM Wayne Thayer wrote: > On Fri, Nov 8, 2019 at 12:06 PM Ryan Sleevi wrote: > >> >> On Fri, Nov 8, 2019 at 1:54 PM Wayne Thayer via dev-security-policy < >> dev-security-policy@lists.mozilla.org> wrote: >> >>> A few more questions have come up about this change: >>>

PrintableString, UTF8String, and RFC 5280

2019-11-20 Thread Ryan Sleevi via dev-security-policy
In https://bugzilla.mozilla.org/show_bug.cgi?id=1593814 , Rob Stradling, Jeremy Rowley, and I started discussing possible steps that might be taken to prevent misencoding strings in certificates, and it seemed appropriate to shift this to a more general m.d.s.p. discussion, rather than solely on

Re: Audit Letter Validation (ALV) on intermediate certs in CCADB

2019-11-20 Thread Kathleen Wilson via dev-security-policy
On 11/19/19 4:59 PM, Kathleen Wilson wrote: Note: I will add a report to wiki.mozilla.org/CA/Intermediate_Certificates to list all of the intermediate certificates that have been added to OneCRL and their revocation status. This will enable the CA Community to identify which certificates