Re: INC8119596 Other | Entrust Certs and DHS

2019-11-23 Thread Peter Bowen via dev-security-policy
On Sat, Nov 23, 2019 at 1:08 PM O'Donnell, Derek via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> We have a customer at the VA who uses an Entrust root:
> Issuer   Entrust
>
> AIA:
> http://nfitestweb.managed.entrust.com/AIA/CertsIssuedToNFIMediumSSPCA.p7c
>
> They are repeatedly flagged by DHS for not using a trusted certificate and
> using a self-signed certificate.  DHS uses Mozilla Trust Store.
>
> Taking a look at the following file:
>
> https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
>
> we can see that everything pertaining to Entrust ends in .NET.
>
> The Entrust CA our customer uses ends in .COM.  Both extensions are the same
> thing.  How can we have the .COM certificate added Globally to Mozilla's
> Trust Store?  This will resolve the issues being reported by DHS for us.
> Any help on this would be greatly appreciated.
>

Hi Derek,

Entrust Datacard runs a number of different CAs.  The various CAs are
intended for various purposes.

The CA you are using is intended for government-only applications.  The CAs
that are included in the Mozilla Trust Store are intended for citizen or
business-facing applications.  It sounds like DHS is recommending that you
use a certificate that is designed for citizen or business-facing
applications.  I would talk to Entrust Datacard or another CA in the
Mozilla Trust Store to see about getting a new certificate.

Thanks,
Peter
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
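Before assuming a CA is "in the Mozilla Trust Store", the useful check is whether its label appears in certdata.txt as a CKO_NSS_TRUST object with CKA_TRUST_SERVER_AUTH set to CKT_NSS_TRUSTED_DELEGATOR. The parser below is an added example, not code from the thread or from NSS; the two sample records are constructed and abbreviated (real entries carry many more attributes), and the SSP CA name queried at the end is taken from the LDAP AIA in the original post.

```python
# Look a CA up in an NSS certdata.txt-style trust list (added example; the
# records below are constructed and abbreviated, not copied from certdata.txt).
SAMPLE_CERTDATA = r"""
BEGINDATA
# Trust for "Entrust Root Certification Authority"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Entrust Root Certification Authority"
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\105\154\172\303
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
# Trust for "Example Legacy Root" (constructed: listed, but distrusted for TLS)
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Legacy Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
"""


def parse_trust_records(text):
    """Map each CKO_NSS_TRUST record's label to its CKA_TRUST_SERVER_AUTH value.
    Comments, BEGINDATA, non-trust objects and MULTILINE_OCTAL blobs are skipped.
    Relies on CKA_LABEL preceding the trust attributes, as certdata.txt does."""
    records, current, in_octal = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if in_octal:                      # inside a MULTILINE_OCTAL ... END blob
            in_octal = line != "END"
            continue
        if not line or line.startswith("#") or line == "BEGINDATA":
            continue
        parts = line.split(None, 2)       # attribute, type, value
        attr, value = parts[0], parts[2] if len(parts) == 3 else ""
        if len(parts) > 1 and parts[1] == "MULTILINE_OCTAL":
            in_octal = True
        elif attr == "CKA_CLASS":         # every object starts with its class
            current = {"class": value}
        elif current and attr == "CKA_LABEL":
            current["label"] = value.strip('"')
        elif current and attr == "CKA_TRUST_SERVER_AUTH":
            if current["class"] == "CKO_NSS_TRUST":
                records[current["label"]] = value
    return records


def is_trusted_for_tls(records, label):
    """Only an explicit trusted delegator counts; a label that is absent (as a
    government-only SSP CA would be) is simply not a trust anchor at all."""
    return records.get(label) == "CKT_NSS_TRUSTED_DELEGATOR"
```

Run against the real file, a CA that is merely listed but marked CKT_NSS_NOT_TRUSTED for server auth also fails the check, which is why presence of a vendor's name in the file says nothing about a particular issuing CA.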


Re: Apple: Patch Management

2019-11-23 Thread Matt Palmer via dev-security-policy
[aside: this is how incident reports should be done, IMHO]

On Fri, Nov 22, 2019 at 07:23:27PM -0800, Apple CA via dev-security-policy wrote:
> We did not have an accurate understanding of how the vulnerability scanner
> worked.  Our understanding of its capabilities led us to believe it was
> scanning and detecting vulnerabilities in EJBCA.

There's a reasonable chance that other CAs may have a similar situation, so
I think it's worth digging deeper into the root causes here.  Can you expand
on how this misunderstanding regarding the vulnerability scanner came to
pass?  What was the information on which you were relying when you came to
the understanding of the vulnerability scanner's capabilities?  Were you
misled by the vendor marketing or technical documentation, or was it an
Apple-internal assessment that came to an inaccurate conclusion?  Or
"other"?

- Matt



INC8119596 Other | Entrust Certs and DHS

2019-11-23 Thread O'Donnell, Derek via dev-security-policy
Hello -

We have a customer at the VA who uses an Entrust root:

Issuer   Entrust

AIA:
http://nfitestweb.managed.entrust.com/AIA/CertsIssuedToNFIMediumSSPCA.p7c

AIA:
ldap://nfitestdir.managed.entrust.com/ou=Entrust%20NFI%20Test%20Shared%20Service%20Provider,ou=Certification%20Authorities,o=Entrust,c=US?cACertificate;binary,crossCertificatePair;binary

They are repeatedly flagged by DHS for not using a trusted certificate and
using a self-signed certificate.  DHS uses Mozilla Trust Store.

Taking a look at the following file:
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt,
we can see that everything pertaining to Entrust ends in .NET.

The Entrust CA our customer uses ends in .COM.  Both extensions are the same
thing.  How can we have the .COM certificate added Globally to Mozilla's
Trust Store?  This will resolve the issues being reported by DHS for us.
Any help on this would be greatly appreciated.

Respectfully,

Derek O'Donnell (Contractor)

NOC Gateway Operations - QuarterLine

Infrastructure Operations (IO)

IT Operations and Services (ITOPS), Office of Information and Technology (OIT)

Office (304) 262-5282 T-S