Re: Consequences of mis-issuance under CNNIC

2015-03-24 Thread Charles Reiss
On 03/23/15 22:47, Richard Barnes wrote: Dear dev.security.policy, It has been discovered that an intermediate CA under the CNNIC root has mis-issued certificates for some Google domains. Full details can be found in blog posts by Google [0] and Mozilla [1]. We would like to discuss what

Re: FNMT Root Inclusion Request

2015-10-23 Thread Charles Reiss
On 10/23/15 08:10, almo...@gmail.com wrote: > El miércoles, 21 de octubre de 2015, 22:43:15 (UTC+2), Charles Reiss > escribió: >> On 10/21/15 19:17, Kathleen Wilson wrote: >>> FNMT has applied to include the "AC RAIZ FNMT-RCM" root certificate and >>

Re: FNMT Root Inclusion Request

2015-10-26 Thread Charles Reiss
On 10/26/15 15:57, rafa...@gmail.com wrote: > El miércoles, 21 de octubre de 2015, 22:43:15 (UTC+2), Charles Reiss > escribió: >> On 10/21/15 19:17, Kathleen Wilson wrote: >> >> >> What are the apparent subCAs with CNs 'AC FNMT Usuarios' >> [https://crt

Re: Symantec Test Cert Misissuance Incident

2015-10-30 Thread Charles Reiss
On 10/28/15 21:30, Kathleen Wilson wrote: > On 10/28/15 2:14 PM, Kathleen Wilson wrote: >> Google has blogged about this: >> >> https://googleonlinesecurity.blogspot.com/2015/10/sustaining-digital-certificate-security.html >> >> > > All, > > We should discuss what actions Mozilla should require

Re: Policy Update Proposal: Timeline for Disclosing SubCAs

2015-11-05 Thread Charles Reiss
On 11/04/15 00:24, Kathleen Wilson wrote: > Topic to discuss [1]: > “(D3) Make the timeline clear about when the audit statements and disclosure > has > to happen for new audited/disclosed subCAs. > > Section 10 of the Inclusion Policy says: >

Re: ComSign Root Renewal Request

2015-12-10 Thread Charles Reiss
On 12/10/15 20:01, Kathleen Wilson wrote: > This request is to include the "ComSign Global Root CA" root certificate, and > enable the Websites and Email trust bits. This root will eventually replace > the > "ComSign CA" root certificate that is currently included in NSS, and was > approved in

Re: Policy Update Proposal: Timeline for Disclosing SubCAs

2015-12-16 Thread Charles Reiss
On 12/15/15 01:48, Peter Bowen wrote: > On Mon, Dec 14, 2015 at 5:39 PM, Kathleen Wilson wrote: >> >> Another thing to consider in updating the policy is in regards to test >> certificates versus certificates issued to customers. >> e.g. Does the disclosure need to happen

Re: ComSign Root Renewal Request

2015-12-14 Thread Charles Reiss
On 12/14/15 17:56, Eli Spitzer wrote: > The SubCA "Comsign Ev SSL CA" is at its initial development stages. It was > indeed created under "Comsign Global Root CA", but so far we only issued a > handful of test certificates from it. We have no plans to issue public > certificates from it at the

Re: Policy Update Proposal: Timeline for Disclosing SubCAs

2015-11-20 Thread Charles Reiss
On 11/19/15 23:09, Kathleen Wilson wrote: > By the time version 2.3 of Mozilla’s CA Cert Policy is published, I hope to > have > issued a CA Community License to every included CA. Taking that into > consideration; I propose changing the policy as follows. > [snip] > > As always, I will

SHA1 certs issued this year chaining to included roots

2016-01-18 Thread Charles Reiss
Via censys.io, I found a couple SHA-1 certs with notBefore dates from this year which chain to root CAs in Mozilla's program: - https://crt.sh/?id=12089828 -- chains to Baltimore CyberTrust Root [DigiCert] via subCA "Eurida Primary CA" via subCA "DnB NOR ASA PKI Class G" Also, the OCSP responder

Re: SHA1 certs issued this year chaining to included roots

2016-01-18 Thread Charles Reiss
On 01/19/16 03:37, Charles Reiss wrote: > On 01/19/16 03:23, Kurt Roeckx wrote: >> On Tue, Jan 19, 2016 at 01:49:21AM +0000, Charles Reiss wrote: >>> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this >>> year >>> which chain to root CA

Re: SHA1 certs issued this year chaining to included roots

2016-01-18 Thread Charles Reiss
On 01/19/16 03:23, Kurt Roeckx wrote: > On Tue, Jan 19, 2016 at 01:49:21AM +0000, Charles Reiss wrote: >> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this >> year >> which chain to root CAs in Mozilla's program: > > I also have some fro

Re: More SHA-1 certs

2016-02-05 Thread Charles Reiss
On 02/05/16 20:13, martin.suc...@gmail.com wrote: > Here's a list of all certificates with SHA-1 signatures and notBefore >= > 2016-01-01, logged in the Certificate Transparency Log: > https://crt.sh/?cablint=211=2016-01-01 Some notes on how these look as of now. The listed subCA CNs are: - DOD

Re: A-Trust Root Renewal Request

2016-02-08 Thread Charles Reiss
On 02/09/16 01:22, Kathleen Wilson wrote: > This request is to include the ‘A-Trust-Root-05’ root certificate, turn > on the Websites trust bit, and enable EV treatment. This new root > certificate will replace the ‘A-Trust-nQual-03’ root certificate that > was included via Bugzilla Bug #530797.

Re: More SHA-1 certs

2016-02-05 Thread Charles Reiss
On 02/05/16 21:14, Ben Wilson wrote: > Aren't all of these CA certificates? The links in the '#' column are to lists of BR-noncompliant certificates; the links in the 'Issuer Name' column are to information about the issuing DN+public key of those certificates. > > -Original Message- >

Re: DocuSign (OpenTrust/Keynectis/Certplus) root renewal request

2016-02-09 Thread Charles Reiss
On 02/09/16 20:07, Kathleen Wilson wrote: > This request by DocuSign (OpenTrust/Keynectis/Certplus) is to include > the following root certificates, turn on the Websites and Email trust > bits for all of them, and enable EV treatment for all of them. These new > certs will eventually replace the

Re: SHA1 certs issued this year chaining to included roots

2016-02-01 Thread Charles Reiss
On 01/19/16 01:49, Charles Reiss wrote: > Via censys.io, I found a couple SHA-1 certs with notBefore dates from this > year > which chain to root CAs in Mozilla's program: [snip] and even more, from different subCAs than have come up yet: - https://crt.sh/?id=12501241=cablint --

Re: Proposed limited exception to SHA-1 issuance

2016-02-23 Thread Charles Reiss
On 02/23/16 18:57, Gervase Markham wrote: [snip] > Symantec may issue certificates to Worldpay if the following things are > true: Based on what's happened with MD5 certificates, it seems the main risk of harm comes from something like a chosen-prefix collision attack using a specially

Re: SHA1 certs issued this year chaining to included roots

2016-01-19 Thread Charles Reiss
On 01/19/16 11:49, Jakob Bohm wrote: > On 19/01/2016 02:49, Charles Reiss wrote: >> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this >> year >> which chain to root CAs in Mozilla's program: >> >> - https://crt.sh/?id=12089828 -- ch

Re: DocuSign (OpenTrust/Keynectis/Certplus) root renewal request

2016-02-16 Thread Charles Reiss
On 02/09/16 20:07, Kathleen Wilson wrote: > This request by DocuSign (OpenTrust/Keynectis/Certplus) is to include > the following root certificates, turn on the Websites and Email trust > bits for all of them, and enable EV treatment for all of them. These new > certs will eventually replace the

Re: DocuSign (OpenTrust/Keynectis/Certplus) root renewal request

2016-02-18 Thread Charles Reiss
On 02/18/16 21:40, Erwann Abalea wrote: > Bonsoir, > > Le mercredi 10 février 2016 00:15:11 UTC+1, Charles Reiss a écrit : >> On 02/09/16 20:07, Kathleen Wilson wrote: >>> This request by DocuSign (OpenTrust/Keynectis/Certplus) is to >>> include the

Re: A-Trust Root Renewal Request

2016-02-12 Thread Charles Reiss
On 02/12/16 14:26, Christoph Klein wrote: > Dear All! > > Thank you for contributing to our discussion and illustrating some > existing problems with our certificates. I would like to address the > stated points separately. [snip] > * 20 Bits of Entropy: the Serialnumber included in the Subject of

Re: Drafting Q1 2016 CA Communication

2016-03-15 Thread Charles Reiss
On 03/15/16 22:43, kwil...@mozilla.com wrote: > On Monday, March 14, 2016 at 5:28:32 PM UTC-7, Charles Reiss wrote: >>> ACTION #1a: As previously communicated, CAs should no longer be >>> issuing SHA-1 certificates chaining up to root certificates >>> included in Mo

Re: Drafting Q1 2016 CA Communication

2016-03-14 Thread Charles Reiss
On 03/10/16 23:43, kwil...@mozilla.com wrote: [snip] > Regards, > > Kathleen Wilson Mozilla CA Program Manager > > ACTION #1a: As previously communicated, CAs should no longer be > issuing SHA-1 certificates chaining up to root certificates included > in Mozilla's CA Certificate Program. Check

Re: More SHA-1 certs

2016-03-10 Thread Charles Reiss
On 03/03/16 19:48, Ryan Sleevi wrote: > On Thursday, March 3, 2016 at 9:20:07 AM UTC-8, Andrew Ayer wrote: >> It's also troubling that a CA may be allowed to continue issuing >> non-serverAuth certs with SHA-1 from an issuer that is also used >> for serverAuth certs. Again, a collision attack

Re: SHA-1 S/MIME certificates

2016-03-31 Thread Charles Reiss
On 03/30/16 20:53, Jeremy Rowley wrote: > I think a required move away from SHA1 client certs requires a bit > more planning. > > 1) There hasn't been a formal deprecation of all SHA-1 certificates > in any root store policy. There has been a formal deprecation by the > CAB Forum of SHA1 server

Re: Drafting Q1 2016 CA Communication

2016-03-20 Thread Charles Reiss
On 03/16/16 17:48, kwil...@mozilla.com wrote: > On Wednesday, March 16, 2016 at 6:03:26 AM UTC-7, Jakob Bohm wrote: >> On 16/03/2016 00:27, Charles Reiss wrote: >>> On 03/15/16 22:43, kwilson wrote: >>>> ACTION #1a: As previously communicated, CAs should n

Re: Drafting Q1 2016 CA Communication

2016-03-22 Thread Charles Reiss
On 03/22/16 16:33, kwil...@mozilla.com wrote: > The following 'ACTION #1c' has been added to the communication, which > is here: https://wiki.mozilla.org/CA:Communications#March_2016 and > click on "Link to DRAFT of March 2016 CA Communication". With the current wordings of #1a and #1b, if - a CA

Re: March 2016 CA Communication Responses

2016-05-15 Thread Charles Reiss
On 04/13/16 20:32, Kathleen Wilson wrote: All, I have added links to reports of the responses to the March 2016 CA Communication survey: https://wiki.mozilla.org/CA:Communications#March_2016_Responses For question 1a, TeliaSonera indicated "2015 Oct 20", but the following SHA-1 server

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-18 Thread Charles Reiss via dev-security-policy
On 07/18/2017 11:57 AM, Hanno Böck wrote: More dotdot-certificates: [snip] via searching censys.io: https://crt.sh/?id=174803642 for *..syntaxafrica.com Issued by GoDaddy in 2016; expires later this year, but revoked (CRL timestamp says a few days after issuance)

Re: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-23 Thread Charles Reiss via dev-security-policy
On 07/17/2017 11:21 AM, Ben Wilson wrote: Dear Jonathan, Thank you for bringing this to our attention. We have contacted Intesa Sanpaolo regarding this error and have asked them to correct it as soon as possible. Sincerely yours, This CA also issued a recent certificate for the unqualified

Re: TunRootCA2 root inclusion request

2017-07-19 Thread Charles Reiss via dev-security-policy
On 07/19/17 05:10, Aaron Wu wrote: - Tunisian Server Certificate Authority - TunServerCA2 https://crt.sh/?id=21813439 is a certificate issued by this CA which has a domain name in the common name but only an email address in the SAN. (The certificate has TLS server/client usage EKUs.)

Re: Certificate with invalid dnsName

2017-07-19 Thread Charles Reiss via dev-security-policy
On 07/19/2017 06:03 PM, Tom wrote: Following that discovery, I've searched for odd (invalid?) DNS names. Here is the list of certificates I've found; it may overlap some discoveries already reported. If I'm correct, these certificates are not revoked, not expired, and probably trusted by Mozilla

Re: TunRootCA2 root inclusion request

2017-07-19 Thread Charles Reiss via dev-security-policy
On 07/19/2017 05:10 AM, Aaron Wu wrote: - Tunisian Server Certificate Authority - TunServerCA2 https://crt.sh/?id=79470561=cablint is a certificate for the internal name 'adv-mail.calladvance.local' issued by this CA with a notBefore of 2017.