RE: Increasing number of Errors found in crt.sh

2018-10-01 Thread Inigo Barreira via dev-security-policy
And checking this site, how can Comodo have more certs with errors (15030) than certs issued (15020)? Regards From: dev-security-policy on behalf of Adriano Santoni via dev-security-policy Sent: Monday, October 01, 2018 10:09 PM To: Rob Stradling;

RE: PROCERT issues

2017-10-05 Thread Inigo Barreira via dev-security-policy
Has this been asked ever? Has any other CA published it? It's just to know. And, is there a "default" scope for this kind of security audits? Best regards Iñigo Barreira CEO StartCom CA Limited > -Original Message- > From: dev-security-policy [mailto:dev-security-policy- >

RE: StartCom inclusion request: next steps

2017-09-18 Thread Inigo Barreira via dev-security-policy
> > I want to give you some words from one of the "community side" (this is a > personal opinion and may vary from other opinions inside the community). > > Trust is not something that you get, it is something that you earn. True > StartCom was distrusted because of serious issues with their

RE: FW: StartCom inclusion request: next steps

2017-09-15 Thread Inigo Barreira via dev-security-policy
> > Hi Inigo, > > On 14/09/17 16:05, Inigo Barreira wrote: > > Those tests were done to check the CT behaviour, there was any other > testing of the new systems, just for the CT. > > Is there any reason those tests could not have been done using a parallel > testing hierarchy (other than the

RE: StartCom inclusion request: next steps

2017-09-15 Thread Inigo Barreira via dev-security-policy
> > Yes, you're right, that was on the table and also suggested by > > Mozilla, but the issue was that people from 360 are used to code in > > PHP and the old one was in Java and some other for which they are not > > so familiar and then was decided to re-write all the code in PHP > > trying to

RE: FW: StartCom inclusion request: next steps

2017-09-15 Thread Inigo Barreira via dev-security-policy
> Hi Inigo, > > To add from the last post. > > I know this is unwelcome news to you but I feel that with all these incidents > happening right now with Symantec and the incidents before, we can't really > take any more chances. Every incident is eroding trust in this system and if > we > want

RE: FW: StartCom inclusion request: next steps

2017-09-15 Thread Inigo Barreira via dev-security-policy
> > > > > > > Those tests were done to check the CT behaviour, there was any > > > > other > > > testing of the new systems, just for the CT. Those certs were under > > > control all the time and were lived for some minutes because were > > > revoked immediately after checking the certs were

RE: FW: StartCom inclusion request: next steps

2017-09-15 Thread Inigo Barreira via dev-security-policy
> > > Those tests were done to check the CT behaviour, there was any other > testing of the new systems, just for the CT. Those certs were under control > all > the time and were lived for some minutes because were revoked immediately > after checking the certs were logged correctly in the CTs.

RE: FW: StartCom inclusion request: next steps

2017-09-15 Thread Inigo Barreira via dev-security-policy
> On 14/09/2017 17:05, Inigo Barreira wrote: > > All, > > > > ... > >> > >> We should add the existing Certnomis cross-signs to OneCRL to revoke > >> all the existing certificates. As of 10th August (now a month ago) > >> StartCom said they have 5 outstanding SSL certs which are valid > >> due

RE: FW: StartCom inclusion request: next steps

2017-09-15 Thread Inigo Barreira via dev-security-policy
Yes, there are similar ones everywhere, so I'm familiar with it :-) And you're right, I also make contributions in many other places, ETSI, ENISA, CABF (used to), ... and not get paid for that, but it's also true that the way the distrust happened didn't give us time or much time to act

RE: StartCom inclusion request: next steps

2017-09-15 Thread Inigo Barreira via dev-security-policy
Hi Percy, Yes, you're right, that was on the table and also suggested by Mozilla, but the issue was that people from 360 are used to code in PHP and the old one was in Java and some other for which they are not so familiar and then was decided to re-write all the code in PHP trying to keep the

FW: StartCom inclusion request: next steps

2017-09-14 Thread Inigo Barreira via dev-security-policy
All, Obviously this is not the message we would like to read and will try to explain and rebate as much as possible some of the comments posted here. > > The Mozilla CA Certificates team has been considering what the appropriate > next steps are for the inclusion request from the CA

RE: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone

2017-09-13 Thread Inigo Barreira via dev-security-policy
Thanks Quirin, we're working with Primekey to know what happened (we'll generate a report once known) and will contact you if necessary to check that info you have. Regarding the logs, the log message actually means that CAA either explicitly permitted the issuance, or implicitly permitted

RE: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone

2017-09-12 Thread Inigo Barreira via dev-security-policy
rreira CEO StartCom CA Limited -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+inigo=startcomca@lists.mozilla.org] On Behalf Of Inigo Barreira via dev-security-policy Sent: Tuesday, 12 September 2017 12:44 To: Nick Lamb <tialara...@gma

RE: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone

2017-09-12 Thread Inigo Barreira via dev-security-policy
Ok, let me investigate this further, maybe I didn't catch it rightly. For the record, the certificate was revoked. Best regards Iñigo Barreira CEO StartCom CA Limited -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+inigo=startcomca@lists.mozilla.org]

RE: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone

2017-09-12 Thread Inigo Barreira via dev-security-policy
Hi Quirin, I was going to reply to your email after investigating what happened, but since you've posted here, I can share it. I think most of the CAs are struggling with the DNSSEC interpretation or how to solve some of the issues. In our case, I can tell the following: The DNSSEC checking is

RE: StartCom cross-signs disclosed by Certinomis

2017-09-11 Thread Inigo Barreira via dev-security-policy
Hi Gerv, Those updates are referred basically to the format of the report in which Franck asked to include specific information such as the serial number, names, etc. according to your instructions. The report itself has not been changed (that's forbidden). Regarding the qualifications or

RE: StartCom communication

2017-09-08 Thread Inigo Barreira via dev-security-policy
[mailto:dev-security-policy-bounces+inigo=startcomca@lists.mozilla.org] On Behalf Of Inigo Barreira via dev-security-policy Sent: Monday, 4 September 2017 18:40 To: Andrew Ayer <a...@andrewayer.name> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: RE: StartCom communication Hi

RE: StartCom communication

2017-09-04 Thread Inigo Barreira via dev-security-policy
Message- From: Andrew Ayer [mailto:a...@andrewayer.name] Sent: Monday, 4 September 2017 18:06 To: Inigo Barreira <in...@startcomca.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: StartCom communication On Mon, 4 Sep 2017 12:10:19 + Inigo Barreira via dev-se

StartCom communication

2017-09-04 Thread Inigo Barreira via dev-security-policy
Hi all, I've realized that there has not been a good communication path to announce all the tasks and actions performed by StartCom during this time and this email will try to remediate it. I'd also like to ask you for some feedback, comments and/or suggestions on how to improve. I think we've

RE: StartCom cross-signs disclosed by Certinomis

2017-08-08 Thread Inigo Barreira via dev-security-policy
Can this be responded to more directly and comprehensively please? Are there any staff or personnel being shared between WoSign and Startcom? No This includes any staff from (or paid by) Qihoo 360 its subsidiaries, contractors, or affiliates--does anyone do any work (paid or unpaid) for both

RE: StartCom cross-signs disclosed by Certinomis

2017-08-08 Thread Inigo Barreira via dev-security-policy
Hi Percy, StartCom Spain exists since September last year. And it was included in the remediation plan set in October last year, but at the time Gerv wrote that email it didn't exist officially, it took a while to be registered officially in the "equivalent" Spanish companies house. The process

RE: StartCom cross-signs disclosed by Certinomis

2017-08-08 Thread Inigo Barreira via dev-security-policy
Hi, In the remediation plan that was published in October there was a chart in which it was indicated how the group was going to change, from WoSign management to be under 360 management. I can provide the information again if you wish. StartCom Spain is 100% owned by Startcom UK, which is also 100%

RE: StartCom cross-signs disclosed by Certinomis

2017-08-08 Thread Inigo Barreira via dev-security-policy
Hi, 1.- yes, I said many times that it was not a good decision and of course not the best way to start, but at all times these test certs were under control, lived only for some minutes. Everything was explained in bugzilla #1369359 2.- Those pre-certificates were related to these test

RE: StartCom cross-signs disclosed by Certinomis

2017-08-04 Thread Inigo Barreira via dev-security-policy
> > In this larger light, it would also seem that StartCom, having misissued a number of certificates already under their new hierarchy, which present a risk to Mozilla users (revocation is neither an excuse nor a mitigation for misissuance), should be required to take corrective steps and

RE: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Inigo Barreira via dev-security-policy
[mailto:jonat...@titanous.com] Sent: Thursday, 3 August 2017 16:52 To: Inigo Barreira <in...@startcomca.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: StartCom cross-signs disclosed by Certinomis > On Aug 3, 2017, at 04:47, Inigo Barreira via dev-security-policy > &

RE: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Inigo Barreira via dev-security-policy
igel.email] Sent: Thursday, 3 August 2017 13:07 To: Inigo Barreira <in...@startcomca.com>; Franck Leroy <fr.le...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: StartCom cross-signs disclosed by Certinomis On 03/08/2017 10:47, Inigo Barreira via dev-security-p

RE: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Inigo Barreira via dev-security-policy
Hi, this is my reply in the bugzilla Hi all, what Franck is saying is true and we haven't started to issue any cert using this new path. Regarding the info that is in this bug I'm really shocked because the majority of them are revoked and don't understand why have been included here. For

RE: Certificate with invalid dnsName

2017-07-20 Thread Inigo Barreira via dev-security-policy
Thanks for this info. These Startcom certs were issued from the old system. We'll contact the users and act accordingly. Best regards Iñigo Barreira CEO StartCom CA Limited -Original Message- From: dev-security-policy

RE: New undisclosed intermediates

2017-06-06 Thread Inigo Barreira via dev-security-policy
Hello all, I also did it but it's not reflected. In my case it was also my fault because I was disclosing a different one. Best regards Iñigo Barreira CEO StartCom CA Limited -Original Message- From: dev-security-policy

RE: StartCom issuing bogus certificates

2017-06-01 Thread Inigo Barreira via dev-security-policy
I believe that's the 'best practice' for sharing files here as it allows non-subscribers to access the file via the Google Groups archive. -Vincent On Thu, Jun 1, 2017 at 6:40 AM Inigo Barreira via dev-security-policy <dev-security-policy@lists.mozilla.org <mailto:dev-security-policy@l

RE: StartCom issuing bogus certificates

2017-06-01 Thread Inigo Barreira via dev-security-policy
Hi all, Firstly I'd like to apologize for not having answered before and for posting an initial response that was not correct, not accurate and not related to what it's being discussed right now. It was my fault for not having checked before with my team, which is in China and they are 6 hours

RE: StartCom issuing bogus certificates

2017-05-31 Thread Inigo Barreira via dev-security-policy
Hi all, There's been a misunderstanding internally when requested to create some "test" certificates as indicated in the Microsoft root program requirements as stated in 4b "Test URLs for each root, or a URL of a publicly accessible server that Microsoft can use to verify the certificates."

RE: Policy 2.5 Proposal: Fix definition of constraints for id-kp-emailProtection

2017-05-19 Thread Inigo Barreira via dev-security-policy
Yes, I wanted to know if a regular user can use its Gmail account to get an s/mime cert but that can't be issued because the CA can't validate the domain properly because it's not his or authorized to use it when doing the 3.2.2.4 Best regards Iñigo Barreira CEO StartCom CA Limited

RE: Policy 2.5 Proposal: Fix definition of constraints for id-kp-emailProtection

2017-05-19 Thread Inigo Barreira via dev-security-policy
What about those for Gmail, Hotmail, etc.? Are they out of scope? Best regards Iñigo Barreira CEO StartCom CA Limited -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+inigo=startcomca@lists.mozilla.org] On Behalf Of Gervase Markham via dev-security-policy

RE: StartCom continues to sell untrusted certificates

2017-05-03 Thread Inigo Barreira via dev-security-policy
Yes, thank you for letting us know. Best regards Iñigo Barreira CEO StartCom CA Limited -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+inigo=startcomca@lists.mozilla.org] On Behalf Of Lewis Resmond via dev-security-policy Sent: miércoles, 3 de

RE: Symantec Conclusions and Next Steps

2017-04-27 Thread Inigo Barreira via dev-security-policy
No problem at all. I thought that while distrusted there was no need to follow nor update the CCADB. Will do asap. Best regards Iñigo Barreira CEO StartCom CA Limited -Original Message- From: Rob Stradling [mailto:rob.stradl...@comodo.com] Sent: Thursday, 27 April 2017 13:08 To: Inigo

RE: Symantec Conclusions and Next Steps

2017-04-27 Thread Inigo Barreira via dev-security-policy
Good to know that our new certs are there :-) Regarding StartCom, these are the new certs we've generated and will be used to apply for inclusion in the Mozilla root program. Nothing to disclose at the moment I guess. We've not been audited yet nor applied. Best regards Iñigo Barreira CEO

RE: Public disclosure of root ownership transfers (was: Re: Google Trust Services roots)

2017-02-13 Thread Inigo Barreira via dev-security-policy
Yes, I know what happened but it's not what the document says. Unless there's another document, it seems to me that you haven't acted according to what this page says. If I understand correctly, a should is a conditional and then it's not a requirement. Furthermore there's no indication on the

RE: Public disclosure of root ownership transfers (was: Re: Google Trust Services roots)

2017-02-10 Thread Inigo Barreira via dev-security-policy
Gerv, I see many "should" in this link. Basically those indicating "should notify Mozilla" and "should follow the physical relocation section". But in physical relocation and personnel changes sections it seems to me there's a contradiction because there are some must. Can you explain the