MOVED mozilla.dev.security.policy to dev-security-policy

2021-04-02 Thread Kathleen Wilson via dev-security-policy
All, This mozilla.dev.security.policy group has been moved to dev-security-policy in Mozilla’s Google Workspace (formerly GSuite). New Access Points: - Mailing List: dev-security-pol...@mozilla.org -- dev-security-policy@lists.mozilla.org will automatically forward to the new mailing list

Re: MOVING mozilla.dev.security.policy to dev-security-policy in Mozilla’s Google Workspace (formerly GSuite)

2021-04-01 Thread Kathleen Wilson via dev-security-policy
All, I posted the first message to the new group, with subject "WELCOME to dev-security-policy". If you do not receive the welcome message to the new group, you can subscribe to it by sending an email to dev-security-policy+subscr...@mozilla.org or to me or Ben. You can update your user

Re: CCADB Update to Audit and Root Inclusion Cases March 25-29

2021-03-30 Thread Kathleen Wilson via dev-security-policy
All, The CCADB update has been completed, and the "UNDER CONSTRUCTION" notice will be removed today. There is still some cleanup that we will be doing, but you may proceed with using Audit Cases and Root Inclusion Cases now. Please let me know if you run into any problems with the CCADB.

CCADB Update to Audit and Root Inclusion Cases March 25-29

2021-03-25 Thread Kathleen Wilson via dev-security-policy
All, We will be applying updates to CCADB Audit Cases and Root Inclusion Cases starting tonight, March 25, and expected to be completed the afternoon of March 29. We will post the following message on the CCADB home page while the updates are in progress. -- UNDER CONSTRUCTION: Audit

MOVING mozilla.dev.security.policy to dev-security-policy in Mozilla’s Google Workspace (formerly GSuite)

2021-03-25 Thread Kathleen Wilson via dev-security-policy
All, This mozilla.dev.security.policy mailing list has been running on ancient custom-patched mailman software since the early Mozilla days. As many of you are aware, there are limitations and sometimes loss of data with the old configuration, so we are migrating this list to be hosted as a

Re: New intermediate certs and Audit Statements

2021-03-24 Thread Kathleen Wilson via dev-security-policy
On 3/24/21 5:32 AM, Rob Stradling wrote: On 9th July 2019, Kathleen wrote: I propose that to handle this situation, the CA may enter the subordinate CA's current audit statements and use the Public Comment field to indicate that the new certificate will be included in the next audit

Re: Audit Reminder Email Summary

2021-03-16 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of March 2021 Audit Reminder Emails Date: Tue, 16 Mar 2021 19:02:12 +0000 (GMT) Mozilla: Audit Reminder CA Owner: certSIGN Root Certificates: certSIGN ROOT CA Standard Audit:

Re: Audit Reminders for Intermediate Certs

2021-03-02 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of March 2021 Outdated Audit Statements for Intermediate Certs Date: Tue, 2 Mar 2021 15:00:24 +0000 (GMT) CA Owner: SECOM Trust Systems CO., LTD. - Certificate Name: JPRS Organization Validation Authority - G3 SHA-256 Fingerprint:

CCADB Proposal: Add field called JSON Array of Partitioned CRLs Issued By This CA

2021-02-24 Thread Kathleen Wilson via dev-security-policy
All, As previously discussed, there is a section on root and intermediate certificate pages in the CCADB called ‘Pertaining to Certificates Issued by this CA’, and it currently has one field called 'Full CRL Issued By This CA'. Proposal: Add field called 'JSON Array of Partitioned CRLs

Re: Audit Reminder Email Summary

2021-02-16 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of February 2021 Audit Reminder Emails Date: Tue, 16 Feb 2021 20:01:02 +0000 (GMT) Mozilla: Audit Reminder CA Owner: Krajowa Izba Rozliczeniowa S.A. (KIR) Root Certificates: SZAFIR ROOT CA2 Standard Audit:

Re: Action on Camerfirma Root CAs

2021-02-10 Thread Kathleen Wilson via dev-security-policy
I filed https://bugzilla.mozilla.org/show_bug.cgi?id=1692094 to turn off the Websites trust bit for the 2008 root certs, and to set the "Distrust for S/MIME After Date" for the older root certs. Thanks, Kathleen

Re: Audit Reminders for Intermediate Certs

2021-02-02 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of February 2021 Outdated Audit Statements for Intermediate Certs Date: Tue, 2 Feb 2021 15:00:16 +0000 (GMT) CA Owner: SECOM Trust Systems CO., LTD. - Certificate Name: JPRS Organization Validation Authority - G3 SHA-256 Fingerprint:

CCADB Update: Extended ALV to EV SSL Audits on Intermediate Certs

2021-01-22 Thread Kathleen Wilson via dev-security-policy
CAs, There are a couple updates to the CCADB that I would like to bring to your attention. 1) Added 'CCADB Release Notes' link to the CA home page. It links to: https://docs.google.com/document/d/1yMLYQFNH2JnOixVsByC99uoQd8fFfZcKlKBu-vgy3CU/edit#heading=h.6p4mru6ujyvl 2) Extended automated

Re: Audit Reminder Email Summary

2021-01-19 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of January 2021 Audit Reminder Emails Date: Tue, 19 Jan 2021 20:00:30 +0000 (GMT) Mozilla: Audit Reminder CA Owner: Krajowa Izba Rozliczeniowa S.A. (KIR) Root Certificates: SZAFIR ROOT CA2 Standard Audit:

Re: CCADB Update to Salesforce Lightning Interface

2020-12-16 Thread Kathleen Wilson via dev-security-policy
All, The new video about how to create an Audit Case in the CCADB is available here: https://www.ccadb.org/cas/updates#instructions Thanks, Kathleen

Re: Audit Reminder Email Summary

2020-12-15 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of December 2020 Audit Reminder Emails Date: Tue, 15 Dec 2020 20:00:28 +0000 (GMT) Mozilla: Audit Reminder CA Owner: DigiCert Root Certificates: Symantec Class 2 Public Primary Certification Authority - G6 Symantec Class 1 Public Primary

2H2020 Symantec Root Updates

2020-12-14 Thread Kathleen Wilson via dev-security-policy
All, Continuing with the distrust of the old Symantec root certificates, 10 root certificates were removed via bug 1670769 from NSS 3.60 and Firefox 85. 1. GeoTrust Global CA 2. GeoTrust Primary Certification Authority 3. GeoTrust Primary Certification Authority - G3 4. thawte Primary Root

Re: CCADB Update to Salesforce Lightning Interface

2020-12-04 Thread Kathleen Wilson via dev-security-policy
On 12/3/20 10:30 AM, Kathleen Wilson wrote: On Thursday, December 3, we intend to migrate CCADB to Salesforce’s newer interface, called Lightning. Here is a document explaining the changes: https://docs.google.com/document/d/1RchT4pMUvzHkKpLPRYyzdhuIovVUKd88KwLyijzobT4/edit?usp=sharing

Re: CCADB Update to Salesforce Lightning Interface

2020-12-03 Thread Kathleen Wilson via dev-security-policy
On Thursday, December 3, we intend to migrate CCADB to Salesforce’s newer interface, called Lightning. Here is a document explaining the changes: https://docs.google.com/document/d/1RchT4pMUvzHkKpLPRYyzdhuIovVUKd88KwLyijzobT4/edit?usp=sharing The CCADB update to the newer Lightning

Re: Announcing the Chrome Root Program

2020-12-02 Thread Kathleen Wilson via dev-security-policy
Thank you, Ryan, for providing this very helpful information. ## What does this mean for the CA Certificates Module? Since 2015, I’ve been a Module Peer of the CA Certificates Module [1]. My role has been to support Kathleen and Ben, and previously also Wayne and Gerv, in performing detailed

Re: Audit Reminders for Intermediate Certs

2020-12-01 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of December 2020 Outdated Audit Statements for Intermediate Certs Date: Tue, 1 Dec 2020 15:00:43 +0000 (GMT) CA Owner: Government of The Netherlands, PKIoverheid (Logius) - Certificate Name: UZI-register Medewerker niet op naam CA G3

CCADB Update to Salesforce Lightning Interface

2020-11-30 Thread Kathleen Wilson via dev-security-policy
CAs, On Thursday, December 3, we intend to migrate CCADB to Salesforce’s newer interface, called Lightning. Here is a document explaining the changes: https://docs.google.com/document/d/1RchT4pMUvzHkKpLPRYyzdhuIovVUKd88KwLyijzobT4/edit?usp=sharing Thanks, Kathleen

Re: CCADB Proposal: Add field called Full CRL Issued By This CA

2020-11-18 Thread Kathleen Wilson via dev-security-policy
All, The following changes have been made in the CCADB: On Intermediate Cert pages: - Renamed section heading ‘Revocation Information’ to ‘Revocation Information for this Certificate’ - Added section called ‘Pertaining to Certificates Issued by this CA’ - Added 'Full CRL Issued By This CA'

Re: Audit Reminder Email Summary

2020-11-18 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of November 2020 Audit Reminder Emails Date: Tue, 17 Nov 2020 20:01:50 +0000 (GMT) Mozilla: Audit Reminder CA Owner: Google Trust Services LLC (GTS) Root Certificates: GTS Root R2 GTS Root R3 GTS Root R4 GTS Root R1 GlobalSign

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-14 Thread Kathleen Wilson via dev-security-policy
On 11/13/20 1:43 PM, Ryan Sleevi wrote: In this regard, the principles from Mozilla's 1.0 Certificate Policy provide a small minimum, along with some of the language from, say, the FPKI, regarding technical competencies. The basis here is simply for the auditor to *disclose* why they believe

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-12 Thread Kathleen Wilson via dev-security-policy
PS: In the meantime, we will continue to verify auditor qualifications as described here: https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications On 11/12/20 4:27 PM, Kathleen Wilson wrote: > It is proposed in Issue #192 > that

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-12 Thread Kathleen Wilson via dev-security-policy
> It is proposed in Issue #192 > that information about > individual auditor's qualifications be provided--identity, competence, > experience and independence. (For those interested as to this independence > requirement, Mozilla Policy v.1.0

Re: Policy 2.7.1: MRSP Issue #152: Add EV Audit exception for Policy Constraints

2020-11-06 Thread Kathleen Wilson via dev-security-policy
>> For this MRSP Issue #152 update to v2.7.1, I propose that we make each >> occurrence of "capable of issuing EV certificates" link to >> https://wiki.mozilla.org/CA/EV_Processing_for_CAs#EV_TLS_Capable In the definition of EV TLS Capable, I'd move the last bullet up to the top. Done.

Re: Policy 2.7.1: MRSP Issue #152: Add EV Audit exception for Policy Constraints

2020-11-05 Thread Kathleen Wilson via dev-security-policy
On 10/16/20 11:26 PM, Ryan Sleevi wrote: Because of this, it seems that there is a simpler, clearer, unambiguous path for CAs that seems useful to move to: - If a CA is trusted for purpose X, that certificate, and all subordinate CAs, should be audited against the criteria relevant for X I am

Re: Audit Reminders for Intermediate Certs

2020-11-03 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of November 2020 Outdated Audit Statements for Intermediate Certs Date: Tue, 3 Nov 2020 15:00:07 +0000 (GMT) CA Owner: AC Camerfirma, S.A. - Certificate Name: MULTICERT SSL Certification Authority 001 SHA-256 Fingerprint:

CCADB Proposal: Add field called Full CRL Issued By This CA

2020-10-21 Thread Kathleen Wilson via dev-security-policy
All, Root store operators would like to easily find and use the URLs to the Full CRLs for things like Mozilla’s CRLite. The BRs do not require CRL URLs in end-entity certificates, and many CAs use partitioned CRLs for end-entity certificates. Proposal: Add field called 'Full CRL Issued By

Re: Audit Reminder Email Summary

2020-10-20 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of October 2020 Audit Reminder Emails Date: Tue, 20 Oct 2020 19:00:26 +0000 (GMT) Mozilla: Audit Reminder CA Owner: Internet Security Research Group (ISRG) Root Certificates: ISRG Root X1** ** Audit Case in the Common CA Database is under

Re: PEM of root certs in Mozilla's root store

2020-10-14 Thread Kathleen Wilson via dev-security-policy
The text version has been updated to have each line limited to 64 characters. Text: https://ccadb-public.secure.force.com/mozilla/IncludedRootsPEMTxt?TrustBitsInclude=Websites https://ccadb-public.secure.force.com/mozilla/IncludedRootsPEMTxt?TrustBitsInclude=Email CSV:

Re: PEM of root certs in Mozilla's root store

2020-10-12 Thread Kathleen Wilson via dev-security-policy
On 10/7/20 1:09 PM, Jakob Bohm wrote: Please note that at least the first CSV download is not really a CSV file, as there are line feeds within each "PEM" value, and only one column.  It would probably be more useful as a simple concatenated PEM file, as used by various software packages as a
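The two format points raised in this thread, the text download being re-wrapped to 64-character base64 lines (2020-10-14 above) and Jakob Bohm's observation that the CSV download is a single column with line feeds inside each quoted PEM value, as an added stdlib-only Python example. This is not code from the thread, from Mozilla or from the CCADB. The sample "certificates" are constructed byte strings, not real X.509 certificates: the functions only need the PEM framing, base64 and a SHA-256 over the DER bytes, so nothing here parses ASN.1.

```python
"""Consume a concatenated PEM bundle of root certificates (stdlib only).

Added example, not part of the mailing-list thread or of any CCADB code.
The sample "certificates" are constructed byte strings, not real X.509
certificates; the code demonstrates PEM framing, reflowing base64 to
64-column lines (the RFC 7468 width), and SHA-256 fingerprinting of the
DER bytes, plus reading the one-column "CSV" form with embedded newlines.
"""
import base64
import csv
import hashlib
import io
import re

PEM_LINE_WIDTH = 64
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_bundle(text: str) -> list:
    """Return the base64 body of every CERTIFICATE block, in file order."""
    return [m.group("body") for m in _PEM_BLOCK.finditer(text)]


def pem_body_to_der(body: str) -> bytes:
    """Decode a PEM body no matter how (or whether) its base64 was wrapped."""
    compact = "".join(body.split())
    return base64.b64decode(compact, validate=True)


def der_to_pem(der: bytes, width: int = PEM_LINE_WIDTH) -> str:
    """Re-encode DER as a CERTIFICATE block with base64 wrapped at `width`."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-256 of the DER, as CCADB reports list it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_bundle(text: str) -> str:
    """Rewrite a bundle so every certificate uses 64-column base64 lines."""
    return "".join(der_to_pem(pem_body_to_der(b)) for b in split_pem_bundle(text))


def pems_from_csv(csv_text: str, column: str = "PEM") -> list:
    """Read a one-column CSV whose quoted PEM field spans several lines.

    The csv module reassembles a quoted field across line feeds, which is
    what makes this download usable even though it is not a flat CSV.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row[column] for row in reader]


# Constructed sample data: not real certificates.
_DER_A = bytes(range(256))        # 344 base64 chars -> 6 lines at width 64
_DER_B = b"\x30\x03\x02\x01\x01"  # a tiny DER SEQUENCE

# A bundle as a downstream might receive it: one block with a single long
# base64 line, one already wrapped at 64 columns.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(_DER_A).decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
    + der_to_pem(_DER_B)
)

# The same material in the single-column CSV form, with line feeds inside
# each quoted PEM value.
SAMPLE_CSV = "PEM\n" + "".join(
    '"' + der_to_pem(d).rstrip("\n") + '"\n' for d in (_DER_A, _DER_B)
)


def main() -> None:
    for body in split_pem_bundle(SAMPLE_BUNDLE):
        der = pem_body_to_der(body)
        print(f"{len(der):4d} bytes  {sha256_fingerprint(der)}")
    print(normalize_bundle(SAMPLE_BUNDLE))
    print(len(pems_from_csv(SAMPLE_CSV)), "PEM values read from the CSV form")


if __name__ == "__main__":
    main()
```

A downstream would pass the actual IncludedRootsPEMTxt download to normalize_bundle, or the CSV download to pems_from_csv and then split_pem_bundle; sha256_fingerprint gives the colon-separated form that matches the fingerprints in the CCADB reports, which is the practical way to cross-check a consumed bundle against the root store.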

Re: Verifying Auditor Qualifications

2020-10-12 Thread Kathleen Wilson via dev-security-policy
On 10/11/20 11:06 PM, Nikolaos Soumelidis wrote: Dear Kathleen, We have been informed by ACCREDIA that the accreditation pages have now been updated to include ETSI EN 319 403. This removes any ambiguity. URLs remain the same; for example, QMSCERT's accreditation:

Re: PEM of root certs in Mozilla's root store

2020-10-07 Thread Kathleen Wilson via dev-security-policy
On 10/7/20 9:30 AM, Matthew Hardeman wrote: Would it be unreasonable to also consider publishing, as an "easy to use" list, that set of only those anchors which are currently trusted in the program and for which no exceptional in-product policy enforcement is imposed? (TLD constraints,

Re: PEM of root certs in Mozilla's root store

2020-10-07 Thread Kathleen Wilson via dev-security-policy
On 10/6/20 7:09 PM, Ryan Sleevi wrote: It seems like there should be a link to https://wiki.mozilla.org/CA/FAQ#Can_I_use_Mozilla.27s_set_of_CA_certificates.3F there I added that link to https://wiki.mozilla.org/CA/Included_Certificates Thanks, Kathleen

PEM of root certs in Mozilla's root store

2020-10-06 Thread Kathleen Wilson via dev-security-policy
All, I've been asked to publish Mozilla's root store in a way that is easy to consume by downstreams, so I have added the following to https://wiki.mozilla.org/CA/Included_Certificates CCADB Data Usage Terms PEM of Root

Re: Audit Reminders for Intermediate Certs

2020-10-06 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of October 2020 Outdated Audit Statements for Intermediate Certs Date: Tue, 6 Oct 2020 14:00:25 +0000 (GMT) CA Owner: Government of The Netherlands, PKIoverheid (Logius) - Certificate Name: QuoVadis PKIoverheid Organisatie Server CA - G3

Re: Audit Reminder Email Summary

2020-09-18 Thread Kathleen Wilson via dev-security-policy
On 9/15/20 3:21 PM, Kathleen Wilson wrote: Forwarded Message Subject: Summary of September 2020 Audit Reminder Emails Mozilla: Audit Reminder CA Owner: E-Tugra Root Certificates: E-Tugra Certification Authority Standard Audit:

Re: Audit Reminder Email Summary

2020-09-15 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of September 2020 Audit Reminder Emails Date: Tue, 15 Sep 2020 19:00:12 +0000 (GMT) Mozilla: Overdue Audit Statements CA Owner: eMudhra Technologies Limited Root Certificates: emSign Root CA - C1** emSign ECC Root CA - C3** emSign

Re: Add Ben Wilson as Peer of Mozilla's CA Certificates and CA Certificate Policy modules

2020-09-02 Thread Kathleen Wilson via dev-security-policy
On 8/27/20 11:11 AM, Kathleen Wilson wrote: All, I propose adding Ben Wilson as a peer[1] of Mozilla's CA Certificates Module[2] and CA Certificate Policy Module[3]. As you know, Ben and I are distributing the job of running Mozilla's CA Program between us, so Ben will continue to actively work

Re: Verifying Auditor Qualifications

2020-09-01 Thread Kathleen Wilson via dev-security-policy
On 8/31/20 11:07 AM, Kathleen Wilson wrote: On 8/28/20 3:59 PM, Kathleen Wilson wrote: On 8/26/20 1:41 PM, Kathleen Wilson wrote: The 5 CABs that I haven't been able to complete the Standard Check for are: - Bureau Veritas Italia S.p.A. - NAB is Accredia - CSQA - NAB is Accredia - KIWA - NAB

Re: Audit Reminders for Intermediate Certs

2020-09-01 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of September 2020 Outdated Audit Statements for Intermediate Certs Date: Tue, 1 Sep 2020 14:00:20 +0000 (GMT) CA Owner: Government of The Netherlands, PKIoverheid (Logius) - Certificate Name: QuoVadis PKIoverheid Organisatie Server CA -

Re: Verifying Auditor Qualifications

2020-08-31 Thread Kathleen Wilson via dev-security-policy
On 8/28/20 3:59 PM, Kathleen Wilson wrote: On 8/26/20 1:41 PM, Kathleen Wilson wrote: The 5 CABs that I haven't been able to complete the Standard Check for are: - Bureau Veritas Italia S.p.A. - NAB is Accredia - CSQA - NAB is Accredia - KIWA - NAB is Accredia - QMSCERT - NAB is Accredia -

Re: Verifying Auditor Qualifications

2020-08-28 Thread Kathleen Wilson via dev-security-policy
On 8/26/20 1:41 PM, Kathleen Wilson wrote: The 5 CABs that I haven't been able to complete the Standard Check for are: - Bureau Veritas Italia S.p.A. - NAB is Accredia - CSQA - NAB is Accredia - KIWA - NAB is Accredia - QMSCERT - NAB is Accredia - QSCert - NAB is CAI Update: I received

How to Create an Audit Case in CCADB

2020-08-27 Thread Kathleen Wilson via dev-security-policy
CAs, I have updated the instructions for creating an Audit Case in the CCADB, and have added a video that demonstrates the process. https://www.ccadb.org/cas/updates#instructions Please let me know if you have any questions about the updated process. Thanks, Kathleen

Add Ben Wilson as Peer of Mozilla's CA Certificates and CA Certificate Policy modules

2020-08-27 Thread Kathleen Wilson via dev-security-policy
All, I propose adding Ben Wilson as a peer[1] of Mozilla's CA Certificates Module[2] and CA Certificate Policy Module[3]. As you know, Ben and I are distributing the job of running Mozilla's CA Program between us, so Ben will continue to actively work on both of these Modules. Thanks, Kathleen

Re: Verifying Auditor Qualifications

2020-08-26 Thread Kathleen Wilson via dev-security-policy
On 8/26/20 2:01 PM, Nikolaos Soumelidis wrote: I will greatly appreciate it if you can reach out to them again. Please let me know what information you would need. Will definitely do. Probably no other information will be needed by you, but I do appreciate the offer. Thanks! Please note

Re: Verifying Auditor Qualifications

2020-08-26 Thread Kathleen Wilson via dev-security-policy
On 8/26/20 12:35 PM, Nikolaos Soumelidis wrote: One would expect that they would put that in the accreditation documents or references, That helps answer part of my question -- that it is reasonable to expect the NAB's accreditation document to specifically list these ETSI EN standards.

Re: Verifying Auditor Qualifications

2020-08-26 Thread Kathleen Wilson via dev-security-policy
On 8/26/20 12:29 PM, Ben Wilson wrote: This raises the question of whether NABs typically include ETSI EN 319 401, ETSI EN 319 411-1 and ETSI EN 319 411-2 in such CAB certification records. The answer to that question is yes, the other NABs typically do list that information directly in the

Re: Verifying Auditor Qualifications

2020-08-26 Thread Kathleen Wilson via dev-security-policy
On 6/3/20 4:20 PM, Kathleen Wilson wrote: It recently came to my attention that I need to be more diligent in verifying auditor qualifications. https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications All, While re-verifying auditor qualifications I have run into the following

Re: CCADB Updates August 20-24: Policy Document Objects

2020-08-26 Thread Kathleen Wilson via dev-security-policy
Here are a couple clarifications about this CCADB update. Please let me know if you run into any problems or have further questions about it. 1) The multiple-policy-documents feature is only available at the root certificate level. 2) Changes to root certificate records and their policy

Re: CCADB Updates August 20-24: Policy Document Objects

2020-08-25 Thread Kathleen Wilson via dev-security-policy
The CCADB has been updated to enable many-to-many mapping between policy documents and root certificates. If you run into any problems using the CCADB, please send an email to supp...@ccadb.org. We are already working to fix the AllCertificateRecordsCSVFormat report, which is currently

Re: Audit Reminder Email Summary

2020-08-18 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of August 2020 Audit Reminder Emails Date: Tue, 18 Aug 2020 19:00:34 +0000 (GMT) Mozilla: Audit Reminder CA Owner: eMudhra Technologies Limited Root Certificates: emSign Root CA - C1 emSign ECC Root CA - C3 emSign ECC Root CA - G3

CCADB Updates August 20-24: Policy Document Objects

2020-08-13 Thread Kathleen Wilson via dev-security-policy
All, Currently CCADB only allows for one CP URL and one CPS URL per root certificate, so we are updating the CCADB to enable many-to-many mapping between policy documents and root certificates. One or more policy documents may be provided and associated with one or more root certificates and

Re: Adding Distrust-After Date columns to CCADB reports

2020-08-04 Thread Kathleen Wilson via dev-security-policy
While we're at it, we're going to update the date format in the reports to YYYY-MM-DD. On 8/4/20 9:06 AM, Kathleen Wilson wrote: No concerns have been raised, so we will proceed with inserting the new columns between the "Trust Bits" and "EV Policy OID(s)" columns. On 7/29/20 11:11 AM,

Re: Audit Reminders for Intermediate Certs

2020-08-04 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of August 2020 Outdated Audit Statements for Intermediate Certs Date: Tue, 4 Aug 2020 14:00:25 +0000 (GMT) CA Owner: Government of Taiwan, Government Root Certification Authority (GRCA) - Certificate Name: 行政院工商憑證管理中心 (MOEACA) SHA-256

Re: Adding Distrust-After Date columns to CCADB reports

2020-08-04 Thread Kathleen Wilson via dev-security-policy
No concerns have been raised, so we will proceed with inserting the new columns between the "Trust Bits" and "EV Policy OID(s)" columns. On 7/29/20 11:11 AM, Kathleen Wilson wrote: All, I have been asked to add two columns to the following CCADB reports. Columns to add: 1) Distrust for

Adding Distrust-After Date columns to CCADB reports

2020-07-29 Thread Kathleen Wilson via dev-security-policy
All, I have been asked to add two columns to the following CCADB reports. Columns to add: 1) Distrust for TLS After Date 2) Distrust for S/MIME After Date Reports to update: 1) https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport 2)
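How a consumer of the updated reports might read the two new columns and apply them to a trust decision, as an added Python example. It is not CCADB, NSS or Mozilla code. Assumptions, stated again in the code: the report is CSV with a first column naming the root (the header "Root Certificate Name" is assumed), the column names used in this thread ("Trust Bits", "Distrust for TLS After Date", "Distrust for S/MIME After Date", "EV Policy OID(s)"), dates in YYYY-MM-DD, an empty date meaning no cut-off, list values separated by ";", and the cut-off compared against the end-entity certificate's notBefore, so that a certificate issued after the date is not trusted for that purpose while one issued on the date still is. The rows are constructed sample data, and the EV OID in them is made up.

```python
"""Apply CCADB "Distrust ... After Date" columns to leaf-certificate decisions.

Added example for this thread, not code from the CCADB, NSS or Mozilla.
Assumptions: the report is CSV with a root-name column ("Root Certificate
Name" is an assumed header), the column names from the thread ("Trust Bits",
"Distrust for TLS After Date", "Distrust for S/MIME After Date",
"EV Policy OID(s)"), YYYY-MM-DD dates, an empty date meaning no cut-off,
";"-separated lists, and the cut-off compared against the leaf's notBefore:
a leaf issued after the date is not trusted for that purpose, one issued on
the date still is. The sample rows below are constructed, not real records.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Optional

NAME_COLUMN = "Root Certificate Name"  # assumed header, not from the thread
TRUST_BIT_FOR_USAGE = {"tls": "Websites", "smime": "Email"}
DATE_COLUMN_FOR_USAGE = {
    "tls": "Distrust for TLS After Date",
    "smime": "Distrust for S/MIME After Date",
}


@dataclass(frozen=True)
class RootRecord:
    name: str
    trust_bits: frozenset
    distrust_tls_after: Optional[date]
    distrust_smime_after: Optional[date]
    ev_policy_oids: tuple

    def cutoff_for(self, usage: str) -> Optional[date]:
        if usage == "tls":
            return self.distrust_tls_after
        if usage == "smime":
            return self.distrust_smime_after
        raise ValueError(f"unknown usage {usage!r}")

    def is_trusted(self, usage: str, leaf_not_before: date) -> bool:
        """Trust decision for a leaf issued under this root for `usage`.

        A missing trust bit means never trusted for that usage. Otherwise
        the leaf is trusted unless its notBefore is after the cut-off date.
        """
        if TRUST_BIT_FOR_USAGE[usage] not in self.trust_bits:
            return False
        cutoff = self.cutoff_for(usage)
        return cutoff is None or leaf_not_before <= cutoff

    def is_ev_capable(self) -> bool:
        """EV needs at least one policy OID and the Websites trust bit."""
        return bool(self.ev_policy_oids) and "Websites" in self.trust_bits


def _split_list(value: str) -> list:
    return [item.strip() for item in value.split(";") if item.strip()]


def _parse_date(value: str) -> Optional[date]:
    value = value.strip()
    return date.fromisoformat(value) if value else None


def parse_report(csv_text: str) -> dict:
    """Index a report's rows by root name; raises on a malformed date."""
    records = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        rec = RootRecord(
            name=row[NAME_COLUMN].strip(),
            trust_bits=frozenset(_split_list(row["Trust Bits"])),
            distrust_tls_after=_parse_date(row[DATE_COLUMN_FOR_USAGE["tls"]]),
            distrust_smime_after=_parse_date(row[DATE_COLUMN_FOR_USAGE["smime"]]),
            ev_policy_oids=tuple(_split_list(row["EV Policy OID(s)"])),
        )
        records[rec.name] = rec
    return records


def check(records: dict, name: str, usage: str, not_before_iso: str) -> bool:
    """Convenience wrapper taking the leaf's notBefore as YYYY-MM-DD."""
    return records[name].is_trusted(usage, date.fromisoformat(not_before_iso))


# Constructed sample report: the new columns sit between "Trust Bits" and
# "EV Policy OID(s)", as proposed in the thread. The OID is made up.
SAMPLE_REPORT = """\
"Root Certificate Name","Trust Bits","Distrust for TLS After Date","Distrust for S/MIME After Date","EV Policy OID(s)"
"Example Legacy Root","Websites;Email","2021-04-30","","1.3.6.1.4.1.99999.1"
"Example Email Root","Email","","2022-12-31",""
"Example Active Root","Websites;Email","","",""
"""


if __name__ == "__main__":
    roots = parse_report(SAMPLE_REPORT)
    for root_name, usage, issued in (
        ("Example Legacy Root", "tls", "2021-04-30"),
        ("Example Legacy Root", "tls", "2021-05-01"),
        ("Example Email Root", "tls", "2020-01-01"),
        ("Example Email Root", "smime", "2023-01-01"),
    ):
        print(f"{root_name:20s} {usage:5s} issued {issued}: "
              f"{'trusted' if check(roots, root_name, usage, issued) else 'distrusted'}")
```

The point a consumer has to get right is that these dates are per purpose: a root with a TLS cut-off can still be fully trusted for S/MIME, and a root that has lost a trust bit outright is untrusted regardless of any date, which is why the bit is checked before the date.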

Re: Audit Reminder Email Summary

2020-07-27 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of July 2020 Audit Reminder Emails Date: Tue, 21 Jul 2020 19:00:13 +0000 (GMT) Mozilla: Audit Reminder CA Owner: eMudhra Technologies Limited Root Certificates: emSign Root CA - C1 emSign ECC Root CA - C3 emSign ECC Root CA - G3

Re: Audit Reminders for Intermediate Certs

2020-07-07 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of July 2020 Outdated Audit Statements for Intermediate Certs Date: Tue, 7 Jul 2020 14:00:11 +0000 (GMT) CA Owner: Government of Taiwan, Government Root Certification Authority (GRCA) - Certificate Name: 行政院工商憑證管理中心 (MOEACA) SHA-256

Re: Verifying Auditor Qualifications

2020-06-25 Thread Kathleen Wilson via dev-security-policy
On 6/24/20 8:48 PM, Ryan Sleevi wrote: On Wed, Jun 24, 2020 at 3:08 PM Kathleen Wilson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: I have updated the following section of the wiki page to incorporate feedback that I received from representatives of ACAB'c.

Re: Verifying Auditor Qualifications

2020-06-24 Thread Kathleen Wilson via dev-security-policy
I have updated the following section of the wiki page to incorporate feedback that I received from representatives of ACAB'c. https://wiki.mozilla.org/CA/Audit_Statements#Verifying_ETSI_Auditor_Qualifications I will greatly appreciate it if those of you familiar with ETSI audits will review

Re: Audit Reminder Email Summary

2020-06-18 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of June 2020 Audit Reminder Emails Date: Tue, 16 Jun 2020 19:00:31 +0000 (GMT) Mozilla: Audit Reminder CA Owner: Shanghai Electronic Certification Authority Co., Ltd. (SHECA) Root Certificates: UCA Extended Validation Root UCA Global G2

Re: Verifying Auditor Qualifications

2020-06-04 Thread Kathleen Wilson via dev-security-policy
On 6/4/20 1:25 AM, Arvid Vermote wrote: Hi Kathleen Related to the below it would be helpful if the WebTrust organization would disclose additional details on the licensed WebTrust practitioners: right now there is no data publicly available on historical WebTrust auditor licensing. We don't

Re: Request to Include Microsec e-Szigno Root CA 2017 and to EV-enable Microsec e-Szigno Root CA 2009

2020-06-04 Thread Kathleen Wilson via dev-security-policy
On 6/4/20 11:17 AM, Ben Wilson wrote: Having received no further comments, I have recommended approval of this request in bug 1445364 - Ben To clarify, Ben is recommending approval of the request to include the e-Szigno Root CA 2017

Verifying Auditor Qualifications

2020-06-03 Thread Kathleen Wilson via dev-security-policy
All, It recently came to my attention that I need to be more diligent in verifying auditor qualifications. Therefore, we have added a field in the CCADB called “Date Qualifications Verified” (on Auditor Location objects), which will be used to remind root store operators to check each

Re: DRAFT May 2020 CA Communication/Survey

2020-06-03 Thread Kathleen Wilson via dev-security-policy
Based on the survey results, we (Ben and I) have recommended the following updates to the Browser Alignment Ballot. (currently in draft form here: https://github.com/sleevi/cabforum-docs/pull/10) 1) For the following changes proposed in the ballot, we have recommended that the effective date

Re: Audit Reminders for Intermediate Certs

2020-06-02 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of June 2020 Outdated Audit Statements for Intermediate Certs Date: Tue, 2 Jun 2020 14:00:11 +0000 (GMT) intermediate certs chaining up to root certs in Mozilla's program.

Re: DRAFT May 2020 CA Communication/Survey

2020-06-01 Thread Kathleen Wilson via dev-security-policy
Thank you to all of you who responded to the May 2020 CA Communication/Survey. Communication/Survey: https://wiki.mozilla.org/CA/Communications#May_2020_CA_Communication Blog Post: https://blog.mozilla.org/security/2020/05/08/may-2020-ca-communication/ Responses:

Re: Audit Reminder Email Summary

2020-05-19 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of May 2020 Audit Reminder Emails Date: Tue, 19 May 2020 19:00:17 +0000 (GMT) Mozilla: Audit Reminder CA Owner: Global Digital Cybersecurity Authority Co., Ltd. (Formerly Guang Dong Certificate Authority (GDCA)) Root Certificates: GDCA

Re: DRAFT May 2020 CA Communication/Survey

2020-05-08 Thread Kathleen Wilson via dev-security-policy
On 5/7/20 11:33 AM, Kathleen Wilson wrote: > I have drafted a potential CA Communication and survey, and will greatly > appreciate your input on it. > > https://wiki.mozilla.org/CA/Communications#May_2020_CA_Communication > > Direct link to read-only copy of the draft survey: >

Re: Audit Reminders for Intermediate Certs

2020-05-07 Thread Kathleen Wilson via dev-security-policy
On 5/6/20 5:19 AM, Ryan Sleevi wrote: Should we be creating CA incidents for repeats? I wasn’t sure if this was just an administrative hiccup on the Mozilla side in processing the case, or if this is a matter where the CA is not disclosing in a timely fashion. CAs directly add audit

Re: DRAFT May 2020 CA Communication/Survey

2020-05-07 Thread Kathleen Wilson via dev-security-policy
> I have drafted a potential CA Communication and survey, and will greatly > appreciate your input on it. > > https://wiki.mozilla.org/CA/Communications#May_2020_CA_Communication > > Direct link to read-only copy of the draft survey: >

Re: Audit Reminders for Intermediate Certs

2020-05-05 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of May 2020 Outdated Audit Statements for Intermediate Certs Date: Tue, 5 May 2020 14:00:08 +0000 (GMT) CA Owner: SECOM Trust Systems CO., LTD. - Certificate Name: SECOM Passport for Web MH CA SHA-256 Fingerprint:

Re: DRAFT May 2020 CA Communication/Survey

2020-05-05 Thread Kathleen Wilson via dev-security-policy
On 5/4/20 9:31 AM, Corey Bonnell wrote: Thank you very much for the clarifications. If I'm understanding correctly, it sounds like Mozilla is considering to add sub-items of item 4 on the survey as Mozilla Root Program requirements if the associated CAB Forum ballot does not pass. However, there

Re: DRAFT May 2020 CA Communication/Survey

2020-05-01 Thread Kathleen Wilson via dev-security-policy
On 5/1/20 10:18 AM, Corey Bonnell wrote: I agree that the intent of item 3 is clear, given the previous discussion on the topic [1]. However, there is no corresponding discussion on the Mozilla list (nor any Github issues [2]) for item 4 and the associated sub-items, which is why I asked for

Re: DRAFT May 2020 CA Communication/Survey

2020-05-01 Thread Kathleen Wilson via dev-security-policy
On 5/1/20 9:48 AM, Corey Bonnell wrote: Hi Kathleen, Thank you for sending out this notification of the draft survey. I have briefly reviewed and would like to ask what is the intent of Item 4 and the associated sub-items? The Browser Alignment draft ballot is under discussion in the CAB

Re: Audit Reminder Email Summary

2020-04-21 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of April 2020 Audit Reminder Emails Date: Tue, 21 Apr 2020 19:00:09 +0000 (GMT) Mozilla: Audit Reminder CA Owner: Global Digital Cybersecurity Authority Co., Ltd. (Formerly Guang Dong Certificate Authority (GDCA)) Root Certificates: GDCA

Welcome Ben Wilson to Mozilla!

2020-04-13 Thread Kathleen Wilson via dev-security-policy
All, I am pleased to announce that Ben Wilson has joined Mozilla as a CA Program Manager! Ben has worked in PKI security, compliance, and policy since 1998. Previously, he worked at DigiCert in various roles, including VP of PKI Operations, VP of Compliance, and Chair of DigiCert’s Policy

Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-03-27 Thread Kathleen Wilson via dev-security-policy
All, Just FYI that I updated the CA Incident Dashboard wiki page to separate the audit delay bugs into their own section. https://wiki.mozilla.org/CA/Incident_Dashboard#Audit_Delays Thanks, Kathleen

Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-03-23 Thread Kathleen Wilson via dev-security-policy
It's still very much a work-in-progress, but I updated the first bullet point in the "Minimum Expectations" section again. https://wiki.mozilla.org/CA/Audit_Statements#Audit_Delay "" Both ETSI and WebTrust Audits should: - Disclose each location (at the state/province level) that was included

Re: COVID-19 and CA Operational Status

2020-03-23 Thread Kathleen Wilson via dev-security-policy
All, If Mozilla decides to ask each CA in our program these types of questions, we will do so via a CA Communication (https://wiki.mozilla.org/CA/Communications). I appreciate Burton's curiosity, but your participation in this particular discussion thread is optional, and will not be

Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-03-20 Thread Kathleen Wilson via dev-security-policy
On 3/20/20 1:15 PM, Jeremy Rowley wrote: What about issues other than audits? For example, with certain locations closing, key ceremonies may become impossible, leading to downed CRLs/OCSP for intermediates. There's also a potential issue with trusted roles even being able to access the data

Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-03-20 Thread Kathleen Wilson via dev-security-policy
All, I will greatly appreciate your ideas about the following. In the Minimum Expectations section in https://wiki.mozilla.org/CA/Audit_Statements#Audit_Delay I added: "" * Both ETSI and WebTrust Audits must: ** Disclose each location that was included in the scope of the audit, as well as

Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-03-19 Thread Kathleen Wilson via dev-security-policy
On 3/18/20 5:16 PM, Ryan Sleevi wrote: Suggestions: 1) Rename "Audit Delay" to [audit-delay] and rename "Audit Delay COVID-19" to [audit-delay] [covid-19] or [audit-delay-covid-19], depending Rationale: In general, our filters work on word searches, so the brackets help distinguish the

Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-03-18 Thread Kathleen Wilson via dev-security-policy
All, I will greatly appreciate your input on the following new "Audit Delay" section. https://wiki.mozilla.org/CA/Audit_Statements#Audit_Delay Thanks, Kathleen PS: I moved the content of https://wiki.mozilla.org/CA/Audit_Letter_Validation to https://wiki.mozilla.org/CA/Audit_Statements

Re: Audit Reminder Email Summary

2020-03-17 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of March 2020 Audit Reminder Emails Date: Tue, 17 Mar 2020 19:00:22 + (GMT) Mozilla: Audit Reminder CA Owner: Government of The Netherlands, PKIoverheid (Logius) Root Certificates: Staat der Nederlanden EV Root CA Staat der

Re: About upcoming limits on trusted certificates

2020-03-17 Thread Kathleen Wilson via dev-security-policy
Thanks to all of you who have participated in this discussion. We plan to begin work on a minor update (version 2.7.1) to Mozilla's Root Store Policy soon. In response to this discussion, the following two issues have been created and labelled for 2.7.1. Wayne filed

Re: About upcoming limits on trusted certificates

2020-03-15 Thread Kathleen Wilson via dev-security-policy
On 3/14/20 11:53 AM, Nick Lamb wrote: On Thu, 5 Mar 2020 14:15:17 + Nick Lamb via dev-security-policy wrote: Would Mozilla accept third party work to implement something like #908125 ? Hi Nick, I apologize for my delay in replying to your question. I checked with the Crypto

Re: About upcoming limits on trusted certificates

2020-03-12 Thread Kathleen Wilson via dev-security-policy
On 3/12/20 5:52 AM, Doug Beattie wrote: Changing the domain validation re-use period is a substantial change from the Apple proposed max validity period change and will place an additional burden on certificate Applicants to update their domain validation more than twice as frequently.

Re: About upcoming limits on trusted certificates

2020-03-11 Thread Kathleen Wilson via dev-security-policy
On 3/11/20 4:37 PM, Paul Walsh wrote: On Mar 11, 2020, at 4:11 PM, Kathleen Wilson via dev-security-policy wrote: On 3/11/20 3:51 PM, Paul Walsh wrote: Can you provide some insight to why you think a shorter frequency in domain validation would be beneficial? [PW] If the owner’s identity

Re: About upcoming limits on trusted certificates

2020-03-11 Thread Kathleen Wilson via dev-security-policy
On 3/11/20 3:51 PM, Paul Walsh wrote: Can you provide some insight to why you think a shorter frequency in domain validation would be beneficial? To start with, it is common for a domain name to be purchased for one year. A certificate owner that was able to prove ownership/control of the

Re: About upcoming limits on trusted certificates

2020-03-11 Thread Kathleen Wilson via dev-security-policy
All, First, I would like to say that my preference would have been for this type of change (limit SSL cert validity period to 398 days) to be agreed to in the CA/Browser Forum and added to the BRs. However, the ball is already rolling, and discussion here in m.d.s.p is supportive of updating

Request to Include Microsec e-Szigno Root CA 2017 and to EV-enable Microsec e-Szigno Root CA 2009

2020-03-09 Thread Kathleen Wilson via dev-security-policy
This request is for inclusion of the Microsec e-Szigno Root CA 2017 trust anchor and to EV-enable the currently included Microsec e-Szigno Root CA 2009 trust anchor as documented in the following bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1445364 BR Self Assessment is here:

Re: Audit Reminders for Intermediate Certs

2020-03-03 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of March 2020 Outdated Audit Statements for Intermediate Certs Date: Tue, 3 Mar 2020 15:00:16 + (GMT) CA Owner: AC Camerfirma, S.A. - Certificate Name: InfoCert Organization Validation CA 3 SHA-256 Fingerprint:

Re: 1H2020 Symantec Root Updates

2020-02-26 Thread Kathleen Wilson via dev-security-policy
I have filed these three bugs. === Bug #1: Root Removal and Disable Email Trust Bit === https://bugzilla.mozilla.org/show_bug.cgi?id=1618402 Symantec root certs - removal and turning off Email trust bit === Bug #2: Set CKA_NSS_SERVER_DISTRUST_AFTER ===

Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-02-20 Thread Kathleen Wilson via dev-security-policy
All, First, I would like to add a personal note that I am truly sorry about the many people, families, and colleagues that are being impacted by the Coronavirus. This is a heartbreaking situation. At Mozilla, our responsibility lies in ensuring people's security and privacy as they navigate

1H2020 Symantec Root Updates

2020-02-18 Thread Kathleen Wilson via dev-security-policy
All, I plan to file the following Bugzilla Bugs for changes related to the distrust of the old Symantec root certificates. === Bug #1: Root Removal and Disable Email Trust Bit === This bug will request that the following changes be made to NSS. 1) Remove the following root certs. - Subject:
