EJBCA performs incorrect calculation of validities

2020-10-28 Thread Mike Kushner via dev-security-policy
Hi all, We were alerted to the fact that EJBCA does not calculate certificate and OCSP validities in accordance with RFC 5280, which has been a requirement since BR 1.7.1. The word "inclusive" was not caught, meaning that a certificate/response issued by EJBCA will have a validity of one second

Re: Notice on SC31 and CAs using EJBCA

2020-09-18 Thread Mike Kushner via dev-security-policy
To be clear, the change came as a result of following the cabf mailing lists, and was released as soon as it could be fit into our pipeline. All customers were informed through our release mailing list. Cheers Mike Agrenius Kushner Product Owner, EJBCA On Fri, 18 Sep 2020 at 13:35, Arvid

Re: CAA record checking issue

2019-05-13 Thread Mike Kushner via dev-security-policy
On Monday, May 13, 2019 at 1:39:32 AM UTC+2, Matt Palmer wrote: > On Sat, May 11, 2019 at 08:37:53AM -0700, Han Yuwei via dev-security-policy > wrote: > > This raised a question: > > How can CA prove they have done CAA checks or not at the time of issue? > > They can't, just as they can't

Re: Open Source CA Software

2019-03-15 Thread Mike Kushner via dev-security-policy
On Thursday, March 14, 2019 at 11:54:52 PM UTC+1, James Burton wrote: > Let's Encrypt CA software 'Boulder' is open source for everyone to browse > and check for issues. All other CAs should follow the Let's Encrypt lead > and open source their own CA software for everyone to browse and check for

Re: What's the meaning of "non-sequential"? (AW: EJBCA defaulting to 63 bit serial numbers)

2019-03-12 Thread Mike Kushner via dev-security-policy
> I think when it comes to specifications with cryptographic relevance (as > unpredictable serials are), less is more; the more inflexible and > unambiguous the spec is, the less likely it will be "creatively > interpreted" in a manner that bypasses the whole point. To someone with > crypto

Re: EJBCA defaulting to 63 bit serial numbers

2019-03-08 Thread Mike Kushner via dev-security-policy
Hi Jakob, On Thursday, March 7, 2019 at 7:30:03 PM UTC+1, Jakob Bohm wrote: > In the cause of the other discussion it was revealed that EJBCA by PrimeKey > has apparently: > > 1. Made serial numbers with 63 bits of entropy the default. Which is > not in compliance with the BRs for globally

Re: DarkMatter Concerns

2019-02-26 Thread Mike Kushner via dev-security-policy
Hi, Since EJBCA as a product was mentioned we thought we could chime in with some background and updates. EJBCA was possibly the first (certainly one of the first) CA products to use random serial numbers. From the very beginning, 64 bit random serial numbers, from a CSPRNG, were used. This