RE: CA Validation quality is failing

2017-05-09 Thread Jeremy Rowley via dev-security-policy
2017 12:09 PM To: r...@sleevi.com Cc: mozilla-dev-security-pol...@lists.mozilla.org; Gervase Markham Subject: RE: CA Validation quality is failing Okay – we’ll add them all to CT over the next couple of days. From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Tuesday, May 2, 2017 9:08

Re: CA Validation quality is failing

2017-05-02 Thread Jakob Bohm via dev-security-policy
On 02/05/2017 17:30, Rob Stradling wrote: On 02/05/17 16:11, Alex Gaynor via dev-security-policy wrote: I know several CAs are using certlint (https://github.com/awslabs/certlint) as a pre-issuance check that the cert they're about to issue doesn't have any programmatically detectable deficienci

RE: CA Validation quality is failing

2017-05-02 Thread Jeremy Rowley via dev-security-policy
Okay – we’ll add them all to CT over the next couple of days. From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Tuesday, May 2, 2017 9:08 AM To: Jeremy Rowley Cc: r...@sleevi.com; Gervase Markham ; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: CA Validation quality is failing

RE: CA Validation quality is failing

2017-05-02 Thread Jeremy Rowley via dev-security-policy
Thanks! The revocation timeline changes are coming today/tomorrow morning. -Original Message- From: Gervase Markham [mailto:g...@mozilla.org] Sent: Tuesday, May 2, 2017 4:55 AM To: r...@sleevi.com; Jeremy Rowley ; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: CA Validation

Re: CA Validation quality is failing

2017-05-02 Thread Rob Stradling via dev-security-policy
certificates 257 entities are affected if we revoke the 1033 certs 82 entities are affected if we revoke just the 150 certs What else would you like to know? Jeremy *From:* Ryan Sleevi [mailto:r...@sleevi.com] *Sent:* Monday, May 1, 2017 5:01 PM *To:* Jeremy Rowley *Cc:* Gervase Markham

Re: CA Validation quality is failing

2017-05-02 Thread Alex Gaynor via dev-security-policy
t; > > > > > > > What else would you like to know? > > > > > > > > Jeremy > > > > > > > > *From:* Ryan Sleevi [mailto:r...@sleevi.com] > > *Sent:* Monday, May 1, 2017 5:01 PM > > *To:* Jeremy Rowley > > *Cc:* Ger

Re: CA Validation quality is failing

2017-05-02 Thread Ryan Sleevi via dev-security-policy
evi.com] > *Sent:* Monday, May 1, 2017 5:01 PM > *To:* Jeremy Rowley > *Cc:* Gervase Markham ; mozilla-dev-security-policy@ > lists.mozilla.org > *Subject:* Re: CA Validation quality is failing > > > > > > > > On Mon, May 1, 2017 at 3:41 PM, Jeremy Rowley via d

Re: CA Validation quality is failing

2017-05-02 Thread Gervase Markham via dev-security-policy
On 02/05/17 00:01, Ryan Sleevi wrote: > Thank you for > 1) Disclosing the details to a sufficient level of detail immediately > 2) Providing regular updates and continued investigation > 3) Confirming the acceptability of the plan before implementing it, and > with sufficient detail to understand t

RE: CA Validation quality is failing

2017-05-01 Thread Jeremy Rowley via dev-security-policy
Validation quality is failing On Mon, May 1, 2017 at 3:41 PM, Jeremy Rowley via dev-security-policy mailto:dev-security-policy@lists.mozilla.org> > wrote: There isn't anything in our CPS directly. However, we state that we follow the baseline requirements in the CPS. T

Re: CA Validation quality is failing

2017-05-01 Thread Ryan Sleevi via dev-security-policy
On Mon, May 1, 2017 at 3:41 PM, Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > There isn't anything in our CPS directly. However, we state that we follow > the baseline requirements in the CPS. The baseline requirements give a > profile for the state field.

RE: CA Validation quality is failing

2017-05-01 Thread Jeremy Rowley via dev-security-policy
ny thoughts? Jeremy -Original Message- From: Gervase Markham [mailto:g...@mozilla.org] Sent: Thursday, April 27, 2017 2:41 AM To: Jeremy Rowley ; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: CA Validation quality is failing On 27/04/17 00:16, Jeremy Rowley wrot

Re: CA Validation quality is failing

2017-04-27 Thread Gervase Markham via dev-security-policy
On 27/04/17 00:16, Jeremy Rowley wrote: > We also started the revocation process for the 500 certificates > containing meta-data. However, we wanted to ask about the 1000 > certificates containing data indicating the field was not applicable. > We recognize these were not properly issued, but I am

RE: CA Validation quality is failing

2017-04-26 Thread Jeremy Rowley via dev-security-policy
ess next week with additional ideas. Please let me know if you have any questions. Jeremy -Original Message- From: Jeremy Rowley Sent: Wednesday, April 19, 2017 7:49 PM To: Jeremy Rowley ; r...@sleevi.com; Mike vd Ent Cc: Ben Wilson ; mozilla-dev-security-policy Subject: RE: CA Validat

RE: CA Validation quality is failing

2017-04-20 Thread Jeremy Rowley via dev-security-policy
know if you have any questions. Jeremy -Original Message- From: Jeremy Rowley Sent: Wednesday, April 19, 2017 7:49 PM To: Jeremy Rowley ; r...@sleevi.com; Mike vd Ent Cc: Ben Wilson ; mozilla-dev-security-policy Subject: RE: CA Validation quality is failing FYI - still looking into this

Re: CA Validation quality is failing

2017-04-20 Thread Ryan Sleevi via dev-security-policy
On Thu, Apr 20, 2017 at 6:42 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > One thing: > > Could this be a result of the common (among CAs) bug of requiring entry > of a US/Canada State/Province regardless of country, forcing applicants > to fill in rando

Re: CA Validation quality is failing

2017-04-20 Thread Jakob Bohm via dev-security-policy
-security-policy Subject: RE: CA Validation quality is failing I’m looking into it right now. I’ll report back shortly. Jeremy From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Wednesday, April 19, 2017 2:25 PM To: Mike vd Ent Cc: mozilla-dev-security-policy ; Jeremy Rowley ; Ben Wilson

Re: CA Validation quality is failing

2017-04-19 Thread Peter Gutmann via dev-security-policy
Ryan Sleevi writes: >For an EV cert, you look in  >https://cabforum.org/wp-content/uploads/EV-V1_6_1.pdf It was meant as a rhetorical question, the OP asked whether doing XYZ in an EV certificate was allowed and I was pointing out that the CAB Forum guidelines should provide the answer.

RE: CA Validation quality is failing

2017-04-19 Thread Jeremy Rowley via dev-security-policy
: r...@sleevi.com; Mike vd Ent Cc: Ben Wilson ; mozilla-dev-security-policy Subject: RE: CA Validation quality is failing I’m looking into it right now. I’ll report back shortly. Jeremy From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Wednesday, April 19, 2017 2:25 PM To: Mike vd Ent Cc

Re: CA Validation quality is failing

2017-04-19 Thread Kurt Roeckx via dev-security-policy
On Wed, Apr 19, 2017 at 09:00:22PM -0400, Ryan Sleevi wrote: > On Wed, Apr 19, 2017 at 7:53 PM, Kurt Roeckx via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > > (It was a code sign certificate, but I expect if it's labeled EV > > that the same things apply.) > > > > No

Re: CA Validation quality is failing

2017-04-19 Thread Kurt Roeckx via dev-security-policy
On Wed, Apr 19, 2017 at 11:58:28PM +, Jeremy Rowley wrote: > That was changed in ballot 127. Which is adopted in July 2014. This was somewhere in 2016. As I understood it, they didn't ask for the HR department, just someone else. That might of course be a misunderstanding of what was asked, w

Re: CA Validation quality is failing

2017-04-19 Thread Ryan Sleevi via dev-security-policy
On Wed, Apr 19, 2017 at 7:53 PM, Kurt Roeckx via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > (It was a code sign certificate, but I expect if it's labeled EV > that the same things apply.) > Not necessarily. A separate set of guidelines cover those - https://cabforum.or

RE: CA Validation quality is failing

2017-04-19 Thread Jeremy Rowley via dev-security-policy
; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: CA Validation quality is failing On Wed, Apr 19, 2017 at 10:41:33PM +, Peter Gutmann via dev-security-policy wrote: > Kurt Roeckx via dev-security-policy writes: > > >Both the localityName and stateOrProvinceName are Almer

Re: CA Validation quality is failing

2017-04-19 Thread Kurt Roeckx via dev-security-policy
On Wed, Apr 19, 2017 at 10:41:33PM +, Peter Gutmann via dev-security-policy wrote: > Kurt Roeckx via dev-security-policy > writes: > > >Both the localityName and stateOrProvinceName are Almere, while the province > >is Flevoland. > > How much checking is a CA expected to do here? I know

Re: CA Validation quality is failing

2017-04-19 Thread Vincent Lynch via dev-security-policy
Hi Peter, EV requirements are actually dictated by a separate set of guidelines: https://cabforum.org/extended-validation/ They do go into detail about how to verify applicant information. It covers how you verify the company is legally established, where it's physically operating, etc. As you can

Re: CA Validation quality is failing

2017-04-19 Thread Ryan Sleevi via dev-security-policy
On Wed, Apr 19, 2017 at 6:41 PM, Peter Gutmann via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Kurt Roeckx via dev-security-policy > writes: > > >Both the localityName and stateOrProvinceName are Almere, while the > province > >is Flevoland. > > How much checking is a CA

Re: CA Validation quality is failing

2017-04-19 Thread Peter Gutmann via dev-security-policy
Kurt Roeckx via dev-security-policy writes: >Both the localityName and stateOrProvinceName are Almere, while the province >is Flevoland. How much checking is a CA expected to do here? I know that OV and DV certs are just "someone at this site responded to email" or whatever, but for an EV c

Re: CA Validation quality is failing

2017-04-19 Thread Mike vd Ent via dev-security-policy
y > ; Jeremy Rowley > ; Ben Wilson > Subject: Re: CA Validation quality is failing > > > > > > > > On Wed, Apr 19, 2017 at 3:47 PM, Mike vd Ent via dev-security-policy > <mailto:dev-security-policy@lists.mozilla.org> > wrote: > > Ryan

RE: CA Validation quality is failing

2017-04-19 Thread Jeremy Rowley via dev-security-policy
I’m looking into it right now. I’ll report back shortly. Jeremy From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Wednesday, April 19, 2017 2:25 PM To: Mike vd Ent Cc: mozilla-dev-security-policy ; Jeremy Rowley ; Ben Wilson Subject: Re: CA Validation quality is failing On

Re: CA Validation quality is failing

2017-04-19 Thread Ryan Sleevi via dev-security-policy
On Wed, Apr 19, 2017 at 3:47 PM, Mike vd Ent via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Ryan, > > My answers on the particular issues are stated inline. > But the thing I want to address is how could (in this case Digicert) > validate such data and issues certificate

Re: CA Validation quality is failing

2017-04-19 Thread Mike vd Ent via dev-security-policy
Ryan, My answers on the particular issues are stated inline. But the thing I want to address is how could (in this case Digicert) validate such data and issue certificates? I am investigating more of them and afraid even linked company names or registration numbers could be false. Shouldn't th

Re: CA Validation quality is failing

2017-04-19 Thread Kurt Roeckx via dev-security-policy
On Wed, Apr 19, 2017 at 12:28:16PM -0700, Ryan Sleevi via dev-security-policy wrote: > > https://portal.mobilitymixx.nl > > I'm not sure I understand enough to know what the issues are here. Could you > explain? Both the localityName and stateOrProvinceName are Almere, while the province is Fle

Re: CA Validation quality is failing

2017-04-19 Thread Ryan Sleevi via dev-security-policy
On Wednesday, April 19, 2017 at 3:13:36 PM UTC-4, Mike Pasarella wrote: > To add some more concerning this issue: > > https://xenapp.alpinvest.com/ https://crt.sh/?id=42227446 localityName of Amsterdam stateOrProvinceName of 19 countryName of NL Problem has existed since 2013 - https://crt.sh/?

Re: CA Validation quality is failing

2017-04-19 Thread Mike Pasarella via dev-security-policy
To add some more concerning this issue: https://xenapp.alpinvest.com/ https://adoftheyear.com https://secure.mobihealth.com https://portal.mobilitymixx.nl https://mijn.nfu.nl https://portal.payplaza.com I also believe that this happens often with the re-use of once (wrong) data for issuing new