2017 13:27
To: Franck Leroy <fr.le...@gmail.com>;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: StartCom cross-signs disclosed by Certinomis
Hi Franck,
On 03/08/17 08:59, Franck Leroy wrote:
> On end of June the audit report from PwC was available but with still some
mi
Hi Franck,
On 03/08/17 08:59, Franck Leroy wrote:
> On end of June the audit report from PwC was available but with still some
> minor issues. I asked StartCom to correct them.
>
> On July 14th the audit report and the policy were updated and published on
> StartCom website.
The audit reports
Getting back to this very late... I am studying this situation today.
On 07/08/17 10:21, Franck Leroy wrote:
> Then in November 2016 I contacted Kathleen and Gerv to know if there was some
> stoppers to work with Inigo to help StartCom to be back in the business.
> There was no opposition as
>
> Best regards
>
> Iñigo Barreira
> CEO
> StartCom CA Limited
>
>
> -Original Message-
> From: dev-security-policy
> [mailto:dev-security-policy-bounces+inigo=startcomca.com@lists.mozilla
> .org] On Behalf Of Jakob Bohm via dev-security-policy
> Sent: l
egards
>
> Iñigo Barreira
> CEO
> StartCom CA Limited
>
>
> -Original Message-
> From: dev-security-policy
> [mailto:dev-security-policy-bounces+inigo=startcomca@lists.mozilla.org]
> On Behalf Of Jakob Bohm via dev-security-policy
> Sent: lunes, 7 de agosto
ity-policy-bounces+inigo=startcomca@lists.mozilla.org]
On Behalf Of Percy via dev-security-policy
Sent: martes, 8 de agosto de 2017 2:39
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: StartCom cross-signs disclosed by Certinomis
On Monday, August 7, 2017 at 2:36:10 PM UTC-7, Itzhak Da
de 2017 23:36
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: StartCom cross-signs disclosed by Certinomis
On Monday, August 7, 2017 at 11:03:27 PM UTC+3, Jakob Bohm wrote:
> 7. At Quihoo: Actually get rid of Richard Wang, not just change his
> title from CEO to COO.
I didn
: dev-security-policy
[mailto:dev-security-policy-bounces+inigo=startcomca@lists.mozilla.org] On
Behalf Of Jakob Bohm via dev-security-policy
Sent: lunes, 7 de agosto de 2017 22:03
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: StartCom cross-signs disclosed by Certinomis
-pol...@lists.mozilla.org
Subject: Re: StartCom cross-signs disclosed by Certinomis
On Monday, August 7, 2017 at 11:03:27 PM UTC+3, Jakob Bohm wrote:
> 7. At Quihoo: Actually get rid of Richard Wang, not just change his
> title from CEO to COO.
I didn't map the new hierarchy of the "
On Monday, August 7, 2017 at 2:36:10 PM UTC-7, Itzhak Daniel wrote:
> On Monday, August 7, 2017 at 11:03:27 PM UTC+3, Jakob Bohm wrote:
> > 7. At Quihoo: Actually get rid of Richard Wang, not just change his
> > title from CEO to COO.
>
> I didn't map the new hierarchy of the "Spanish"
On Monday, August 7, 2017 at 11:03:27 PM UTC+3, Jakob Bohm wrote:
> 7. At Quihoo: Actually get rid of Richard Wang, not just change his
> title from CEO to COO.
I didn't map the new hierarchy of the "Spanish" StartCom CA ("StartCom CA Spain
Sociedad Limitada"), having trouble registering to
On 07/08/2017 11:21, Franck Leroy wrote:
Hello
I see many reactions that are not in line with the reality because you don’t
have all the history on the subject.
I’ll try to summarize.
Approximately one year ago Inigo was CTO of Izenpe (CA of the Basque Country)
and he left this company in
To play the devil's advocate...
If everything is as Mr. Leroy of Certinomis points out, I don't see the problem
with the cross-sign.
In that version of events, the vast majority of the issues in the new PKI (test
certs, etc) had already been revoked and measures put in place to prevent that
Trust is something you *gain*.
I want to believe the internet has come a long way from PGP signing parties.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Hello
I see many reactions that are not in line with the reality because you don’t
have all the history on the subject.
I’ll try to summarize.
Approximately one year ago Inigo was CTO of Izenpe (CA of the Basque Country)
and he left this company in order to join StartCom.
Not long after he
>
> In this larger light, it would also seem that StartCom, having misissued a
> number of certificates already under their new hierarchy, which present a
> risk to Mozilla users (revocation is neither an excuse nor a mitigation for
> misissuance), should be required to take corrective steps and
On Friday, 4 August 2017 03:16:45 UTC+2, Matt Palmer wrote:
> On Thu, Aug 03, 2017 at 01:43:08PM -0700, Kathleen Wilson via
> dev-security-policy wrote:
> > However, I think it is fine for Certinomis to cross-sign with new StartCom
> > subCA certs, as long as Certinomis ensures that Mozilla's
On Friday, August 4, 2017 at 12:27:13 AM UTC, Kathleen Wilson wrote:
> Along this line of discussion, I have not felt comfortable with StartCom's
> current root inclusion request (bug #1381406), because Hanno raised a concern
> about the private key used by the new root is also used by two
On 8/3/17 5:27 PM, Kathleen Wilson via dev-security-policy wrote:
> On Thursday, August 3, 2017 at 4:34:27 PM UTC-7, Ryan Sleevi wrote:
> In bug #1311832 there is a note about cross-signing:
> "[1] The new (replacement) root certificates may be cross-signed by the
> Affected Roots. However, the
On Thu, Aug 03, 2017 at 08:47:17AM +, Inigo Barreira via
dev-security-policy wrote:
> And what I don't understand are those comments of "very sloppy issuance
> practices" , "many non-BR compliants", "specially given the historic issues
> with StartCom" and consider them very unfair. These are
On Thu, Aug 03, 2017 at 11:20:19AM +, Inigo Barreira via
dev-security-policy wrote:
> We're revoking all those unrevoked certs to avoid any more problems.
Revoking problematic certificates doesn't avoid any problems. The problems
have already been created.
> Regarding the pre-certs, yes, I
On Thu, Aug 03, 2017 at 01:43:08PM -0700, Kathleen Wilson via
dev-security-policy wrote:
> However, I think it is fine for Certinomis to cross-sign with new StartCom
> subCA certs, as long as Certinomis ensures that Mozilla's Root Store
> Policy is being followed.
... which they didn't. So
On Thu, Aug 03, 2017 at 05:27:03PM -0700, Kathleen Wilson via
dev-security-policy wrote:
> Along this line of discussion, I have not felt comfortable with StartCom's
> current root inclusion request (bug #1381406), because Hanno raised a
> concern about the private key used by the new root is
On Thursday, August 3, 2017 at 4:34:27 PM UTC-7, Ryan Sleevi wrote:
> I do hope you can clarify whether remediations apply to keys operated by
> organizations, or whether they apply to the organization themselves.
https://bugzilla.mozilla.org/show_bug.cgi?id=1311832
says: "StartCom may apply
On Friday, August 4, 2017 at 8:02:16 AM UTC+9, Kathleen Wilson wrote:
> On Thursday, August 3, 2017 at 3:09:25 PM UTC-7, Kurt Roeckx wrote:
> > I would really like to see that they have at least opened a bug to
> > request the inclusion of that CA before it's cross-signed.
>
> Here's StartCom's
On Thursday, August 3, 2017 at 3:09:25 PM UTC-7, Kurt Roeckx wrote:
> I would really like to see that they have at least opened a bug to
> request the inclusion of that CA before it's cross-signed.
Here's StartCom's current root inclusion request:
On Thu, Aug 03, 2017 at 01:43:08PM -0700, Kathleen Wilson via
dev-security-policy wrote:
> On Thursday, August 3, 2017 at 9:49:41 AM UTC-7, Jonathan Rudenberg wrote:
> > Even absent the BR-violating certificates and disclosure timeline, I
> > believe this cross-sign is problematic because it
> On Aug 3, 2017, at 12:26, Kathleen Wilson via dev-security-policy
> wrote:
>
> All,
>
> I have conflicting opinions about this situation:
>
> On the one hand, I want to see better behavior, and am inclined to add these
> two intermediate certs to
All,
I have conflicting opinions about this situation:
On the one hand, I want to see better behavior, and am inclined to add these
two intermediate certs to OneCRL, and tell StartCom and Certinomis to start
over and do things right.
On the other hand, I'm not convinced yet that the issued
[mailto:jonat...@titanous.com]
Sent: jueves, 3 de agosto de 2017 16:52
To: Inigo Barreira <in...@startcomca.com>
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: StartCom cross-signs disclosed by Certinomis
> On Aug 3, 2017, at 04:47, Inigo Barreira via dev-security-policy
>
> On Aug 3, 2017, at 04:47, Inigo Barreira via dev-security-policy
> wrote:
>
> For those which are not revoked are due to use different curves (P-384,
> P-521) that have been discussed in the mozilla m.d.s.p as well as the CAB
> Forum and there's no
a
> CEO
> StartCom CA Limited
>
> -Original Message-
> From: Patrick Figel [mailto:patrick@figel.email]
> Sent: jueves, 3 de agosto de 2017 13:07
> To: Inigo Barreira <in...@startcomca.com>; Franck Leroy
> <fr.le...@gmail.com>; mozilla-dev-security-pol...@lists.m
igel.email]
Sent: jueves, 3 de agosto de 2017 13:07
To: Inigo Barreira <in...@startcomca.com>; Franck Leroy
<fr.le...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: StartCom cross-signs disclosed by Certinomis
On 03/08/2017 10:47, Inigo Barreira via dev-security-p
1. It is well established that logging pre-certs constitutes "issuance" for
purposes of policy compliance. If you wouldn't issue it, don't log it. Not
difficult. And this isn't new.
2. When a new path comes into existence in the Web PKI you don't need to
explicitly "use" it as a CA, the
On 03/08/2017 10:47, Inigo Barreira via dev-security-policy wrote:
> 1. The un-revoked test certificates are those pre-sign ones with uncompleted
> ctlog. So they are not completed certificates.
> https://crt.sh/?opt=cablint=134843670
> https://crt.sh/?opt=cablint=134843674
>
ranck Leroy via dev-security-policy
Sent: jueves, 3 de agosto de 2017 9:59
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: StartCom cross-signs disclosed by Certinomis
Hello,
the 2 CA certificates signed by Certinomis has been retained till a full
successful webtrust audit.
Hello,
the 2 CA certificates signed by Certinomis has been retained till a full
successful webtrust audit.
On end of June the audit report from PwC was available but with still some
minor issues. I asked StartCom to correct them.
On July 14th the audit report and the policy were updated and
On Thursday, 3 August 2017 02:12:18 UTC+2, Matt Palmer wrote:
> On Wed, Aug 02, 2017 at 06:38:44PM -0400, Jonathan Rudenberg via
> dev-security-policy wrote:
> > I think the correct response is to add both intermediates to OneCRL
> > immediately, especially given the historic issues with
On Wed, Aug 02, 2017 at 06:38:44PM -0400, Jonathan Rudenberg via
dev-security-policy wrote:
> I think the correct response is to add both intermediates to OneCRL
> immediately, especially given the historic issues with StartCom.
+1. Also a strongly worded letter of "are you f%*king kidding
Jonathan, Thank you for bringing this to our attention.
I have filed two bugs...
1) https://bugzilla.mozilla.org/show_bug.cgi?id=1386891
Certinomis: Cross-signing of StartCom intermediate certs, and delay in
reporting it in CCADB
2) https://bugzilla.mozilla.org/show_bug.cgi?id=1386894
Add
40 matches