Re: Taiwan GRCA Root Renewal Request

Thanks for pointing this out Ryan and Dimitris. You are both correct: we should direct Taiwan GRCA to change their request from including the root to including only the subordinate CAs that comply with the Mozilla policy. The option of adding the non-compliant subordinate CAs to OneCRL does not

Re: Taiwan GRCA Root Renewal Request

On 26/1/2018 11:54 μμ, Ryan Sleevi via dev-security-policy wrote: > Has any consideration been given to adopt a similar policy as discussed > with the Government of Korea application - > https://bugzilla.mozilla.org/show_bug.cgi?id=1226100#c38 Just to avoid any possible mis-reading of: "If

Re: Taiwan GRCA Root Renewal Request

On Fri, Jan 12, 2018 at 2:27 PM, Wayne Thayer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Thursday, June 1, 2017 at 5:03:15 PM UTC-7, Kathleen Wilson wrote: > > On Friday, May 26, 2017 at 9:32:57 AM UTC-7, Kathleen Wilson wrote: > > > On Wednesday, March 15, 2017

Re: Taiwan GRCA Root Renewal Request

This root inclusion request is currently in the public discussion phase [1] After reviewing Taiwan GRCA's CP, CPS and related documents [2], I have the following comments: ==Good== 1. GRCA has requested that this root be constrained to issuing certificates for .tw domains. 2. The BR Self

Re: Taiwan GRCA Root Renewal Request

On Thursday, June 1, 2017 at 5:03:15 PM UTC-7, Kathleen Wilson wrote: > On Friday, May 26, 2017 at 9:32:57 AM UTC-7, Kathleen Wilson wrote: > > On Wednesday, March 15, 2017 at 5:01:13 PM UTC-7, Kathleen Wilson wrote: > > All, > > > > I requested that this CA perform a BR Self Assessment, and

Re: Taiwan GRCA Root Renewal Request

On Friday, May 26, 2017 at 9:32:57 AM UTC-7, Kathleen Wilson wrote: > On Wednesday, March 15, 2017 at 5:01:13 PM UTC-7, Kathleen Wilson wrote: > All, > > I requested that this CA perform a BR Self Assessment, and they have attached > their completed BR Self Assessment to the bug here: >

Re: Taiwan GRCA Root Renewal Request

On Wednesday, March 15, 2017 at 5:01:13 PM UTC-7, Kathleen Wilson wrote: > > So, if there are no further questions or comments about this CA's request, > then I will close this discussion and recommend approval in the bug. > All, I requested that this CA perform a BR Self Assessment, and

Re: Taiwan GRCA Root Renewal Request

All, My apologies for taking so long to get back to this discussion about the Government of Taiwan's (GRCA's) request to include their Government Root Certification Authority root certificate, and turn on the Websites and Email trust bits. Note that GRCA has suggested that this root be

Re: Taiwan GRCA Root Renewal Request

Gervase Markham via dev-security-policy writes: >Peter: you are going to have to re-summarise your question. And then, if you >are asking why Mozilla code works in a certain way, mozilla.dev.security or >mozilla.dev.tech.crypto are almost certainly far

Re: Taiwan GRCA Root Renewal Request

On 11/02/17 12:13, Peter Gutmann wrote: > Is no-one at Mozilla able to explain why they did this? It's a nontrivial > piece of code to implement, surely someone must know what the thinking was > behind doing it this way? Peter: you are going to have to re-summarise your question. And then, if

Re: Taiwan GRCA Root Renewal Request

Kathleen Wilson於 2017年2月3日星期五 UTC+8上午6時36分54秒寫道： > On Tuesday, December 13, 2016 at 2:36:15 PM UTC-8, Kathleen Wilson wrote: > > Thanks to all of you who have reviewed and commented on this request from > > Government of Taiwan, Government Root Certification Authority (GRCA), to > > include

Re: Taiwan GRCA Root Renewal Request

Kathleen Wilson writes: >Indeed, and as per your comment here: >https://bugzilla.mozilla.org/show_bug.cgi?id=1056341#c24 So just to satisfy my curiosity, it's been known ever since top-down construction was first advocated by PKI loon^H^H^Htheoreticians:

Re: Taiwan GRCA Root Renewal Request

On Tuesday, December 13, 2016 at 2:36:15 PM UTC-8, Kathleen Wilson wrote: > Thanks to all of you who have reviewed and commented on this request from > Government of Taiwan, Government Root Certification Authority (GRCA), to > include their renewed Government Root Certification Authority root >

Re: Taiwan GRCA Root Renewal Request

On Thursday, December 15, 2016 at 10:56:52 AM UTC-8, Brian Smith wrote: > It is important to fix the DoS issue with the path building when there > are many choices for the same subject. SKI/AKI matching only fixes the > DoS issue for benign cases, not malicious cases. Therefore some way of >

Re: Taiwan GRCA Root Renewal Request

Kathleen Wilson wrote: > How about the following? That sounds right to me. It is important to fix the DoS issue with the path building when there are many choices for the same subject. SKI/AKI matching only fixes the DoS issue for benign cases, not malicious cases.

Re: Taiwan GRCA Root Renewal Request

In regards to updating https://wiki.mozilla.org/CA:How_to_apply#Root_certificates_with_the_same_subject_and_different_keys ? How about the following? ~~ The standards allow for two CA certificates to have the same subject names but different subject public keys. Please try to avoid this,

Re: Taiwan GRCA Root Renewal Request

On Tue, Dec 13, 2016 at 12:36 PM, Kathleen Wilson wrote: > Question: Do I need to update > https://wiki.mozilla.org/CA:How_to_apply#Root_certificates_with_the_same_subject_and_different_keys > ? That description seems to have been written to describe the behavior of the

Re: Taiwan GRCA Root Renewal Request

Bonsoir, Le mardi 13 décembre 2016 23:36:15 UTC+1, Kathleen Wilson a écrit : [...] > Question: Do I need to update > https://wiki.mozilla.org/CA:How_to_apply#Root_certificates_with_the_same_subject_and_different_keys > ? There could be something trying to enforce that root certificates sharing

Re: Taiwan GRCA Root Renewal Request

Thanks to all of you who have reviewed and commented on this request from Government of Taiwan, Government Root Certification Authority (GRCA), to include their renewed Government Root Certification Authority root certificate, and turn on the Websites and Email trust bits. To summarize this

Re: Taiwan GRCA Root Renewal Request

On Saturday, December 10, 2016 at 3:30:09 AM UTC+2, Erwann Abalea wrote: > I don't think there is a bug in IIS here. IIRC, you discovered that IIS > doesn't send the self-issued certificate when loaded with the 2 self-signed > root certs and the self-issued cert (1st gen signing 2nd gen). And

Re: Taiwan GRCA Root Renewal Request

On Friday, December 9, 2016 at 1:43:27 AM UTC+2, Brian Smith wrote: > Some people claimed some software may be unable to cope with two > different CA certificates with the same subject DNs. Nobody claimed > that Firefox is unable to cope with two CA certificates having the > same subject DN. It

Re: Taiwan GRCA Root Renewal Request

On Thursday, December 8, 2016 at 10:21:53 PM UTC+2, Gervase Markham wrote: > On 05/12/16 21:10, Wen-Cheng Wang wrote: > > I mean BR Audit is specifically for CAs that provide SSL > > certificates. Therefore, it is not possible to conduct on those > > subordinate CAs that do not provide SSL

Re: Taiwan GRCA Root Renewal Request

Bonsoir, Le mardi 6 décembre 2016 09:31:48 UTC+1, Wen-Cheng Wang a écrit : > Hi Jacob, > > I think you get confused by My colleague Li-Chun's email because he mentioned > a lot about using self-issued certificates for key-rollover, AIA certificate > chaining support, and the bug of Microsoft

Re: Taiwan GRCA Root Renewal Request

Gervase Markham wrote: > Just to help me be clear: the request is for the inclusion of a root > with the same DN as a previous root, which will still be included after > the addition? Or the problem with duplicate DNs occurs further down the > hierarchy? Some people claimed

Re: Taiwan GRCA Root Renewal Request

On 05/12/16 21:10, Wen-Cheng Wang wrote: > I mean BR Audit is specifically for CAs that provide SSL > certificates. Therefore, it is not possible to conduct on those > subordinate CAs that do not provide SSL certificates, AIUI, that's not actually true. As we found out recently when discussing

Re: Taiwan GRCA Root Renewal Request

Hi Jacob, I think you get confused by My colleague Li-Chun's email because he mentioned a lot about using self-issued certificates for key-rollover, AIA certificate chaining support, and the bug of Microsoft IIS (note: not IE browser) in handling self-issued certificates. All these are

Re: Taiwan GRCA Root Renewal Request

Hi Gervase, On Monday, December 5, 2016 at 9:00:53 PM UTC+8, Gervase Markham wrote: > On 04/12/16 08:17, Wen-Cheng Wang wrote: > > You are wight, there are several subordinate CAs under our Government > > Root CA. Our Government Root CA and all its subordinate have WebTrust > > for CA audits.

Re: Taiwan GRCA Root Renewal Request

On 04/12/2016 06:00, capuchin...@gmail.com wrote: Jakob Bohm於 2016年12月4日星期日 UTC+8上午1時23分16秒寫道： You have made a fundamental technical mistake. I do not understand that why do you said that we made a fundamental technical mistake? As I had participated in drafting RFC 5280, I am sure that our

Re: Taiwan GRCA Root Renewal Request

On 04/12/16 08:17, Wen-Cheng Wang wrote: > You are wight, there are several subordinate CAs under our Government > Root CA. Our Government Root CA and all its subordinate have WebTrust > for CA audits. However, among those subordinate CAs, only GCA will > issue SSL certificates. Therefore, only

Re: Taiwan GRCA Root Renewal Request

Wen-Cheng Wang writes: >Actually, we have tested the capabilities of many browsers in the wild and >found they can live peacefully with our PKIX-compliant root certs. Ah, OK. That's the right way to do it. >They are not so weak as you might think. I bet I can create

Re: Taiwan GRCA Root Renewal Request

On Sunday, December 4, 2016 at 11:56:13 PM UTC+8, Peter Bowen wrote: > On Sun, Dec 4, 2016 at 7:26 AM, Wen-Cheng Wang wrote: > > Gervase Markham於 2016年12月4日星期日 UTC+8下午6時27分55秒寫道： > >> On 03/12/16 17:42, Peter Bowen wrote: > >> > As to the inclusion request, I think Mozilla should reject this > >>

Re: Taiwan GRCA Root Renewal Request

On Sunday, December 4, 2016 at 11:56:13 PM UTC+8, Peter Bowen wrote: > On Sun, Dec 4, 2016 at 7:26 AM, Wen-Cheng Wang wrote: > > Gervase Markham於 2016年12月4日星期日 UTC+8下午6時27分55秒寫道： > >> On 03/12/16 17:42, Peter Bowen wrote: > >> > As to the inclusion request, I think Mozilla should reject this > >>

Re: Taiwan GRCA Root Renewal Request

On Sunday, December 4, 2016 at 11:56:13 PM UTC+8, Peter Bowen wrote: > On Sun, Dec 4, 2016 at 7:26 AM, Wen-Cheng Wang wrote: > > Gervase Markham於 2016年12月4日星期日 UTC+8下午6時27分55秒寫道： > >> On 03/12/16 17:42, Peter Bowen wrote: > >> > As to the inclusion request, I think Mozilla should reject this > >>

Re: Taiwan GRCA Root Renewal Request

On Sunday, December 4, 2016 at 5:58:56 PM UTC+8, Peter Gutmann wrote: > Wen-Cheng Wang writes: > > >However, that does not means our PKIX (RFC-5280) conforimg implementation > >will cause errors or bugs to current implementations of browsers. > > Given all the bizarre stuff that ended up in the

Re: Taiwan GRCA Root Renewal Request

On Sun, Dec 4, 2016 at 7:26 AM, 王文正 wrote: > Gervase Markham於 2016年12月4日星期日 UTC+8下午6時27分55秒寫道： >> On 03/12/16 17:42, Peter Bowen wrote: >> > As to the inclusion request, I think Mozilla should reject this >> > request and add a clear rule to the Mozilla CA policy that each

Re: Taiwan GRCA Root Renewal Request

Gervase Markham於 2016年12月4日星期日 UTC+8下午6時27分55秒寫道： > On 03/12/16 17:42, Peter Bowen wrote: > > As to the inclusion request, I think Mozilla should reject this > > request and add a clear rule to the Mozilla CA policy that each CA > > must have a unique DN. The DN should be a primary key for the

Re: Taiwan GRCA Root Renewal Request

Gervase Markham於 2016年12月4日星期日 UTC+8下午6時18分48秒寫道： > Hi Wen-Cheng, > > On 04/12/16 06:12, 王文正 wrote: > > Requiring that Key rollover must be accompanied by DN rotation will > > contradict with the PKIX standard and the original X.509 standard. > > Leaving aside the particular situation we are

Re: Taiwan GRCA Root Renewal Request

On 03/12/16 17:42, Peter Bowen wrote: > As to the inclusion request, I think Mozilla should reject this > request and add a clear rule to the Mozilla CA policy that each CA > must have a unique DN. The DN should be a primary key for the trust > store and no two entries should have the same DN.

Re: Taiwan GRCA Root Renewal Request

Hi Wen-Cheng, On 04/12/16 06:12, 王文正 wrote: > Requiring that Key rollover must be accompanied by DN rotation will > contradict with the PKIX standard and the original X.509 standard. Leaving aside the particular situation we are in, in general the Web PKI uses X.509 and other standards as a

Re: Taiwan GRCA Root Renewal Request

capuchin...@gmail.com writes: >However, that does not means our PKIX (RFC-5280) conforimg implementation >will cause errors or bugs to current implementations of browsers. Given all the bizarre stuff that ended up in the PKIX spec, it would be quite easy to create a fully

Re: Taiwan GRCA Root Renewal Request

Peter Bowen於 2016年12月4日星期日 UTC+8上午1時43分00秒寫道： > On Sat, Dec 3, 2016 at 9:22 AM, Jakob Bohm wrote: > > > > Using two different public keys with the same exact full distinguished > > name is generally not expected to work. Some implementations may use > > additional checks (such as the key

Re: Taiwan GRCA Root Renewal Request

Jakob Bohm於 2016年12月4日星期日 UTC+8上午1時23分16秒寫道： > > You have made a fundamental technical mistake. I do not understand that why do you said that we made a fundamental technical mistake? As I had participated in drafting RFC 5280, I am sure that our implementation fully conforms to RFC 5280 and of

Re: Taiwan GRCA Root Renewal Request

lcchen.ci...@gmail.com writes: >I explained the rollover certificate process outlined in RFC 4210 by signing >the old public key with the new private key and the new public key with the >old private key. Uhh, that stuff was a gedanken experiment dreamed up by some folks

Re: Taiwan GRCA Root Renewal Request

On Thu, Sep 22, 2016 at 12:57 AM, wrote: > Peter Bowen於 2016年9月20日星期二 UTC+8下午11時53分29秒寫道： >> On Fri, Sep 16, 2016 at 2:00 PM, Kathleen Wilson wrote: >> > >> > * CA Hierarchy: Diagram of CA Hierarchy: http://grca.nat.gov.tw/ >> > All subordinate CAs are

Re: Taiwan GRCA Root Renewal Request

On Sat, Dec 3, 2016 at 9:22 AM, Jakob Bohm wrote: > On 03/12/2016 09:34, lcchen.ci...@gmail.com wrote: >> >> In CA/Browser Forum 34th F2F meeting, the minutes is in >> https://cabforum.org/2015/03/11/2015-03-11-minutes-of-cupertino-f2f-meeting-34/. >> Li-Chun Chen (me) of

Re: Taiwan GRCA Root Renewal Request

On 03/12/2016 09:34, lcchen.ci...@gmail.com wrote: Kathleen Wilson於 2016年11月15日星期二 UTC+8上午9時20分09秒寫道： All, I will greatly appreciate it if you will review this request from Government of Taiwan, Government Root Certification Authority (GRCA) to include their Government Root Certification

Re: Taiwan GRCA Root Renewal Request

Kathleen Wilson於 2016年11月15日星期二 UTC+8上午9時20分09秒寫道： > All, > > I will greatly appreciate it if you will review this request from Government > of Taiwan, Government Root Certification Authority (GRCA) to include their > Government Root Certification Authority root certificate, and turn on the >

Re: Taiwan GRCA Root Renewal Request

All, I will greatly appreciate it if you will review this request from Government of Taiwan, Government Root Certification Authority (GRCA) to include their Government Root Certification Authority root certificate, and turn on the Websites and Email trust bits. This root cert will eventually

Re: Taiwan GRCA Root Renewal Request

Peter Bowen於 2016年9月20日星期二 UTC+8下午11時53分29秒寫道： > On Fri, Sep 16, 2016 at 2:00 PM, Kathleen Wilson wrote: > > > > * CA Hierarchy: Diagram of CA Hierarchy: http://grca.nat.gov.tw/ > > All subordinate CAs are operated by Taiwan Government organizations. > > GCA is responsible

Taiwan GRCA Root Renewal Request

This request from Government of Taiwan, Government Root Certification Authority (GRCA), is to include their Government Root Certification Authority root certificate, and turn on the Websites and Email trust bits. This root cert will eventually replace the previous GRCA root certificate that was