Re: Bugzilla Bugs re CA issuance of non-compliant certs

2017-08-18 Thread Kathleen Wilson via dev-security-policy
On Friday, August 18, 2017 at 6:35:23 AM UTC-7, Gervase Markham wrote: > On 17/08/17 00:18, Kathleen Wilson wrote: > > == Let’s Encrypt == > > RESOLVED (no bug needed) > > > == Staat der Nederlanden / PKIoverheid == > > RESOLVED (no bug needed) > > While the timely responses and performance of

Re: Bugzilla Bugs re CA issuance of non-compliant certs

2017-08-18 Thread Gervase Markham via dev-security-policy
On 17/08/17 00:18, Kathleen Wilson wrote: > == Let’s Encrypt == > RESOLVED (no bug needed) > == Staat der Nederlanden / PKIoverheid == > RESOLVED (no bug needed) While the timely responses and performance of these CAs is commendable, it may be worth opening a bug and recording the events and

Re: Bugzilla Bugs re CA issuance of non-compliant certs

2017-08-17 Thread Kathleen Wilson via dev-security-policy
Filed bug for GoDaddy: https://bugzilla.mozilla.org/show_bug.cgi?id=1391429 Thanks, Kathleen ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy

Re: Bugzilla Bugs re CA issuance of non-compliant certs

2017-08-17 Thread Jonathan Rudenberg via dev-security-policy
> On Aug 16, 2017, at 19:18, Kathleen Wilson via dev-security-policy > wrote: > > Bugs filed... Hi Kathleen, It looks like a bug was not created for GoDaddy about these certificates with invalid dnsNames, containing a space at the beginning of the

Re: Bugzilla Bugs re CA issuance of non-compliant certs

2017-08-17 Thread Gervase Markham via dev-security-policy
On 15/08/17 21:24, Kathleen Wilson wrote: > Mozilla's Root Store policy says: "CAs MUST follow and be aware of > discussions in the mozilla.dev.security.policy forum, where Mozilla's > root program is coordinated." > > There is no indication about how frequently a representative of the > CA must

Re: Bugzilla Bugs re CA issuance of non-compliant certs

2017-08-17 Thread Peter Miskovic via dev-security-policy
CA Disig revoked listed non-conforming certificate.

Re: Bugzilla Bugs re CA issuance of non-compliant certs

2017-08-16 Thread Kathleen Wilson via dev-security-policy
Bugs filed... == Actalis == https://bugzilla.mozilla.org/show_bug.cgi?id=1390974 == Camerfirma == https://bugzilla.mozilla.org/show_bug.cgi?id=1390977 == Certinomis == https://bugzilla.mozilla.org/show_bug.cgi?id=1390978 == certSIGN == https://bugzilla.mozilla.org/show_bug.cgi?id=1390979 ==

Re: Bugzilla Bugs re CA issuance of non-compliant certs

2017-08-16 Thread Kathleen Wilson via dev-security-policy
I will proceed with filing these bugs now. Kathleen

Re: Bugzilla Bugs re CA issuance of non-compliant certs

2017-08-15 Thread Kathleen Wilson via dev-security-policy
Updated draft for the Bugzilla Bugs that I will be filing for the problems listed below. Product: NSS Component: CA Certificate Mis-Issuance Whiteboard: [ca-compliance] Blocks: 1029147 Summary: : Non-BR-Compliant Certificate Issuance Description: The following problems have been found in

Re: Bugzilla Bugs re CA issuance of non-compliant certs

2017-08-15 Thread Kathleen Wilson via dev-security-policy
On Tuesday, August 15, 2017 at 3:53:06 PM UTC-7, Jonathan Rudenberg wrote: > It would be useful to know when and through what channel the CA learned about > each of the problems listed. (problem report via email at date/time; > known/unresolved issue since date; mailing list post at date/time;

Re: Bugzilla Bugs re CA issuance of non-compliant certs

2017-08-15 Thread Jonathan Rudenberg via dev-security-policy
> On Aug 15, 2017, at 18:21, Kathleen Wilson via dev-security-policy > wrote: > > Feedback will be appreciated on the following draft for the Bugzilla Bugs > that I will be filing for the problems listed below. It would be useful to know when and

Re: Bugzilla Bugs re CA issuance of non-compliant certs

2017-08-15 Thread Jonathan Rudenberg via dev-security-policy
> On Aug 15, 2017, at 18:21, Kathleen Wilson via dev-security-policy > wrote: > > Feedback will be appreciated on the following draft for the Bugzilla Bugs > that I will be filing for the problems listed below. I think we should ask for the CAs to

Re: Bugzilla Bugs re CA issuance of non-compliant certs

2017-08-15 Thread Kathleen Wilson via dev-security-policy
Feedback will be appreciated on the following draft for the Bugzilla Bugs that I will be filing for the problems listed below. Product: NSS Component: CA Certificate Mis-Issuance Whiteboard: [ca-compliance] Blocks: 1029147 Summary: : Non-BR-Compliant Certificate Issuance Description: The

Re: Bugzilla Bugs re CA issuance of non-compliant certs

2017-08-15 Thread Jonathan Rudenberg via dev-security-policy
dev-security-policy@lists.mozilla.org> > Date: 15/08/2017 21:59 (GMT+01:00) > To: r...@sleevi.com > Cc: mozilla-dev-security-policy > <mozilla-dev-security-pol...@lists.mozilla.org>, Kathleen Wilson > <kwil...@mozilla.com> > Subject: Re: Bugzilla Bugs re CA issuanc

Re: Bugzilla Bugs re CA issuance of non-compliant certs

2017-08-15 Thread Ryan Sleevi via dev-security-policy
On Tue, Aug 15, 2017 at 4:01 PM, Kathleen Wilson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Tuesday, August 15, 2017 at 12:46:36 PM UTC-7, Ryan Sleevi wrote: > > > > The requirement for revocation comes from the Baseline Requirements. > > > > Could you clarify

Re: Bugzilla Bugs re CA issuance of non-compliant certs

2017-08-15 Thread Kathleen Wilson via dev-security-policy
On Tuesday, August 15, 2017 at 1:00:04 PM UTC-7, Jonathan Rudenberg wrote: > It’s worth noting that with the exception of the metadata-only > subject fields issue, Alex and I have attempted to contact every > CA listed directly via their public certificate problem reporting channels. Good

Re: Bugzilla Bugs re CA issuance of non-compliant certs

2017-08-15 Thread Jonathan Rudenberg via dev-security-policy
> On Aug 15, 2017, at 15:37, Kathleen Wilson via dev-security-policy > wrote: > > ** Common Name not in SAN > https://groups.google.com/d/msg/mozilla.dev.security.policy/K3sk5ZMv2DE/4oVzlN1xBgAJ > It is not clear to me if I need to add this item to the

Re: Bugzilla Bugs re CA issuance of non-compliant certs

2017-08-15 Thread Kathleen Wilson via dev-security-policy
On Tuesday, August 15, 2017 at 12:46:36 PM UTC-7, Ryan Sleevi wrote: > > The requirement for revocation comes from the Baseline Requirements. > > Could you clarify your expectations regarding CAs' violation of the > Baseline Requirements with respect to these issues and Section 4.9.1.1. Are you

Re: Bugzilla Bugs re CA issuance of non-compliant certs

2017-08-15 Thread Jonathan Rudenberg via dev-security-policy
> On Aug 15, 2017, at 15:45, Ryan Sleevi via dev-security-policy > wrote: > > I would note that any CA which does not or has not promptly revoked these > within 24 hours of contact should, at a minimum, contact all root programs > that they participate in

Re: Bugzilla Bugs re CA issuance of non-compliant certs

2017-08-15 Thread Ryan Sleevi via dev-security-policy
On Tue, Aug 15, 2017 at 3:37 PM, Kathleen Wilson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > I do *NOT* necessarily expect the CAs to revoke all of these certificates. > I expect the CAs to do a careful analysis of the situation and > determine/explain whether or

Bugzilla Bugs re CA issuance of non-compliant certs

2017-08-15 Thread Kathleen Wilson via dev-security-policy
All, I have gone through the July/August posts in m.d.s.policy in order to determine which Bugzilla Bugs I should file. There are two outliers: ~~ ** Undisclosed intermediates, or those missing audits I have been working diligently on intermediate cert disclosures in the CCADB for many months