On Tue, Sep 19, 2017 at 3:09 PM, Nick Lamb via dev-security-policy
wrote:
> I have no doubt that this was obvious to people who have worked for a public
> CA, but it wasn't obvious to me, so thank you for answering. I think these
> answers give us good
Hi Inigo,
On 15/09/17 17:30, Inigo Barreira wrote:
> There wasn't a lack of integrity and monitoring, of course not. All PKI logs
> were and are signed, it's just the auditors wanted to add the integrity to
> other systems which is not so clear that should have this enabled. For
> example, if
Hi Franck,
On 18/09/17 15:49, Franck Leroy wrote:
> Our understanding in April was that as long as StartCom is not
> allowed by Certinomis to issue EE certs, the disclosure was not
> mandated immediately.
I think that we need to establish a timeline of the exact events
involved here.
But I
On 15/09/17 15:35, Inigo Barreira wrote:
> No, those weren't tests. We allowed the use of curves permitted by the BRs
> but this issue came up in the mozilla policy (I think Arkadiusz posted) and I
> also asked about it in the last CABF F2F (I asked Ryan about it) and then,
> with that outcome
Le lundi 18 septembre 2017 14:52:27 UTC+2, Ryan Sleevi a écrit :
> On Mon, Sep 18, 2017 at 8:12 AM, Inigo Barreira <>
> wrote:
> Then they misissued a CA certificate and failed to disclose it, and we
> should start an incident report into it.
Hello
In April 2017 the mozilla policy in force (v2.4)
On Mon, Sep 18, 2017 at 8:12 AM, Inigo Barreira
wrote:
>
> We are not seeking to identify personal blame. We are seeking to
> understand what, if any, improvements have been made to address such
> issues. In reading this thread, I have difficulty finding any discussion
>
I didn't understand the original below comment by StartCom very well about
the cross-sign, but after Ryan's message I understand it better in
retrospect:
> On Thu, Sep 14, 2017 at 11:05 AM, Inigo Barreira via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> I've never said
On Fri, Sep 15, 2017 at 12:30 PM, Inigo Barreira via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> >
> > Hi Inigo,
> >
> > On 14/09/17 16:05, Inigo Barreira wrote:
> > > Those tests were done to check the CT behaviour, there was any other
> > testing of the new systems,
>
> Hi Inigo,
>
> On 14/09/17 16:05, Inigo Barreira wrote:
> > Those tests were done to check the CT behaviour, there was any other
> testing of the new systems, just for the CT.
>
> Is there any reason those tests could not have been done using a parallel
> testing hierarchy (other than the
I'm fairly confused by your answers, if the only thing you tested in
production was CT, why was the system issuing non-compliant certs? Why did
production CT testing come before having established, tested, and verified
a compliant certificate profile?
Alex
On Fri, Sep 15, 2017 at 10:35 AM, Inigo
On 15/09/17 09:24, Inigo Barreira wrote:
> AFAIK, Certinomis only disclosed in the CCADB
That means it's published and available. As noted in my other reply,
information as to exactly what this cross-sign enables trust for would
be most helpful, as I may have misunderstood previous statements on
Hi Inigo,
On 14/09/17 16:05, Inigo Barreira wrote:
> Those tests were done to check the CT behaviour, there was any other testing
> of the new systems, just for the CT.
Is there any reason those tests could not have been done using a
parallel testing hierarchy (other than the fact that you
> Hi Inigo,
>
> To add from the last post.
>
> I know this is unwelcome news to you but I feel that with all these incidents
> happening right now with Symantec and the incidents before, we can't really
> take any more chances. Every incident is eroding trust in this system and if
> we
> want
> > >
> > > > Those tests were done to check the CT behaviour, there was any
> > > > other
> > > testing of the new systems, just for the CT. Those certs were under
> > > control all the time and were lived for some minutes because were
> > > revoked immediately after checking the certs were
On Friday, September 15, 2017 at 12:30:00 PM UTC+1, James Burton wrote:
> On Friday, September 15, 2017 at 10:56:11 AM UTC+1, Inigo Barreira wrote:
> > >
> > > > Those tests were done to check the CT behaviour, there was any other
> > > testing of the new systems, just for the CT. Those certs
On Friday, September 15, 2017 at 10:56:11 AM UTC+1, Inigo Barreira wrote:
> >
> > > Those tests were done to check the CT behaviour, there was any other
> > testing of the new systems, just for the CT. Those certs were under control
> > all
> > the time and were lived for some minutes because
>
> > Those tests were done to check the CT behaviour, there was any other
> testing of the new systems, just for the CT. Those certs were under control
> all
> the time and were lived for some minutes because were revoked immediately
> after checking the certs were logged correctly in the CTs.
> Those tests were done to check the CT behaviour, there was any other testing
> of the new systems, just for the CT. Those certs were under control all the
> time and were lived for some minutes because were revoked immediately after
> checking the certs were logged correctly in the CTs. It's
> On 14/09/2017 17:05, Inigo Barreira wrote:
> > All,
> >
> > ...
> >>
> >> We should add the existing Certinomis cross-signs to OneCRL to revoke
> >> all the existing certificates. As of 10th August (now a month ago)
> >> StartCom said they have 5 outstanding SSL certs which are valid
> >> due
re de 2017 1:22
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: FW: StartCom inclusion request: next steps
>
> On Thursday, 14 September 2017 16:00:35 UTC+1, Inigo Barreira wrote:
> > Well, finally this is a business and I don't think none on this list is
> >
On 14/09/2017 17:05, Inigo Barreira wrote:
All,
...
We should add the existing Certinomis cross-signs to OneCRL to revoke all the
existing certificates. As of 10th August (now a month ago) StartCom said they
have 5 outstanding SSL certs which are valid due to the Certinomis cross-sign.
On Thursday, 14 September 2017 16:00:35 UTC+1, Inigo Barreira wrote:
> Well, finally this is a business and I don't think none on this list is
> working for free. At the end everyone has his/her salary, etc. But that was
> not the main reason because getting included in the root programs takes
All,
Obviously this is not the message we would like to read and will try to explain
and rebate as much as possible some of the comments posted here.
>
> The Mozilla CA Certificates team has been considering what the appropriate
> next steps are for the inclusion request from the CA