Re: FW: StartCom inclusion request: next steps

2017-09-19 Thread userwithuid via dev-security-policy
On Tue, Sep 19, 2017 at 3:09 PM, Nick Lamb via dev-security-policy wrote: > I have no doubt that this was obvious to people who have worked for a public > CA, but it wasn't obvious to me, so thank you for answering. I think these > answers give us good

Re: FW: StartCom inclusion request: next steps

2017-09-19 Thread Gervase Markham via dev-security-policy
Hi Inigo, On 15/09/17 17:30, Inigo Barreira wrote: > There wasn´t a lack of integrity and monitoring, of course not. All PKI logs > were and are signed, it´s just the auditors wanted to add the integrity to > other systems which is not so clear that should have this enabled. For > example, if

Re: FW: StartCom inclusion request: next steps

2017-09-19 Thread Gervase Markham via dev-security-policy
Hi Franck, On 18/09/17 15:49, Franck Leroy wrote: > Our understanding in April was that as long as StartCom is not > allowed by Certinomis to issue EE certs, the disclosure was not > mandated immediately. I think that we need to establish a timeline of the exact events involved here. But I

Re: FW: StartCom inclusion request: next steps

2017-09-19 Thread Gervase Markham via dev-security-policy
On 15/09/17 15:35, Inigo Barreira wrote: > No, those weren´t tests. We allowed the use of curves permitted by the BRs > but this issue came up in the mozilla policy (I think Arkadiusz posted) and I > also asked about it in the last CABF F2F (I asked Ryan about it) and then, > with that outcome

Re: FW: StartCom inclusion request: next steps

2017-09-18 Thread Franck Leroy via dev-security-policy
On Monday, 18 September 2017 at 14:52:27 UTC+2, Ryan Sleevi wrote: > On Mon, Sep 18, 2017 at 8:12 AM, Inigo Barreira <> > wrote: > Then they misissued a CA certificate and failed to disclose it, and we > should start an incident report into it. Hello In April 2017 the mozilla policy in force (v2.4)

Re: FW: StartCom inclusion request: next steps

2017-09-18 Thread Ryan Sleevi via dev-security-policy
On Mon, Sep 18, 2017 at 8:12 AM, Inigo Barreira wrote: > > We are not seeking to identify personal blame. We are seeking to > understand what, if any, improvements have been made to address such > issues. In reading this thread, I have difficulty finding any discussion >

Re: FW: StartCom inclusion request: next steps

2017-09-17 Thread Eric Mill via dev-security-policy
I didn't understand the original below comment by StartCom very well about the cross-sign, but after Ryan's message I understand it better in retrospect: > On Thu, Sep 14, 2017 at 11:05 AM, Inigo Barreira via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > I´ve never said

Re: FW: StartCom inclusion request: next steps

2017-09-15 Thread Ryan Sleevi via dev-security-policy
On Fri, Sep 15, 2017 at 12:30 PM, Inigo Barreira via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > > > Hi Inigo, > > > > On 14/09/17 16:05, Inigo Barreira wrote: > > > Those tests were done to check the CT behaviour, there was any other > > testing of the new systems,

RE: FW: StartCom inclusion request: next steps

2017-09-15 Thread Inigo Barreira via dev-security-policy
> > Hi Inigo, > > On 14/09/17 16:05, Inigo Barreira wrote: > > Those tests were done to check the CT behaviour, there was any other > testing of the new systems, just for the CT. > > Is there any reason those tests could not have been done using a parallel > testing hierarchy (other than the

Re: FW: StartCom inclusion request: next steps

2017-09-15 Thread Alex Gaynor via dev-security-policy
I'm fairly confused by your answers, if the only thing you tested in production was CT, why was the system issuing non-compliant certs? Why did production CT testing come before having established, tested, and verified a compliant certificate profile? Alex On Fri, Sep 15, 2017 at 10:35 AM, Inigo

Re: FW: StartCom inclusion request: next steps

2017-09-15 Thread Gervase Markham via dev-security-policy
On 15/09/17 09:24, Inigo Barreira wrote: > AFAIK, Certinomis only disclosed in the CCADB That means it's published and available. As noted in my other reply, information as to exactly what this cross-sign enables trust for would be most helpful, as I may have misunderstood previous statements on

Re: FW: StartCom inclusion request: next steps

2017-09-15 Thread Gervase Markham via dev-security-policy
Hi Inigo, On 14/09/17 16:05, Inigo Barreira wrote: > Those tests were done to check the CT behaviour, there was any other testing > of the new systems, just for the CT. Is there any reason those tests could not have been done using a parallel testing hierarchy (other than the fact that you

RE: FW: StartCom inclusion request: next steps

2017-09-15 Thread Inigo Barreira via dev-security-policy
> Hi Inigo, > > To add from the last post. > > I know this is unwelcome news to you but I feel that with all these incidents > happening right now with Symantec and the incidents before, we can't really > take any more chances. Every incident is eroding trust in this system and if > we > want

RE: FW: StartCom inclusion request: next steps

2017-09-15 Thread Inigo Barreira via dev-security-policy
> > > > > > > Those tests were done to check the CT behaviour, there was any > > > > other > > > testing of the new systems, just for the CT. Those certs were under > > > control all the time and lived for some minutes because they were > > > revoked immediately after checking the certs were

Re: FW: StartCom inclusion request: next steps

2017-09-15 Thread James Burton via dev-security-policy
On Friday, September 15, 2017 at 12:30:00 PM UTC+1, James Burton wrote: > On Friday, September 15, 2017 at 10:56:11 AM UTC+1, Inigo Barreira wrote: > > > > > > > Those tests were done to check the CT behaviour, there was any other > > > testing of the new systems, just for the CT. Those certs

Re: FW: StartCom inclusion request: next steps

2017-09-15 Thread James Burton via dev-security-policy
On Friday, September 15, 2017 at 10:56:11 AM UTC+1, Inigo Barreira wrote: > > > > > Those tests were done to check the CT behaviour, there was any other > > testing of the new systems, just for the CT. Those certs were under control > > all > > the time and were lived for some minutes because

RE: FW: StartCom inclusion request: next steps

2017-09-15 Thread Inigo Barreira via dev-security-policy
> > > Those tests were done to check the CT behaviour, there was any other > testing of the new systems, just for the CT. Those certs were under control > all > the time and lived for some minutes because they were revoked immediately > after checking the certs were logged correctly in the CTs.

Re: FW: StartCom inclusion request: next steps

2017-09-15 Thread James Burton via dev-security-policy
> Those tests were done to check the CT behaviour, there was any other testing > of the new systems, just for the CT. Those certs were under control all the > time and lived for some minutes because they were revoked immediately after > checking the certs were logged correctly in the CTs. It´s

RE: FW: StartCom inclusion request: next steps

2017-09-15 Thread Inigo Barreira via dev-security-policy
> On 14/09/2017 17:05, Inigo Barreira wrote: > > All, > > > > ... > >> > >> We should add the existing Certinomis cross-signs to OneCRL to revoke > >> all the existing certificates. As of 10th August (now a month ago) > >> StartCom said they have 5 outstanding SSL certs which are valid > >> due

RE: FW: StartCom inclusion request: next steps

2017-09-15 Thread Inigo Barreira via dev-security-policy
re de 2017 1:22 > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: FW: StartCom inclusion request: next steps > > On Thursday, 14 September 2017 16:00:35 UTC+1, Inigo Barreira wrote: > > Well, finally this is a business and I don´t think none on this list is > >

Re: FW: StartCom inclusion request: next steps

2017-09-14 Thread Jakob Bohm via dev-security-policy
On 14/09/2017 17:05, Inigo Barreira wrote: All, ... We should add the existing Certinomis cross-signs to OneCRL to revoke all the existing certificates. As of 10th August (now a month ago) StartCom said they have 5 outstanding SSL certs which are valid due to the Certinomis cross-sign.

Re: FW: StartCom inclusion request: next steps

2017-09-14 Thread Nick Lamb via dev-security-policy
On Thursday, 14 September 2017 16:00:35 UTC+1, Inigo Barreira wrote: > Well, finally this is a business and I don´t think none on this list is > working for free. At the end everyone has his/her salary, etc. But that was > not the main reason because getting included in the root programs takes

FW: StartCom inclusion request: next steps

2017-09-14 Thread Inigo Barreira via dev-security-policy
All, Obviously this is not the message we would like to read and will try to explain and rebate as much as possible some of the comments posted here. > > The Mozilla CA Certificates team has been considering what the appropriate > next steps are for the inclusion request from the CA