Re: How long to resolve unaudited unconstrained intermediates?

2017-07-21 Thread Rob Stradling via dev-security-policy
On 20/07/17 15:24, Gervase Markham via dev-security-policy wrote: On 12/07/17 21:18, Ben Wilson wrote: For CAs with emailProtection and proper name constraints, where would such CAs appear in https://crt.sh/mozilla-disclosures? https://crt.sh/mozilla-disclosures#constrainedother? Or a new

Re: How long to resolve unaudited unconstrained intermediates?

2017-07-20 Thread Gervase Markham via dev-security-policy
On 12/07/17 21:18, Ben Wilson wrote: > For CAs with emailProtection and proper name constraints, where would such > CAs appear in > https://crt.sh/mozilla-disclosures? > >

Re: How long to resolve unaudited unconstrained intermediates?

2017-07-12 Thread Kurt Roeckx via dev-security-policy
On Wed, Jul 12, 2017 at 12:12:13PM -0400, Ryan Sleevi wrote: > > Consider, for example, a client that does not support path discovery > (which, for example, includes most actively-deployed OpenSSL versions). If > one were to extract certdata.txt into trust and distrust records, with the >

RE: How long to resolve unaudited unconstrained intermediates?

2017-07-12 Thread Ben Wilson via dev-security-policy
gicert@lists.mozilla.org <mailto:digicert@lists.mozilla.org> ] On Behalf Of Nick Lamb via dev-security-policy Sent: Tuesday, July 11, 2017 7:57 AM To: mozilla-dev-security-pol...@lists.mozilla.org <mailto:mozilla-dev-security-pol...@lists.mozilla.org> Subject: Re: How long to resolve unaudi

Re: How long to resolve unaudited unconstrained intermediates?

2017-07-12 Thread Ryan Sleevi via dev-security-policy
On Wed, Jul 12, 2017 at 10:40 AM, Kurt Roeckx via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 2017-07-12 16:12, Ryan Sleevi wrote: > >> I don't know if this currently happens, but I would like to see all CA >>> certificates that are in OneCRL but are not revoked to be

Re: How long to resolve unaudited unconstrained intermediates?

2017-07-12 Thread Kurt Roeckx via dev-security-policy
On 2017-07-12 16:12, Ryan Sleevi wrote: I don't know if this currently happens, but I would like to see all CA certificates that are in OneCRL but are not revoked to be added to the root store as distrusted too. Why? I can share reasons why it might not be desirable, but rather than start out

Re: How long to resolve unaudited unconstrained intermediates?

2017-07-12 Thread Ryan Sleevi via dev-security-policy
On Wed, Jul 12, 2017 at 6:03 AM, Kurt Roeckx via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 2017-07-11 15:56, Nick Lamb wrote: > >> On Tuesday, 11 July 2017 10:56:43 UTC+1, Kurt Roeckx wrote:> >> >>> So at least some of them have been notified more than 3 months

Re: How long to resolve unaudited unconstrained intermediates?

2017-07-12 Thread Kurt Roeckx via dev-security-policy
On 2017-07-11 15:56, Nick Lamb wrote: On Tuesday, 11 July 2017 10:56:43 UTC+1, Kurt Roeckx wrote:> So at least some of them have been notified more than 3 months ago, and a bug was filed a month later. I think you already gave them too much time to at least respond to it, and suggest that you

Re: How long to resolve unaudited unconstrained intermediates?

2017-07-11 Thread Nick Lamb via dev-security-policy
On Tuesday, 11 July 2017 10:56:43 UTC+1, Kurt Roeckx wrote:> > So at least some of them have been notified more than 3 months ago, and > a bug was filed a month later. I think you already gave them too much > time to at least respond to it, and suggest that you sent a new email > indicating

Re: How long to resolve unaudited unconstrained intermediates?

2017-07-11 Thread Kurt Roeckx via dev-security-policy
On 2017-07-10 18:35, Alex Gaynor wrote: Hi all, I wanted to call some attention to a few intermediates which have been hanging out in the "Audit required" section for quite a while: https://crt.sh/mozilla-disclosures#disclosureincomplete Specifically, the TurkTrust and Firmaprofesional ones.

How long to resolve unaudited unconstrained intermediates?

2017-07-10 Thread Alex Gaynor via dev-security-policy
Hi all, I wanted to call some attention to a few intermediates which have been hanging out in the "Audit required" section for quite a while: https://crt.sh/mozilla-disclosures#disclosureincomplete Specifically, the TurkTrust and Firmaprofesional ones. Both have issues open in Bugzilla: -