Re: PEM of root certs in Mozilla's root store

2020-10-19 Thread Jakob Bohm via dev-security-policy
On 2020-10-17 01:38, Ryan Sleevi wrote: On Fri, Oct 16, 2020 at 5:27 PM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: RFC4180 section 3 explicitly warns that there are other variants and specifications of the CSV format, and thus the full generalizations in

Re: PEM of root certs in Mozilla's root store

2020-10-16 Thread Ryan Sleevi via dev-security-policy
On Fri, Oct 16, 2020 at 5:27 PM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> RFC4180 section 3 explicitly warns that there are other variants and specifications of the CSV format, and thus the full generalizations in RFC4180 should not be exploited to

Re: PEM of root certs in Mozilla's root store

2020-10-16 Thread Jakob Bohm via dev-security-policy
On 2020-10-16 14:11, Ryan Sleevi wrote: On Thu, Oct 15, 2020 at 7:44 PM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: On 2020-10-15 11:57, Ryan Sleevi wrote: On Thu, Oct 15, 2020 at 1:14 AM Jakob Bohm via dev-security-policy <

Re: PEM of root certs in Mozilla's root store

2020-10-16 Thread Ryan Sleevi via dev-security-policy
On Thu, Oct 15, 2020 at 7:44 PM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On 2020-10-15 11:57, Ryan Sleevi wrote:
> > On Thu, Oct 15, 2020 at 1:14 AM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> >
> >>> For

Re: PEM of root certs in Mozilla's root store

2020-10-15 Thread Jakob Bohm via dev-security-policy
On 2020-10-15 11:57, Ryan Sleevi wrote: On Thu, Oct 15, 2020 at 1:14 AM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: For example, embedded new lines are discussed in 2.6 and the ABNF therein. The one difference from RFC4180 is that CR and LF are not

Re: PEM of root certs in Mozilla's root store

2020-10-15 Thread Ryan Sleevi via dev-security-policy
On Thu, Oct 15, 2020 at 1:14 AM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> > For example, embedded new lines are discussed in 2.6 and the ABNF therein.
> >
> > The one difference from RFC4180 is that CR and LF are not part of the alternatives for the

Re: PEM of root certs in Mozilla's root store

2020-10-14 Thread Jakob Bohm via dev-security-policy
On 2020-10-15 04:52, Ryan Sleevi wrote: On Wed, Oct 14, 2020 at 7:31 PM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: Only the CSV form now contains CSV artifacts. And it isn't really CSV either (even if Microsoft Excel handles it). Hi Jakob, Could you

Re: PEM of root certs in Mozilla's root store

2020-10-14 Thread Ryan Sleevi via dev-security-policy
On Wed, Oct 14, 2020 at 7:31 PM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Only the CSV form now contains CSV artifacts. And it isn't really CSV either (even if Microsoft Excel handles it).
Hi Jakob, Could you be more precise here? Embedded new

Re: PEM of root certs in Mozilla's root store

2020-10-14 Thread Jakob Bohm via dev-security-policy
On 2020-10-15 00:16, Kathleen Wilson wrote: The text version has been updated to have each line limited to 64 characters. Text: https://ccadb-public.secure.force.com/mozilla/IncludedRootsPEMTxt?TrustBitsInclude=Websites

Re: PEM of root certs in Mozilla's root store

2020-10-14 Thread Kathleen Wilson via dev-security-policy
The text version has been updated to have each line limited to 64 characters. Text: https://ccadb-public.secure.force.com/mozilla/IncludedRootsPEMTxt?TrustBitsInclude=Websites https://ccadb-public.secure.force.com/mozilla/IncludedRootsPEMTxt?TrustBitsInclude=Email CSV:

Re: PEM of root certs in Mozilla's root store

2020-10-14 Thread Jakob Bohm via dev-security-policy
On 2020-10-13 16:32, Ryan Sleevi wrote: Jakob, I had a little trouble following your mail, despite being quite familiar with PEM, so hopefully you'll indulge me in making sure I've got your criticisms/complaints correct. Your objection to the text report is that RFC 7468 requires generators to

Re: PEM of root certs in Mozilla's root store

2020-10-13 Thread Ryan Sleevi via dev-security-policy
Jakob, I had a little trouble following your mail, despite being quite familiar with PEM, so hopefully you'll indulge me in making sure I've got your criticisms/complaints correct. Your objection to the text report is that RFC 7468 requires generators to wrap lines (except the last line) at

Re: PEM of root certs in Mozilla's root store

2020-10-13 Thread Jakob Bohm via dev-security-policy
On 2020-10-12 20:50, Kathleen Wilson wrote: On 10/7/20 1:09 PM, Jakob Bohm wrote: Please note that at least the first CSV download is not really a CSV file, as there are line feeds within each "PEM" value, and only one column.  It would probably be more useful as a simple concatenated PEM

Re: PEM of root certs in Mozilla's root store

2020-10-12 Thread Kathleen Wilson via dev-security-policy
On 10/7/20 1:09 PM, Jakob Bohm wrote: Please note that at least the first CSV download is not really a CSV file, as there are line feeds within each "PEM" value, and only one column.  It would probably be more useful as a simple concatenated PEM file, as used by various software packages as a

Re: PEM of root certs in Mozilla's root store

2020-10-07 Thread Kathleen Wilson via dev-security-policy
On 10/7/20 9:30 AM, Matthew Hardeman wrote: Would it be unreasonable to also consider publishing, as an "easy to use" list, that set of only those anchors which are currently trusted in the program and for which no exceptional in-product policy enforcement is imposed? (TLD constraints,

Re: PEM of root certs in Mozilla's root store

2020-10-07 Thread Kathleen Wilson via dev-security-policy
On 10/6/20 7:09 PM, Ryan Sleevi wrote: It seems like there should be a link to https://wiki.mozilla.org/CA/FAQ#Can_I_use_Mozilla.27s_set_of_CA_certificates.3F there I added that link to https://wiki.mozilla.org/CA/Included_Certificates Thanks, Kathleen

Re: PEM of root certs in Mozilla's root store

2020-10-07 Thread Jakob Bohm via dev-security-policy
On 2020-10-06 23:47, Kathleen Wilson wrote: All, I've been asked to publish Mozilla's root store in a way that is easy to consume by downstreams, so I have added the following to https://wiki.mozilla.org/CA/Included_Certificates CCADB Data Usage Terms

Re: PEM of root certs in Mozilla's root store

2020-10-07 Thread Matthew Hardeman via dev-security-policy
Would it be unreasonable to also consider publishing, as an "easy to use" list, that set of only those anchors which are currently trusted in the program and for which no exceptional in-product policy enforcement is imposed? (TLD constraints, provisional distrusts, etc.) The lazier implementers

Re: PEM of root certs in Mozilla's root store

2020-10-06 Thread Ryan Sleevi via dev-security-policy
It seems like there should be a link to https://wiki.mozilla.org/CA/FAQ#Can_I_use_Mozilla.27s_set_of_CA_certificates.3F there I realize there’s a tension between making this easily consumable, and the fact that “easily consumed” doesn’t and can’t relieve an organization of having to be

PEM of root certs in Mozilla's root store

2020-10-06 Thread Kathleen Wilson via dev-security-policy
All, I've been asked to publish Mozilla's root store in a way that is easy to consume by downstreams, so I have added the following to https://wiki.mozilla.org/CA/Included_Certificates CCADB Data Usage Terms PEM of Root