Re: Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

On Mon, Nov 16, 2020 at 02:17:37AM +, Nick Lamb wrote: > On Mon, 16 Nov 2020 10:13:16 +1100 > Matt Palmer via dev-security-policy > wrote: > > I doubt it. So far, every CA that's decided to come up with their own > > method of proving key compromise has produced something entirely > >

Re: Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

On 15/11/2020 9:44 μ.μ., Ryan Sleevi wrote: Thanks for chiming-in Peter, I have always considered this revocation reason as the absolutely "last resort" for CAs when it comes to revocation of Certificates. Especially for the revocation of end-entity Certificates for

Re: Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

On Mon, 16 Nov 2020 10:13:16 +1100 Matt Palmer via dev-security-policy wrote: > I doubt it. So far, every CA that's decided to come up with their own > method of proving key compromise has produced something entirely > proprietary to themselves. At least two CAs (and from what I can tell likely

Re: Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

On Sun, Nov 15, 2020 at 04:52:38AM +, Nick Lamb via dev-security-policy wrote: > This makes clear that the CA must have at least one of these "clearly > specified" accepted methods which ought to actually help Matt get some > traction. I doubt it. So far, every CA that's decided to come up

Re: Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

On Sun, Nov 15, 2020 at 6:02 AM Dimitris Zacharopoulos wrote: > > > On 2020-11-15 1:04 π.μ., Peter Bowen via dev-security-policy wrote: > > On Sat, Nov 14, 2020 at 2:05 PM Ryan Sleevi via dev-security-policy > > wrote: > >> So, perhaps now that we've had this conversation, and you've learned >

Re: Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

On Sat, Nov 14, 2020 at 11:52 PM Nick Lamb wrote: > On Sat, 14 Nov 2020 17:05:26 -0500 > Ryan Sleevi wrote: > > > I don't entirely appreciate being told that I don't know what I'm > > talking about, which is how this reply comes across, but as I've > > stated several times, the _original_

Re: Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

On 2020-11-15 1:04 π.μ., Peter Bowen via dev-security-policy wrote: On Sat, Nov 14, 2020 at 2:05 PM Ryan Sleevi via dev-security-policy wrote: So, perhaps now that we've had this conversation, and you've learned about potentially illegitimate revocations are a thing, but that they were not

Re: Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

On 2020-11-14 5:01 π.μ., Ryan Sleevi wrote: I believe it's possible to do, with the original language, but this requires the CA to proactively take steps to address that in their CP/CPS. That is, I think it'd be reasonable for an auditor to conclude that, if a CA stated "We do X, Y, Z" in

Re: Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

On Sat, 14 Nov 2020 17:05:26 -0500 Ryan Sleevi wrote: > I don't entirely appreciate being told that I don't know what I'm > talking about, which is how this reply comes across, but as I've > stated several times, the _original_ language is sufficient here, > it's the modified language that's

Re: Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

On Sat, Nov 14, 2020 at 09:42:48PM +, Nick Lamb via dev-security-policy wrote: > This boilerplate does not actually achieve any of those things, and > you've offered no evidence that it could do so. If anything it > encourages CAs *not* to actually offer what we wanted: a clearly > documented

Re: Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

On Sat, Nov 14, 2020 at 6:05 PM Peter Bowen wrote: > On Sat, Nov 14, 2020 at 2:05 PM Ryan Sleevi via dev-security-policy > wrote: > > > > So, perhaps now that we've had this conversation, and you've learned > about > > potentially illegitimate revocations are a thing, but that they were not > >

Re: Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

On Sat, Nov 14, 2020 at 4:42 PM Nick Lamb wrote: > To the extent your preferred policy is actually even about issue #205 > (see later) it's not really addressing the actual problem we have, > whereas the original proposed language does that. > I don't entirely appreciate being told that I don't

Re: Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

On Fri, 13 Nov 2020 21:06:30 -0500 Ryan Sleevi via dev-security-policy wrote: > Right, I can see by my failing to explicitly state you were > misunderstanding my position in both parts of your previous mail, you > may have believed you correctly understood it, and not picked up on > all of my

Re: Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

On Fri, Nov 13, 2020 at 6:11 PM Dimitris Zacharopoulos wrote: > > > On 2020-11-13 7:17 μ.μ., Ryan Sleevi wrote: > > > > On Fri, Nov 13, 2020 at 2:55 AM Dimitris Zacharopoulos > wrote: > >> There is transparency that the CA has evaluated some reporting >> mechanisms and these will be documented

Re: Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

Right, I can see by my failing to explicitly state you were misunderstanding my position in both parts of your previous mail, you may have believed you correctly understood it, and not picked up on all of my reply. To be very clear: "secret" document is not what you described, as a way for a CA

Re: Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

On Fri, 13 Nov 2020 12:11:57 -0500 Ryan Sleevi via dev-security-policy wrote: > I want it to be explicit whether or not a CA is making a restrictive > set or not. That is, it should be clear if a CA is saying "We will > only accept these specific methods" or if the CA is saying "We will > accept

Re: Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

On 2020-11-13 7:17 μ.μ., Ryan Sleevi wrote: On Fri, Nov 13, 2020 at 2:55 AM Dimitris Zacharopoulos mailto:ji...@it.auth.gr>> wrote: There is transparency that the CA has evaluated some reporting mechanisms and these will be documented in the CPS. However, on an issue like

Re: Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

On Fri, Nov 13, 2020 at 2:55 AM Dimitris Zacharopoulos wrote: > There is transparency that the CA has evaluated some reporting > mechanisms and these will be documented in the CPS. However, on an issue > like compromised key reporting, there is no single recipe that covers > all possible and

Re: Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

On Thu, Nov 12, 2020 at 10:51 PM Nick Lamb via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Thu, 12 Nov 2020 15:51:55 -0500 > Ryan Sleevi via dev-security-policy > wrote: > > > I would say the first goal is transparency, and I think that both > > proposals try to

Re: Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

On 12/11/2020 10:51 μ.μ., Ryan Sleevi via dev-security-policy wrote: On Thu, Nov 12, 2020 at 1:39 PM Ben Wilson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On Thu, Nov 12, 2020 at 2:57 AM Dimitris Zacharopoulos wrote: I believe this information should be the

Re: Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

On Thu, 12 Nov 2020 15:51:55 -0500 Ryan Sleevi via dev-security-policy wrote: > I would say the first goal is transparency, and I think that both > proposals try to accomplish that baseline level of providing some > transparency. Where I think it's different is that the concern > Dimitris raised

Re: Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

On Thu, Nov 12, 2020 at 1:39 PM Ben Wilson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Thu, Nov 12, 2020 at 2:57 AM Dimitris Zacharopoulos > wrote: > > > > > I believe this information should be the "minimum" accepted methods of > > proving that a Private Key is

Re: Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

On 2020-11-12 8:38 μ.μ., Ben Wilson wrote: On Thu, Nov 12, 2020 at 2:57 AM Dimitris Zacharopoulos mailto:ji...@it.auth.gr>> wrote: I believe this information should be the "minimum" accepted methods of proving that a Private Key is compromised. We should allow CAs to

Re: Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

On Thu, Nov 12, 2020 at 2:57 AM Dimitris Zacharopoulos wrote: > > I believe this information should be the "minimum" accepted methods of > proving that a Private Key is compromised. We should allow CAs to accept > other methods without the need to first update their CP/CPS. Do people > think

Re: Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

On 5/11/2020 10:33 μ.μ., Ben Wilson via dev-security-policy wrote: This email begins discussion of a potential change to section 6 of the Mozilla Root Store Policy . The method by which a person

Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

This email begins discussion of a potential change to section 6 of the Mozilla Root Store Policy . The method by which a person may provide a CA with proof of private key compromise has been an