RE: CA Validation quality is failing

2017-05-09 Thread Jeremy Rowley via dev-security-policy
12:09 PM To: r...@sleevi.com Cc: mozilla-dev-security-pol...@lists.mozilla.org; Gervase Markham <g...@mozilla.org> Subject: RE: CA Validation quality is failing Okay – we’ll add them all to CT over the next couple of days. From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Tuesday, May 2

Re: CA Validation quality is failing

2017-05-02 Thread Jakob Bohm via dev-security-policy
On 02/05/2017 17:30, Rob Stradling wrote: On 02/05/17 16:11, Alex Gaynor via dev-security-policy wrote: I know several CAs are using certlint (https://github.com/awslabs/certlint) as a pre-issuance check that the cert they're about to issue doesn't have any programmatically detectable

RE: CA Validation quality is failing

2017-05-02 Thread Jeremy Rowley via dev-security-policy
.mozilla.org Subject: Re: CA Validation quality is failing (Still wearing Google Hat in this context) I think sharing a list (in CT) of the certs is good and can help verify the assertions made here :) But overall, I think this sounds right and the risk is minimal to our users, so not re

RE: CA Validation quality is failing

2017-05-02 Thread Jeremy Rowley via dev-security-policy
la.org Subject: Re: CA Validation quality is failing On 02/05/17 00:01, Ryan Sleevi wrote: > Thank you for > 1) Disclosing the details to a sufficient level of detail immediately > 2) Providing regular updates and continued investigation > 3) Confirming the acceptability of the plan b

Re: CA Validation quality is failing

2017-05-02 Thread Rob Stradling via dev-security-policy
cert.com> *Cc:* Gervase Markham <g...@mozilla.org>; mozilla-dev-security-policy@ lists.mozilla.org *Subject:* Re: CA Validation quality is failing On Mon, May 1, 2017 at 3:41 PM, Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: Th

Re: CA Validation quality is failing

2017-05-02 Thread Alex Gaynor via dev-security-policy
> > > > > > > > What else would you like to know? > > > > > > > > Jeremy > > > > > > > > *From:* Ryan Sleevi [mailto:r...@sleevi.com] > > *Sent:* Monday, May 1, 2017 5:01 PM > > *To:* Jeremy Rowley <jeremy.row...

Re: CA Validation quality is failing

2017-05-02 Thread Ryan Sleevi via dev-security-policy
:* Ryan Sleevi [mailto:r...@sleevi.com] > *Sent:* Monday, May 1, 2017 5:01 PM > *To:* Jeremy Rowley <jeremy.row...@digicert.com> > *Cc:* Gervase Markham <g...@mozilla.org>; mozilla-dev-security-policy@ > lists.mozilla.org > *Subject:* Re: CA Validation quality is failing &

Re: CA Validation quality is failing

2017-05-02 Thread Gervase Markham via dev-security-policy
On 02/05/17 00:01, Ryan Sleevi wrote: > Thank you for > 1) Disclosing the details to a sufficient level of detail immediately > 2) Providing regular updates and continued investigation > 3) Confirming the acceptability of the plan before implementing it, and > with sufficient detail to understand

RE: CA Validation quality is failing

2017-05-01 Thread Jeremy Rowley via dev-security-policy
mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: CA Validation quality is failing On Mon, May 1, 2017 at 3:41 PM, Jeremy Rowley via dev-security-policy <dev-security-policy@lists.mozilla.org <mailto:dev-security-policy@lists.mozilla.org> > wrote: There isn't anything in o

Re: CA Validation quality is failing

2017-05-01 Thread Ryan Sleevi via dev-security-policy
On Mon, May 1, 2017 at 3:41 PM, Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > There isn't anything in our CPS directly. However, we state that we follow > the baseline requirements in the CPS. The baseline requirements give a > profile for the state

RE: CA Validation quality is failing

2017-05-01 Thread Jeremy Rowley via dev-security-policy
Original Message- From: Gervase Markham [mailto:g...@mozilla.org] Sent: Thursday, April 27, 2017 2:41 AM To: Jeremy Rowley <jeremy.row...@digicert.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: CA Validation quality is failing On 27/04/17 00:16, Jeremy Rowley wro

RE: CA Validation quality is failing

2017-04-26 Thread Jeremy Rowley via dev-security-policy
ozilla-dev-security-pol...@lists.mozilla.org> Subject: RE: CA Validation quality is failing Thanks Mike for bringing this up. We’ve looked into it and have an initial report to share. After receiving the email on the Mozilla list, we investigated the identified certificates and discovered a cou

Re: CA Validation quality is failing

2017-04-20 Thread Ryan Sleevi via dev-security-policy
On Thu, Apr 20, 2017 at 6:42 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > One thing: > > Could this be a result of the common (among CAs) bug of requiring entry > of a US/Canada State/Province regardless of country, forcing applicants > to fill in

Re: CA Validation quality is failing

2017-04-20 Thread Jakob Bohm via dev-security-policy
gt; Cc: Ben Wilson <ben.wil...@digicert.com>; mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org> Subject: RE: CA Validation quality is failing I’m looking into it right now. I’ll report back shortly. Jeremy From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: W

Re: CA Validation quality is failing

2017-04-20 Thread Peter Gutmann via dev-security-policy
Ryan Sleevi writes: >For an EV cert, you look in  >https://cabforum.org/wp-content/uploads/EV-V1_6_1.pdf It was meant as a rhetorical question, the OP asked whether doing XYZ in an EV certificate was allowed and I was pointing out that the CAB Forum guidelines should

RE: CA Validation quality is failing

2017-04-19 Thread Jeremy Rowley via dev-security-policy
To: r...@sleevi.com; Mike vd Ent <pasarellaph...@gmail.com> Cc: Ben Wilson <ben.wil...@digicert.com>; mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org> Subject: RE: CA Validation quality is failing I’m looking into it right now. I’ll report back shortly.

Re: CA Validation quality is failing

2017-04-19 Thread Kurt Roeckx via dev-security-policy
On Wed, Apr 19, 2017 at 09:00:22PM -0400, Ryan Sleevi wrote: > On Wed, Apr 19, 2017 at 7:53 PM, Kurt Roeckx via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > > (It was a code sign certificate, but I expect if it's labeled EV > > that the same things apply.) > > > >

Re: CA Validation quality is failing

2017-04-19 Thread Kurt Roeckx via dev-security-policy
On Wed, Apr 19, 2017 at 11:58:28PM +, Jeremy Rowley wrote: > That was changed in ballot 127. Which is adopted in july 2014. This was somewhere in 2016. As I understood it, they didn't ask for the HR department, just someone else. That might of course be a misunderstanding of what was asked,

Re: CA Validation quality is failing

2017-04-19 Thread Ryan Sleevi via dev-security-policy
On Wed, Apr 19, 2017 at 7:53 PM, Kurt Roeckx via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > (It was a code sign certificate, but I expect if it's labeled EV > that the same things apply.) > Not necessarily. A separate set of guidelines cover those -

RE: CA Validation quality is failing

2017-04-19 Thread Jeremy Rowley via dev-security-policy
gut...@cs.auckland.ac.nz> Cc: Ryan Sleevi <r...@sleevi.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: CA Validation quality is failing On Wed, Apr 19, 2017 at 10:41:33PM +, Peter Gutmann via dev-security-policy wrote: > Kurt Roeckx via dev-security-policy <dev-security-policy

Re: CA Validation quality is failing

2017-04-19 Thread Kurt Roeckx via dev-security-policy
On Wed, Apr 19, 2017 at 10:41:33PM +, Peter Gutmann via dev-security-policy wrote: > Kurt Roeckx via dev-security-policy > writes: > > >Both the localityName and stateOrProvinceName are Almere, while the province > >is Flevoland. > > How much

Re: CA Validation quality is failing

2017-04-19 Thread Vincent Lynch via dev-security-policy
Hi Peter, EV requirements are actually dictated by a separate set of guidelines: https://cabforum.org/extended-validation/ They do go into detail about how to verify applicant information. It covers how you verify the company is legally established, where its physically operating, etc. As you

Re: CA Validation quality is failing

2017-04-19 Thread Ryan Sleevi via dev-security-policy
On Wed, Apr 19, 2017 at 6:41 PM, Peter Gutmann via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Kurt Roeckx via dev-security-policy > writes: > > >Both the localityName and stateOrProvinceName are Almere, while the > province > >is

Re: CA Validation quality is failing

2017-04-19 Thread Peter Gutmann via dev-security-policy
Kurt Roeckx via dev-security-policy writes: >Both the localityName and stateOrProvinceName are Almere, while the province >is Flevoland. How much checking is a CA expected to do here? I know that OV and DV certs are just "someone at this site responded

Re: CA Validation quality is failing

2017-04-19 Thread Mike vd Ent via dev-security-policy
c: mozilla-dev-security-policy > <mozilla-dev-security-pol...@lists.mozilla.org>; Jeremy Rowley > <jeremy.row...@digicert.com>; Ben Wilson <ben.wil...@digicert.com> > Subject: Re: CA Validation quality is failing > > > > > > > >

RE: CA Validation quality is failing

2017-04-19 Thread Jeremy Rowley via dev-security-policy
eremy Rowley <jeremy.row...@digicert.com>; Ben Wilson <ben.wil...@digicert.com> Subject: Re: CA Validation quality is failing On Wed, Apr 19, 2017 at 3:47 PM, Mike vd Ent via dev-security-policy <dev-security-policy@lists.mozilla.org <mailto:dev-security-policy@lists.mo

Re: CA Validation quality is failing

2017-04-19 Thread Ryan Sleevi via dev-security-policy
On Wed, Apr 19, 2017 at 3:47 PM, Mike vd Ent via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Ryan, > > My answers on the particular issues are stated inline. > But the thing I want to address is how could (in this case Digicert) > validate such data and issues

Re: CA Validation quality is failing

2017-04-19 Thread Mike vd Ent via dev-security-policy
Ryan, My answers on the particular issues are stated inline. But the thing I want to address is how could (in this case Digicert) validate such data and issues certificates? I am investigation more of them and afraid even linked company names or registration numbers could be false. Shouldn't

Re: CA Validation quality is failing

2017-04-19 Thread Kurt Roeckx via dev-security-policy
On Wed, Apr 19, 2017 at 12:28:16PM -0700, Ryan Sleevi via dev-security-policy wrote: > > https://portal.mobilitymixx.nl > > I'm not sure I understand enough to know what the issues are here. Could you > explain? Both the localityName and stateOrProvinceName are Almere, while the province is