RE: Mozilla Policy Requirements CA Incidents

2019-10-15 Thread Jeremy Rowley via dev-security-policy
that is a one-off concern. From: Ryan Sleevi Sent: Monday, October 14, 2019 4:12 PM To: Ryan Sleevi Cc: Jeremy Rowley ; Wayne Thayer ; mozilla-dev-security-policy Subject: Re: Mozilla Policy Requirements CA Incidents In the spirit of improving transparency, I've gone and filed https://github.com

Re: Mozilla Policy Requirements CA Incidents

2019-10-14 Thread Ryan Sleevi via dev-security-policy
In the spirit of improving transparency, I've gone and filed https://github.com/mozilla/pkipolicy/issues/192 , which is specific to auditors. However, I want to highlight this model (the model used by the US Federal PKI), because it may also provide a roadmap for dealing with issues like this /

Re: Mozilla Policy Requirements CA Incidents

2019-10-08 Thread Ryan Sleevi via dev-security-policy
On Tue, Oct 8, 2019 at 8:16 PM Jeremy Rowley wrote: > I think requiring publication of profiles for certs is a good idea. It’s > part of what I’ve wanted to publish as part of our CPS. You can see most of > our profiles here: >

RE: Mozilla Policy Requirements CA Incidents

2019-10-08 Thread Jeremy Rowley via dev-security-policy
Rowley Cc: Wayne Thayer ; Ryan Sleevi ; mozilla-dev-security-policy Subject: Re: Mozilla Policy Requirements CA Incidents On Tue, Oct 8, 2019 at 6:42 PM Jeremy Rowley <jeremy.row...@digicert.com> wrote: Tackling Sub CA renewals/issuance from a compliance perspective is difficult b

Re: Mozilla Policy Requirements CA Incidents

2019-10-08 Thread Ryan Sleevi via dev-security-policy
(Sorry for the second e-mail, Erwann is still having some Groups issues - this will be the one that shows up on the list) On Tue, Oct 8, 2019 at 6:43 PM Erwann Abalea via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > If this is to be read as an exclusive choice, then how do

Re: Mozilla Policy Requirements CA Incidents

2019-10-08 Thread Ryan Sleevi via dev-security-policy
On Tue, Oct 8, 2019 at 6:42 PM Jeremy Rowley wrote: > Tackling Sub CA renewals/issuance from a compliance perspective is > difficult because of the number of manual components involved. You have the > key ceremony, the scripting, and all of the formal process involved. > Because the root is

Re: Mozilla Policy Requirements CA Incidents

2019-10-08 Thread Erwann Abalea via dev-security-policy
Good evening, On Monday, 7 October 2019 at 20:53:11 UTC+2, Ryan Sleevi wrote: [...] > # Intermediates that do not comply with the EKU requirements > > In September 2018 [1], Mozilla sent a CA Communications reminding CAs about > the changes in Policy 2.6.1. One specific change, called to attention in >

RE: Mozilla Policy Requirements CA Incidents

2019-10-08 Thread Jeremy Rowley via dev-security-policy
that they “are” different, but that’s been changing. I’m definitely looking forward to hearing what other CAs do. Jeremy From: Wayne Thayer Sent: Tuesday, October 8, 2019 3:20 PM To: Ryan Sleevi Cc: Jeremy Rowley ; mozilla-dev-security-policy Subject: Re: Mozilla Policy Requirements CA Incidents Ryan

Re: Mozilla Policy Requirements CA Incidents

2019-10-08 Thread Ryan Sleevi via dev-security-policy
To try and minimize some of the tone-policing, ad hominem, arguments from authority, and thread-jacking, especially on-list, let's circle back to the subject of this thread, and hopefully you can offer constructive solutions there. Is my understanding correct that your concern is you don't believe

Re: Mozilla Policy Requirements CA Incidents

2019-10-08 Thread Paul Walsh via dev-security-policy
> On Oct 8, 2019, at 12:44 PM, Ryan Sleevi wrote: > > Paul, [snip] > It does not seem you're interested in finding solutions for the issues, [PW] You are mixing things up Ryan. I am interested in finding solutions to issues. I specifically kept my message on point, which was your tone and

Re: Mozilla Policy Requirements CA Incidents

2019-10-08 Thread Matthew Hardeman via dev-security-policy
My apologies. I messed up when trimming that down. I was quoting Ryan Sleevi there. On Tue, Oct 8, 2019 at 2:55 PM Paul Walsh wrote: > > On Oct 8, 2019, at 12:51 PM, Matthew Hardeman wrote: > > > On Tue, Oct 8, 2019 at 2:10 PM Ryan Sleevi via dev-security-policy < >

Re: Mozilla Policy Requirements CA Incidents

2019-10-08 Thread Paul Walsh via dev-security-policy
> On Oct 8, 2019, at 12:51 PM, Matthew Hardeman wrote: > > > On Tue, Oct 8, 2019 at 2:10 PM Ryan Sleevi via dev-security-policy > > wrote: > On Tue, Oct 8, 2019 at 2:44 PM Paul Walsh > wrote: > > so we need better

Re: Mozilla Policy Requirements CA Incidents

2019-10-08 Thread Matthew Hardeman via dev-security-policy
On Tue, Oct 8, 2019 at 2:10 PM Ryan Sleevi via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Tue, Oct 8, 2019 at 2:44 PM Paul Walsh wrote: > > so we need better solutions. It's also being willing to acknowledge that if > we can't find systemic fixes, it may be that we

Re: Mozilla Policy Requirements CA Incidents

2019-10-08 Thread Ryan Sleevi via dev-security-policy
Paul, If you'd like to continue this conversation, might I respectfully ask you take it elsewhere from this thread? It does not seem you're interested in finding solutions for the issues, and you've continued to shift your message, so perhaps it might be better to continue that discussion

Re: Mozilla Policy Requirements CA Incidents

2019-10-08 Thread Paul Walsh via dev-security-policy
Ryan, You just proved me right by saying I’m confused because I hold an opinion about how you conduct yourself when collaborating with industry stakeholders. My observations are the same across the board. I don’t think I’m confused. But you’re welcome to disagree with me. And, it’s not

Re: Mozilla Policy Requirements CA Incidents

2019-10-08 Thread Ryan Sleevi via dev-security-policy
On Tue, Oct 8, 2019 at 2:44 PM Paul Walsh wrote: > Dear Ryan, > > It would help a great deal, if you tone down your constant insults towards > the entire CA world. Questioning whether you should trust any CA is a > bridge too far. > Instead, why don’t you try to focus on specific issues with

Re: Mozilla Policy Requirements CA Incidents

2019-10-08 Thread Paul Walsh via dev-security-policy
I read Jeremy’s last response before posting my comment. Dear Ryan, It would help a great deal, if you tone down your constant insults towards the entire CA world. Questioning whether you should trust any CA is a bridge too far. Instead, why don’t you try to focus on specific issues with

Re: Mozilla Policy Requirements CA Incidents

2019-10-08 Thread Ryan Sleevi via dev-security-policy
On the topic of root causes, there's also https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3425554 that was recently published. I'm not sure if that was peer reviewed, but it does provide an analysis of m.d.s.p and Bugzilla. I have some concerns about the study methodology (for example, when

RE: Mozilla Policy Requirements CA Incidents

2019-10-07 Thread Jeremy Rowley via dev-security-policy
to previous years and see what the CA is doing that will make the next year even better. Jeremy From: Ryan Sleevi Sent: Monday, October 7, 2019 6:45 PM To: Jeremy Rowley Cc: mozilla-dev-security-policy ; r...@sleevi.com Subject: Re: Mozilla Policy Requirements CA Incidents On Mon, Oct

Re: Mozilla Policy Requirements CA Incidents

2019-10-07 Thread Ryan Sleevi via dev-security-policy
On Mon, Oct 7, 2019 at 7:06 PM Jeremy Rowley wrote: > Interesting. I can't tell with the Netlock certificate, but the other > three non-EKU intermediates look like replacements for intermediates that > were issued before the policy date and then reissued after the compliance > date. The

RE: Mozilla Policy Requirements CA Incidents

2019-10-07 Thread Jeremy Rowley via dev-security-policy
Interesting. I can't tell with the Netlock certificate, but the other three non-EKU intermediates look like replacements for intermediates that were issued before the policy date and then reissued after the compliance date. The industry has established that renewal and new issuance are