Re: Remediation Plan for WoSign and StartCom

Just came across the following Phishing site which is using a StartCom cert: hXXps://serviices-intl.com/webapps/6fa9b/websrc On 11/2/16, 6:32 PM, "dev-security-policy on behalf of Itzhak Daniel"

Re: Remediation Plan for WoSign and StartCom

On Wednesday, November 2, 2016 at 5:22:30 PM UTC+2, Gervase Markham wrote: > Hi Daniel, > > On 02/11/16 14:11, Itzhak Daniel wrote: > As far as the DigiCert certs go, it is far too early to have an opinion > on what Mozilla is or isn't doing. I have to agree, the time span is too short (at least

Re: Remediation Plan for WoSign and StartCom

Hi Daniel, On 02/11/16 14:11, Itzhak Daniel wrote: > Interesting that Comodo and DigiCert are getting a different > treatment, As far as the DigiCert certs go, it is far too early to have an opinion on what Mozilla is or isn't doing. And let us remember, the WoSign incident involved multiple

Re: Remediation Plan for WoSign and StartCom

Hi dracenmarx, On 02/11/16 12:44, dracenm...@googlemail.com wrote: > (1) I did find any public answer from Apple, Google or Mozilla in > regards to the Remediation plan by StartCom. I have the feeling, that > the sanctions were applied without considering this document. ( >

Re: Remediation Plan for WoSign and StartCom

Interesting that Comodo and DigiCert are getting a different treatment, I wonder if WoSign/StartCom had ignored Mozilla Security Community at some degree, the same way Comodo and DigiCert are doing, would it saved them. (I don't know if there are chatters in the back, maybe I missed something

Re: Remediation Plan for WoSign and StartCom

I think that the steps against StartCom are too extreme and I would like to tell my personal opinion. First of all, I want to say that I don't have any benefits when I tell this opinion, since I personally already switched to a different CA. (1) I did find any public answer from Apple, Google

Re: Remediation Plan for WoSign and StartCom

On 24/10/16 06:55, Samuel Pinder wrote: > There's some good questions there, actually. OEM SSL, does that mean > another CA would be doing the validation and issuing using their own > infrastructure and team, which you would be reselling via a > constrained intermediate? I suspect he means

Re: Remediation Plan for WoSign and StartCom

ard > > From: Eric Mill [mailto:e...@konklone.com] > Sent: Monday, October 24, 2016 12:05 PM > To: Richard Wang <rich...@wosign.com> > Cc: Kathleen Wilson <kwil...@mozilla.com>; > mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Remediation Plan for WoSign a

RE: Remediation Plan for WoSign and StartCom

: Monday, October 24, 2016 12:05 PM To: Richard Wang <rich...@wosign.com> Cc: Kathleen Wilson <kwil...@mozilla.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Remediation Plan for WoSign and StartCom Hi Richard, A few questions - 1) Your post says "Ther

Re: Remediation Plan for WoSign and StartCom

> To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Remediation Plan for WoSign and StartCom > > On Thursday, October 20, 2016 at 6:59:08 PM UTC-7, Percy wrote: > > Kathleen, > > As most users affected by this decision are Chinese, will you be able to > make th

RE: Remediation Plan for WoSign and StartCom

, Richard -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Kathleen Wilson Sent: Friday, October 21, 2016 10:43 AM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Remediation Plan for WoSign

Re: Remediation Plan for WoSign and StartCom

Bonjour, Le vendredi 21 octobre 2016 12:48:21 UTC+2, marc@gmail.com a écrit : [...] > Just the opinion of a user who is securing services, websites and his mails > with certificates but is not capable of paying hundreds of Euros / Dollars > for achieving this goal every year. DV

Re: Remediation Plan for WoSign and StartCom

On Thu, Oct 20, 2016 at 1:57 PM, Kathleen Wilson wrote: > 1) Distrust certificates with a notBefore date after October 21, 2016 which > chain up to the following affected roots. If additional back-dating is > discovered (by any means) to circumvent this control, then

Re: Remediation Plan for WoSign and StartCom

On Sat, 22 Oct 2016 16:26:51 +0200, Jakob Bohm wrote: > Thus the need for those who obtaind OV code > signing certificates from StartCom to start looking for alternatives, > and my suggestion, as a public service, that someone here might chime > in with the names of small/individual developer

Re: Remediation Plan for WoSign and StartCom

On 22/10/2016 14:59, Ryan Sleevi wrote: On Saturday, October 22, 2016 at 5:11:29 AM UTC-7, Jakob Bohm wrote: Talking of codesigning, which root store does Chrome use to validate signatures on the PPAPI plug ins it is currently forcing developers to switch to? I've mentioned to you repeatedly

Re: Remediation Plan for WoSign and StartCom

On Saturday, October 22, 2016 at 5:11:29 AM UTC-7, Jakob Bohm wrote: > Talking of codesigning, which root store does Chrome use to validate > signatures on the PPAPI plug ins it is currently forcing developers to > switch to? I've mentioned to you repeatedly that no one uses the code signing

Re: Remediation Plan for WoSign and StartCom

On 22/10/2016 00:57, Jernej Simončič wrote: On Fri, 21 Oct 2016 10:03:46 -0700 (PDT), Han Yuwei wrote: I am also a StartCom's SSL & S/MIME certificate user. The only problem for me is that I must re-config nginx. S/MIME have a lot of alternatives for free. Code Signing may only works on

Re: Remediation Plan for WoSign and StartCom

Following on from my previous posting, I have found that Startcom are still issuing certificates past the 21st of October that should be subject to blocking in an upcoming version of Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=1311832 . I have therefore obtained such a certificate via my

Re: Remediation Plan for WoSign and StartCom

Samuel, I absolutely agree with what you're saying. That's why I suggested to Mozilla that it mandates WoSign/StartCom to disclose such information on its websites or otherwise inform their customers. Currently, new customers have no way to know until it's too late, i.e when Firefox releases

Re: Remediation Plan for WoSign and StartCom

I have been reading into this discussion for quite some time since my initial posting, and as a Startcom customer even I wholeheartedly agree with the measures being taken. I think I am one of the lucky ones, as I have got my set of certificates before the cut-off deadline and intend to look after

Re: Remediation Plan for WoSign and StartCom

Isn't that something you should take up with StartCom? Bottom line you payed them for your certificate, didn't you. Not Mozilla. Perhaps StartCom should have been a bit more careful so they could keep serving their customers. CU Hans ___

Re: Remediation Plan for WoSign and StartCom

在 2016年10月21日星期五 UTC+8下午6:48:21，marc@gmail.com写道： > Am Freitag, 21. Oktober 2016 03:59:08 UTC+2 schrieb Percy: > > Kathleen, > > As most users affected by this decision are Chinese, will you be able to > > make the blog post available in Chinese on the security blog as well? You > > can ask

Re: Remediation Plan for WoSign and StartCom

On Friday, 21 October 2016 11:48:21 UTC+1, marc@gmail.com wrote: > Just the opinion of a user who is securing services, websites and his mails > with certificates but is not capable of paying hundreds of Euros / Dollars > for achieving this goal every year. This is the "too big to fail"

Re: Remediation Plan for WoSign and StartCom

Am Freitag, 21. Oktober 2016 03:59:08 UTC+2 schrieb Percy: > Kathleen, > As most users affected by this decision are Chinese, will you be able to make > the blog post available in Chinese on the security blog as well? You can ask > the Chinese firefox community or me to translate. Hi, only the

Re: Remediation Plan for WoSign and StartCom

On Thursday, October 20, 2016 at 6:59:08 PM UTC-7, Percy wrote: > Kathleen, > As most users affected by this decision are Chinese, will you be able to make > the blog post available in Chinese on the security blog as well? You can ask > the Chinese firefox community or me to translate. > > As

Re: Remediation Plan for WoSign and StartCom

Kathleen, As most users affected by this decision are Chinese, will you be able to make the blog post available in Chinese on the security blog as well? You can ask the Chinese firefox community or me to translate. As I stated earlier, there are almost no news of the distrust of

Re: Remediation Plan for WoSign and StartCom

All, I have filed the following two bugs. WoSign Action Items: https://bugzilla.mozilla.org/show_bug.cgi?id=1311824 StartCom Action Items: https://bugzilla.mozilla.org/show_bug.cgi?id=1311832 I will work on a security blog that will probably get posted early next week. It will point to these

Re: Remediation Plan for WoSign and StartCom

On 19/10/16 15:13, okaphone.elektron...@gmail.com wrote: > Perhaps "haste" is not what you want here. How about "urgency"? I was using it in the sense of the English phrase "more haste, less speed": http://dictionary.cambridge.org/dictionary/english/more-haste-less-speed But yes, urgency is

Re: Remediation Plan for WoSign and StartCom

On Wednesday, October 19, 2016 at 3:13:50 PM UTC-7, okaphone.e...@gmail.com wrote: > Perhaps "haste" is not what you want here. How about "urgency"? > Yep. Changed in the wiki page. Thanks, Kathleen ___ dev-security-policy mailing list

Re: Remediation Plan for WoSign and StartCom

Perhaps "haste" is not what you want here. How about "urgency"? CU Hans ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy

Re: Remediation Plan for WoSign and StartCom

On Wednesday, October 19, 2016 at 11:50:55 AM UTC-7, Gervase Markham wrote: > > Today at the CAB Forum I outlined some of Mozilla's thinking on how we > rate the severity of incidents. It might be helpful to reproduce that > here. This is what I said: > Thanks, Gerv! I added that text to the

Re: Remediation Plan for WoSign and StartCom

On 19/10/16 11:35, longol...@gmail.com wrote: > Hey Kathleen, hey list, > > I really don't get why Mozilla is pushing so hard on the Chinese and > at the same time let others get away. For example the Comodo case > from today. Isn't that a much worse incident than what has happened > here.

Re: Remediation Plan for WoSign and StartCom

On Wednesday, October 19, 2016 at 12:58:49 AM UTC-7, Kurt Roeckx wrote: > I at least have some concerns about the current gossip draft and talked > a little to dkg about this. I should probably bring this up on the trans > list. > Please do, we would like to see this brought to closure soon

Re: Remediation Plan for WoSign and StartCom

On 19 October 2016 at 02:58, Kurt Roeckx wrote: > On 2016-10-19 01:37, Rob Stradling wrote: >> >> On 18/10/16 23:49, Gervase Markham wrote: >>> >>> On 18/10/16 15:42, Ryan Hurst wrote: I do not understand the desire to require StartCom / WoSign to not utilize their

Re: Remediation Plan for WoSign and StartCom

On 2016-10-19 01:37, Rob Stradling wrote: On 18/10/16 23:49, Gervase Markham wrote: On 18/10/16 15:42, Ryan Hurst wrote: I do not understand the desire to require StartCom / WoSign to not utilize their own logs as part of the associated quorum policy. My original logic was that it could be

Re: Remediation Plan for WoSign and StartCom

It is true, that without gossip, CT is dependent on browsers monitoring the log ecosystem, this is one reason why in the Chrome policy the one Google log is required. I would argue, with the monitoring Google does and the one Google log policy that this risk is mitigated sufficiently, even

Re: Remediation Plan for WoSign and StartCom

Kurt Roeckx wrote: > Since the previous audit wasn't one that covered a whole year, I > expect the new audit to start where the previous one stopped and > have it a year from that point. this might be more of a question for cabforum but why do audits have to be non-overlapping? i would think

Re: Remediation Plan for WoSign and StartCom

On Tue, 18 Oct 2016 15:49:26 -0700 Gervase Markham wrote: > On 18/10/16 15:42, Ryan Hurst wrote: > > I do not understand the desire to require StartCom / WoSign to not > > utilize their own logs as part of the associated quorum policy. > > My original logic was that it could

Re: Remediation Plan for WoSign and StartCom

On 18/10/16 23:49, Gervase Markham wrote: > On 18/10/16 15:42, Ryan Hurst wrote: >> I do not understand the desire to require StartCom / WoSign to not >> utilize their own logs as part of the associated quorum policy. > > My original logic was that it could be seen that the log owner is >

Re: Remediation Plan for WoSign and StartCom

On 18/10/16 16:04, Han Yuwei wrote: > For the CT support, is there any plan to implement it into effect in > Firefox? And if implemented, what would happen if server's > certificate don't have enough SCTs? The mechanism is being implemented. When it's closer to being implemented, there will be a

Re: Remediation Plan for WoSign and StartCom

在 2016年10月19日星期三 UTC+8上午6:42:18，Ryan Hurst写道： > All, > > I do not understand the desire to require StartCom / WoSign to not utilize > their own logs as part of the associated quorum policy. > > Certificate Transparency's idempotency is for not dependent on the practices > of the operator. By

Re: Remediation Plan for WoSign and StartCom

On 18/10/16 15:42, Ryan Hurst wrote: > I do not understand the desire to require StartCom / WoSign to not > utilize their own logs as part of the associated quorum policy. My original logic was that it could be seen that the log owner is trustworthy. However, you are right that CT does not

Re: Remediation Plan for WoSign and StartCom

On 18/10/16 14:33, Ryan Sleevi wrote: > I think there's some confusion there. CNNIC's audits "expire" on Feb > "29" 2017 (I say "29" because of ambiguity on "1 year"). That is, > within 3 months of Feb "29", 2017, CNNIC would be expected to provide > a new audit, which covers February 29, 2016

Re: Remediation Plan for WoSign and StartCom

All, I do not understand the desire to require StartCom / WoSign to not utilize their own logs as part of the associated quorum policy. Certificate Transparency's idempotency is for not dependent on the practices of the operator. By requiring the use of a third-party log (in this case

Re: Remediation Plan for WoSign and StartCom

On Tue, Oct 18, 2016 at 01:35:59PM -0700, Gervase Markham wrote: > On 18/10/16 12:46, Kurt Roeckx wrote: > > Are you saying you're expecting an audit report from November 2015 > > to November 2016, and so have the period from November to March > > covered twice? > > There seems to be a persistent

Re: Remediation Plan for WoSign and StartCom

On Tue, Oct 18, 2016 at 2:33 PM, Ryan Sleevi wrote: > > I think there's some confusion there. CNNIC's audits "expire" on Feb "29" > 2017 (I say "29" because of ambiguity on "1 year"). That is, within 3 months > of Feb "29", 2017, CNNIC would be expected to provide a new audit,

Re: Remediation Plan for WoSign and StartCom

On Tuesday, October 18, 2016 at 1:36:37 PM UTC-7, Gervase Markham wrote: > On 18/10/16 12:46, Kurt Roeckx wrote: > > Are you saying you're expecting an audit report from November 2015 > > to November 2016, and so have the period from November to March > > covered twice? > > There seems to be a

Re: Remediation Plan for WoSign and StartCom

On 18/10/16 12:46, Kurt Roeckx wrote: > Are you saying you're expecting an audit report from November 2015 > to November 2016, and so have the period from November to March > covered twice? There seems to be a persistent misunderstanding here. https://cert.webtrust.org/SealFile?seal=2092=pdf

Re: Remediation Plan for WoSign and StartCom

On Tue, Oct 18, 2016 at 10:02:00AM -0700, Gervase Markham wrote: > On 18/10/16 09:03, Kurt Roeckx wrote: > > You said the period was until February 29, 2016. I assume the next > > period starts on March 1, 2016 and is for 1 year. I don't expect it to > > from from March to November, it would be an

Re: Remediation Plan for WoSign and StartCom

On 18/10/16 06:02, Peter Bowen wrote: > I think making it clear which entries in certdata.txt have additional > constraints would be very helpful. Here's a start: https://wiki.mozilla.org/CA:Root_Store_Trust_Mods I believe the ANSSI root has now been removed and so CNNIC is the only one

Re: Remediation Plan for WoSign and StartCom

Measure with a micrometer, mark with chalk and cut with an axe... it's the best you can do. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy

Re: Remediation Plan for WoSign and StartCom

Hi Peter, On 18/10/16 06:02, Peter Bowen wrote: > I think making it clear which entries in certdata.txt have additional > constraints would be very helpful. Is it maybe possible to do so by > adding new attributes to the NSS_TRUST object instead of simply > putting it on a webpage? That way it

Re: Remediation Plan for WoSign and StartCom

On 18/10/16 09:03, Kurt Roeckx wrote: > You said the period was until February 29, 2016. I assume the next > period starts on March 1, 2016 and is for 1 year. I don't expect it to > from from March to November, it would be an 8 month period. Surely if audits last one year, one would be auditing

Re: Remediation Plan for WoSign and StartCom

On 2016-10-18 17:26, Gervase Markham wrote: On 18/10/16 07:17, Kurt Roeckx wrote: On 2016-10-18 14:51, Gervase Markham wrote: The audit report CNNIC has submitted covers the period from November 2, 2015 to February 29, 2016. Therefore, we would expect them to be starting the process of

Re: Remediation Plan for WoSign and StartCom

在 2016年10月18日星期二 UTC+8下午10:38:07，Inigo Barreira写道： > Hi all, > > > I´ve been reading some emails that need clarification form both sides. > > Firstly I´d like to remind, if I´m not wrong, that Kathleen proposed an > action plan for distrusting StartCom, which has been taken as the final >

Re: Remediation Plan for WoSign and StartCom

Hi Inigo, On 18/10/16 07:34, Inigo Barreira wrote: > So, regarding the situation of StartCom I think that some people has > lost what happened and it´s considering Wosign and Startcom the same. Kathleen may also respond, but my understanding is that (based on her consideration of the arguments

Re: Remediation Plan for WoSign and StartCom

On 18/10/16 07:17, Kurt Roeckx wrote: > On 2016-10-18 14:51, Gervase Markham wrote: >> >> The audit report CNNIC has submitted covers the period from November 2, >> 2015 to February 29, 2016. Therefore, we would expect them to be >> starting the process of getting another yearly audit in about 2

Re: Remediation Plan for WoSign and StartCom

Hi all, I´ve been reading some emails that need clarification form both sides. Firstly I´d like to remind, if I´m not wrong, that Kathleen proposed an action plan for distrusting StartCom, which has been taken as the final decission, but with a small option to regain the trust for StartCom

Re: Remediation Plan for WoSign and StartCom

On 2016-10-18 14:51, Gervase Markham wrote: The audit report CNNIC has submitted covers the period from November 2, 2015 to February 29, 2016. Therefore, we would expect them to be starting the process of getting another yearly audit in about 2 weeks anyway, although it won't be done until next

Re: Remediation Plan for WoSign and StartCom

On 17/10/16 16:26, Kathleen Wilson wrote: > ones who use NSS validation. I’m not sure what we can do about other > consumers of the NSS root store, other than publish what we are doing > and hope those folks read the news and update their version of their > root store as they see appropriate for

Re: Remediation Plan for WoSign and StartCom

Hi Ryan, Kathleen has responded, but here are my two cents: On 14/10/16 13:21, Ryan Sleevi wrote: > It seems to accomplish this, you're willing to continue to trust that > WoSign will not demonstrate any of the past behaviours it already > demonstrated - such as backdating and misissuance, but

Re: Remediation Plan for WoSign and StartCom

On Tuesday, 18 October 2016 00:27:09 UTC+1, Kathleen Wilson wrote: > I’m not sure what I could reasonably require (and enforce) of the CA in > regards to communicating with their customers. As I understand it QiHoo 360 says they intend to co-operate in order to eventually get the new StartCom

Re: Remediation Plan for WoSign and StartCom

> I’m not sure what I could reasonably require (and enforce) of the CA in > regards to communicating with their customers. > I recall that my security blog about CNNIC got censored in China, so I'm not > sure what Mozilla can do about informing the CA's customers of this pending >

Re: Remediation Plan for WoSign and StartCom

Oh, I read too quickly and saw it as a list of certificates whose expiration dates were within each month. In retrospect, that was not the most likely way the numbers would be distributed -- apologies for causing confusion. On Sat, Oct 15, 2016 at 6:20 PM, Kurt Roeckx wrote: >

Re: Remediation Plan for WoSign and StartCom

On Sat, Oct 15, 2016 at 06:07:50PM -0400, Eric Mill wrote: > For the convenience of the thread -- assuming that a 1-year-oriented policy > covered the certs up to and including those listed as 2017-10-01, then > summing up Kurt's numbers: > > * Certs expiring by Oct 2017: 2,088,329 > * Certs

Re: Remediation Plan for WoSign and StartCom

For the convenience of the thread -- assuming that a 1-year-oriented policy covered the certs up to and including those listed as 2017-10-01, then summing up Kurt's numbers: * Certs expiring by Oct 2017: 2,088,329 * Certs expiring after Oct 2017: 1,419,593 On Sat, Oct 15, 2016 at 4:28 AM, Kurt

Re: Remediation Plan for WoSign and StartCom

On Fri, Oct 14, 2016 at 11:23:55PM +0200, Hanno Böck wrote: > On Fri, 14 Oct 2016 13:21:32 -0700 (PDT) > Ryan Sleevi wrote: > > > In particular, I'm hoping to expand upon the choice to allow existing > > certs to continue to be accepted and to not remove the affected roots > >

Re: Remediation Plan for WoSign and StartCom

On Friday, October 14, 2016 at 2:24:37 PM UTC-7, Hanno Böck wrote: > From my understanding the problem here is that the alternative of simply > whitelisting the existing certificates isn't feasible, because there > are too many of them. Well, there's a spectrum, right? That's been discussed on

Re: Remediation Plan for WoSign and StartCom

On Fri, 14 Oct 2016 13:21:32 -0700 (PDT) Ryan Sleevi wrote: > In particular, I'm hoping to expand upon the choice to allow existing > certs to continue to be accepted and to not remove the affected roots > until 2019. Hi, From my understanding the problem here is that the

Re: Remediation Plan for WoSign and StartCom

On Thursday, October 13, 2016 at 9:50:02 AM UTC-7, Kathleen Wilson wrote: > 1) Distrust certificates chaining up to Affected Roots with a notBefore date > after October 21, 2016. If additional back-dating is discovered (by any > means) to circumvent this control, then Mozilla will immediately

Re: Remediation Plan for WoSign and StartCom

On Wednesday, October 12, 2016 at 8:12:29 PM UTC-7, Percy wrote: > WoSign has so far announced nothing about those incidents or immediate > distrust (Apple and Mozilla) to its end users. On the contrary, WoSign had a > press release dated Oct 8th >

Re: Remediation Plan for WoSign and StartCom

On 14/10/16 15:46, Gervase Markham wrote: > On 14/10/16 11:37, Rob Stradling wrote: >> Sure, but aren't we talking about specifying criteria for which log(s) >> StartCom/WoSign _can't_ use in future? >> >> If Mozilla would prefer to forbid StartCom/WoSign from using their own >> or each other's

Re: Remediation Plan for WoSign and StartCom

On 14/10/16 11:37, Rob Stradling wrote: > Sure, but aren't we talking about specifying criteria for which log(s) > StartCom/WoSign _can't_ use in future? > > If Mozilla would prefer to forbid StartCom/WoSign from using their own > or each other's logs, then ISTM that it would be best to specify >

Re: Remediation Plan for WoSign and StartCom

99% uptime sounds good but it allows being down for three and half days in a year. It's not actually a very high availabillity. ;-) CU Hans ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org

Re: Remediation Plan for WoSign and StartCom

On 14/10/16 10:50, Gervase Markham wrote: > On 14/10/16 10:41, Rob Stradling wrote: >> Gerv, does Mozilla need to make a final decision on this point immediately? >> >> I very much hope that there will be more CT logs by the time StartCom >> and/or WoSign are readmitted into Mozilla's trust list.

Re: Remediation Plan for WoSign and StartCom

On 13/10/16 23:42, Nick Lamb wrote: > Please can Mozilla ensure that both EY Hong Kong and the overarching > parent organisation in the United Kingdom (in Southwark) are informed > of this ban and get a copy of Mozilla's findings if they haven't > already ? This is a good idea; I will try and

Re: Remediation Plan for WoSign and StartCom

On 14/10/16 10:41, Rob Stradling wrote: > Gerv, does Mozilla need to make a final decision on this point immediately? > > I very much hope that there will be more CT logs by the time StartCom > and/or WoSign are readmitted into Mozilla's trust list. Why not delay > making this decision until

Re: Remediation Plan for WoSign and StartCom

On 13/10/16 20:52, Gervase Markham wrote: > StartCom/WoSign have indicated ro me that they may have trouble > complying with the non-Google log requirement because it's hard to find > a non-Google log which can scale sufficiently. I suggest we allow them > some leeway on this but they need to

Re: Remediation Plan for WoSign and StartCom

On 2016-10-14 10:19, Nick Lamb wrote: On Friday, 14 October 2016 02:21:36 UTC+1, Matt Palmer wrote: Will there be any requirements around the qualification status of the logs, or could anyone who wanted to be "nice" just stand up a log, and have these CAs obtain precerts from them? I don't

Re: Remediation Plan for WoSign and StartCom

On 2016-10-14 03:20, Matt Palmer wrote: On Thu, Oct 13, 2016 at 09:49:50AM -0700, Kathleen Wilson wrote: 5. 100% embedded CT for all issued certificates, with embedded SCTs from at least one Google and one non-Google log not controlled by the CA. Will there be any requirements around the

Re: Remediation Plan for WoSign and StartCom

On Friday, 14 October 2016 02:21:36 UTC+1, Matt Palmer wrote: > Will there be any requirements around the qualification status of the logs, > or could anyone who wanted to be "nice" just stand up a log, and have these > CAs obtain precerts from them? I don't think Mozilla has declared any

Re: Remediation Plan for WoSign and StartCom

On Friday, October 14, 2016 at 9:47:24 AM UTC+11, Percy wrote: > > Others have noted the mismatch here with an October 1 date elsewhere in > > the document. I think we should pick a single date in the future, to > > allow the CAs concerned to wind down operations without leaving > > customers

Re: Remediation Plan for WoSign and StartCom

On Thu, Oct 13, 2016 at 09:49:50AM -0700, Kathleen Wilson wrote: > 5. 100% embedded CT for all issued certificates, with embedded SCTs from > at least one Google and one non-Google log not controlled by the CA. Will there be any requirements around the qualification status of the logs, or could

Re: Remediation Plan for WoSign and StartCom

> Others have noted the mismatch here with an October 1 date elsewhere in > the document. I think we should pick a single date in the future, to > allow the CAs concerned to wind down operations without leaving > customers having just obtained certs which will stop working in a few > months.

Re: Remediation Plan for WoSign and StartCom

On Thursday, 13 October 2016 20:52:54 UTC+1, Gervase Markham wrote: > To be clear, this is a permanent ban, applicable worldwide, but only to > the Hong Kong branch of E (If further issues are found with E > audits elsewhere, then we might consider something with wider scope.) Please can Mozilla

Re: Remediation Plan for WoSign and StartCom

On 13/10/16 17:49, Kathleen Wilson wrote: > Thanks again to all of you who have put in so much time and effort to > determine what happened with WoSign and StartCom and discuss what to > do about it. You are welcome. As people will have read, the current decision at Mozilla is to treat the

Re: Remediation Plan for WoSign and StartCom

On Thursday, October 13, 2016 at 10:39:05 AM UTC-7, Han Yuwei wrote: > > Is this the final decision or still pending? Please consider this the draft of my decision. We are actively working on the Mozilla action items, but this plan is still open for discussion. Thanks, Kathleen

Re: Remediation Plan for WoSign and StartCom

在 2016年10月14日星期五 UTC+8上午12:50:02，Kathleen Wilson写道： > All, > > Thanks again to all of you who have put in so much time and effort to > determine what happened with WoSign and StartCom and discuss what to do about > it. > > Based on the information that I have seen regarding WoSign, I believe

Re: Remediation Plan for WoSign and StartCom

On Thursday, October 13, 2016 at 10:17:28 AM UTC-7, Jonathan Rudenberg wrote: > Can you clarify if the notBefore cutoff is October 1, 2016, and > not October 21, 2016? There are two conflicting dates in the listed actions. My thinking is that we would distrust certs issued after next week (Oct

Re: Remediation Plan for WoSign and StartCom

On Oct 13, 2016, at 12:49, Kathleen Wilson wrote: > > 1) Distrust certificates chaining up to Affected Roots with a notBefore date > after October 21, 2016. If additional back-dating is discovered (by any > means) to circumvent this control, then Mozilla will immediately

Remediation Plan for WoSign and StartCom

All, Thanks again to all of you who have put in so much time and effort to determine what happened with WoSign and StartCom and discuss what to do about it. Based on the information that I have seen regarding WoSign, I believe that WoSign intentionally bent the rules in order to continue