Re: SSL Certs for Malicious Websites

2016-05-16 Thread Kathleen Wilson
> > This discussion should consider what's best for Mozilla's users. Perhaps > > that aligns precisely with the minimum requirements in the EVGs, or perhaps > > it doesn't. Mozilla are free to specify additional requirements if they > > feel the need to do so, just as Microsoft did recently... >

Re: SSL Certs for Malicious Websites

2016-05-16 Thread Peter Bowen
On Mon, May 16, 2016 at 6:06 AM, Rob Stradling wrote: > On 16/05/16 01:43, Peter Bowen wrote: > > This discussion should consider what's best for Mozilla's users. Perhaps > that aligns precisely with the minimum requirements in the EVGs, or perhaps > it doesn't. Mozilla

Re: SSL Certs for Malicious Websites

2016-05-16 Thread Gervase Markham
On 16/05/16 01:13, Kathleen Wilson wrote: > 3) If a website is using its SSL certificate to mask injection of malware and > evidence of that is presented to the issuing CA, is that sufficient misuse > for the CA to be required to revoke the certificate? Counter-question to many of these: who

RE: SSL Certs for Malicious Websites

2016-05-16 Thread Ben Wilson
Gerv wrote, "Counter-question to many of these: who defines what is malware, and who made them king?" The contract that the CA enters into with the subscriber should have done that. Subscriber Agreements should have language in them that says something to the effect, "We can revoke your

Re: CSV Format of CA Program reports

2016-05-16 Thread Kathleen Wilson
The new reports are at the following new links. A couple columns were added: 'Parent Name', 'SHA-256 Fingerprint'. https://mozillacaprogram.secure.force.com/CA/PublicAllIntermediateCerts https://mozillacaprogram.secure.force.com/CA/PublicAllIntermediateCertsCSV I have also updated the links in

Re: Disclosure of intermediates that chain to multiple roots

2016-05-16 Thread Rob Stradling
On 13/05/16 22:09, Richard Barnes wrote: Thanks for explaining the specifics, Rob. To restate and check my understanding, this is a "Y-shaped" scenario, with the following CAs (by CN): (1) AddTrust External CA Root (included, owned by Comodo) (2) UTN-USERFirst-Hardware (included, owned by

Re: SSL Certs for Malicious Websites

2016-05-16 Thread Rob Stradling
On 16/05/16 17:20, Kathleen Wilson wrote: This discussion should consider what's best for Mozilla's users. Perhaps that aligns precisely with the minimum requirements in the EVGs, or perhaps it doesn't. Mozilla are free to specify additional requirements if they feel the need to do so, just as

Re: SSL Certs for Malicious Websites

2016-05-16 Thread Matt Palmer
On Mon, May 16, 2016 at 09:20:40AM -0700, Kathleen Wilson wrote: > In regards to Mozilla policy, maybe we should consider adding text about > Mozilla's expectations for CAs when they find out that a TLS/SSL > certificate that they issued is being used to do bad things. Mozilla should expect that

Re: CSV Format of CA Program reports

2016-05-16 Thread Rob Stradling
Thanks Kathleen. PublicAllIntermediateCertsCSV is missing quite a few entries compared to my own CSV export of the "All Public Intermediate Certs" report. I've reviewed the differences. It looks like you're now omitting incomplete records and records for intermediates that didn't actually

Re: CSV Format of CA Program reports

2016-05-16 Thread Kathleen Wilson
On Monday, May 16, 2016 at 11:27:21 AM UTC-7, Kathleen Wilson wrote: > The new reports are at the following new links. A couple columns were added: > 'Parent Name', 'SHA-256 Fingerprint'. > > https://mozillacaprogram.secure.force.com/CA/PublicAllIntermediateCerts >

Re: SSL Certs for Malicious Websites

2016-05-16 Thread Matt Palmer
On Mon, May 16, 2016 at 02:22:08PM +0200, Richard Z wrote: > On Sun, May 15, 2016 at 05:43:39PM -0700, Peter Bowen wrote: > > > Some CAs may choose to not issue to sites known to inject malware, but > > this outside the scope of the SSL requirements. The EV Guidelines it > > very clear that the

Re: SSL Certs for Malicious Websites

2016-05-16 Thread Kurt Roeckx
On Sun, May 15, 2016 at 05:43:39PM -0700, Peter Bowen wrote: > "By providing more reliable third-party verified identity and address > information regarding the business, EV Certificates may help to [...] > Assist law enforcement organizations in their investigations of > phishing and other online

Re: SSL Certs for Malicious Websites

2016-05-16 Thread Rob Stradling
On 16/05/16 01:43, Peter Bowen wrote: Some CAs may choose to not issue to sites known to inject malware, but this outside the scope of the SSL requirements. The EV Guidelines it very clear that the reputation and actions of the Subject are not in scope: Peter, I'd just like to point out that

RE: SSL Certs for Malicious Websites

2016-05-16 Thread Peter Gutmann
Matt Palmer writes: >On Mon, May 16, 2016 at 02:22:08PM +0200, Richard Z wrote: >> knowingly issuing/tolerating certificates for sites known to inject >> malware is >> * contrary to user expectaions > >[Citation needed] So you're saying users expect CAs to certify malware

Re: SSL Certs for Malicious Websites

2016-05-16 Thread Richard Z
On Sun, May 15, 2016 at 05:43:39PM -0700, Peter Bowen wrote: > Some CAs may choose to not issue to sites known to inject malware, but > this outside the scope of the SSL requirements. The EV Guidelines it > very clear that the reputation and actions of the Subject are not in > scope: knowingly