Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread Hanno Böck
On Fri, 14 Oct 2016 13:21:32 -0700 (PDT) Ryan Sleevi wrote: > In particular, I'm hoping to expand upon the choice to allow existing > certs to continue to be accepted and to not remove the affected roots > until 2019. Hi, From my understanding the problem here is that the

Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread Ryan Sleevi
On Friday, October 14, 2016 at 2:24:37 PM UTC-7, Hanno Böck wrote: > From my understanding the problem here is that the alternative of simply > whitelisting the existing certificates isn't feasible, because there > are too many of them. Well, there's a spectrum, right? That's been discussed on

Re: StartCom & Qihoo Incidents

2016-10-14 Thread Eddy Nigg
On 10/14/2016 01:00 PM, Gervase Markham wrote: K) StartCom impersonating mozilla.com. https://bugzilla.mozilla.org/show_bug.cgi?id=471702 StartCom's (former) CEO Eddy Nigg obtained a key and certificate for www.mozilla.com and placed it on an Internet-facing server. I do consider it a

Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread Ryan Sleevi
On Thursday, October 13, 2016 at 9:50:02 AM UTC-7, Kathleen Wilson wrote: > 1) Distrust certificates chaining up to Affected Roots with a notBefore date > after October 21, 2016. If additional back-dating is discovered (by any > means) to circumvent this control, then Mozilla will immediately

Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread bigiain
On Friday, October 14, 2016 at 9:47:24 AM UTC+11, Percy wrote: > > Others have noted the mismatch here with an October 1 date elsewhere in > > the document. I think we should pick a single date in the future, to > > allow the CAs concerned to wind down operations without leaving > > customers

Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread Kurt Roeckx
On 2016-10-14 10:19, Nick Lamb wrote: On Friday, 14 October 2016 02:21:36 UTC+1, Matt Palmer wrote: Will there be any requirements around the qualification status of the logs, or could anyone who wanted to be "nice" just stand up a log, and have these CAs obtain precerts from them? I don't

Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread Gervase Markham
On 14/10/16 10:41, Rob Stradling wrote: > Gerv, does Mozilla need to make a final decision on this point immediately? > > I very much hope that there will be more CT logs by the time StartCom > and/or WoSign are readmitted into Mozilla's trust list. Why not delay > making this decision until

Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread Kurt Roeckx
On 2016-10-14 03:20, Matt Palmer wrote: On Thu, Oct 13, 2016 at 09:49:50AM -0700, Kathleen Wilson wrote: 5. 100% embedded CT for all issued certificates, with embedded SCTs from at least one Google and one non-Google log not controlled by the CA. Will there be any requirements around the

Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread Nick Lamb
On Friday, 14 October 2016 02:21:36 UTC+1, Matt Palmer wrote: > Will there be any requirements around the qualification status of the logs, > or could anyone who wanted to be "nice" just stand up a log, and have these > CAs obtain precerts from them? I don't think Mozilla has declared any

Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread Rob Stradling
On 13/10/16 20:52, Gervase Markham wrote: > StartCom/WoSign have indicated ro me that they may have trouble > complying with the non-Google log requirement because it's hard to find > a non-Google log which can scale sufficiently. I suggest we allow them > some leeway on this but they need to

StartCom remediation plan

2016-10-14 Thread Inigo Barreira
All, In this link, https://www.startssl.com/report/StartCom_Remediation_Plan_14102016.pdf, you´ll find the detailed remediation plan for StartCom as was notified last week. It took us some time to have all the people needed for these tasks and clarify the dates for fixing all the possible

Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread Rob Stradling
On 14/10/16 10:50, Gervase Markham wrote: > On 14/10/16 10:41, Rob Stradling wrote: >> Gerv, does Mozilla need to make a final decision on this point immediately? >> >> I very much hope that there will be more CT logs by the time StartCom >> and/or WoSign are readmitted into Mozilla's trust list.

Re: StartCom & Qihoo Incidents

2016-10-14 Thread Gervase Markham
On 12/10/16 20:11, Ryan Sleevi wrote: > As Gerv suggested this was the official call for incidents with > respect to StartCom, it seems appropriate to start a new thread. There are indeed more of these than I remember or knew about. Perhaps it would have been sensible to start a StartCom issues

StartCom remediation plan

2016-10-14 Thread Inigo Barreira
All, In this link, https://www.startssl.com/report/StartCom_Remediation_Plan_14102016.pdf, you´ll find the detailed remediation plan for StartCom as was notified last week. It took us some time to have all the people needed for these tasks and clarify the dates for fixing all the possible

Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread Gervase Markham
On 13/10/16 23:42, Nick Lamb wrote: > Please can Mozilla ensure that both EY Hong Kong and the overarching > parent organisation in the United Kingdom (in Southwark) are informed > of this ban and get a copy of Mozilla's findings if they haven't > already ? This is a good idea; I will try and

Re: StartCom & Qihoo Incidents

2016-10-14 Thread Peter Bowen
On Fri, Oct 14, 2016 at 3:44 PM, Peter Gutmann wrote: > Ryan Sleevi writes: > >>What is the goal of the root program? Should there be a higher bar for >>removing CAs than adding them? Does trust increase or decrease over time? > > Another thing I'd

Re: StartCom & Qihoo Incidents

2016-10-14 Thread Peter Gutmann
Peter Bowen writes: >The CA/Browser Forum is not a regulatory body. They publish guidelines but >do not set requirements nor regulate compliance. It's a bit hard to describe its actual functioning, in theory they just advise, but then so does ISO, IEEE, and others. They're

Re: StartCom & Qihoo Incidents

2016-10-14 Thread Peter Bowen
On Fri, Oct 14, 2016 at 4:32 PM, Peter Gutmann wrote: > Peter Bowen writes: > >>The CA/Browser Forum is not a regulatory body. They publish guidelines but >>do not set requirements nor regulate compliance. > > It's a bit hard to describe its actual

Re: StartCom & Qihoo Incidents

2016-10-14 Thread Erwann Abalea
Le samedi 15 octobre 2016 01:33:05 UTC+2, Peter Gutmann a écrit : > Peter Bowen writes: > > >The CA/Browser Forum is not a regulatory body. They publish guidelines but > >do not set requirements nor regulate compliance. > > It's a bit hard to describe its actual functioning,

Re: StartCom & Qihoo Incidents

2016-10-14 Thread Ryan Sleevi
On Friday, October 14, 2016 at 3:44:50 PM UTC-7, Peter Gutmann wrote: > Another thing I'd like to bring up is the absolute silence of the CAB forum > over all this. It has not been. > Apple have quietly unilaterally distrusted, Mozilla have > debated at length (three months now) and are taking

Re: StartCom & Qihoo Incidents

2016-10-14 Thread Peter Gutmann
Ryan Sleevi writes: >On Friday, October 14, 2016 at 3:44:50 PM UTC-7, Peter Gutmann wrote: >> Another thing I'd like to bring up is the absolute silence of the CAB forum >> over all this. > >It has not been. I haven't heard anything from them. If they've made any statements,

StartCom remediation plan

2016-10-14 Thread Inigo Barreira
All, In this link, https://www.startssl.com/report/StartCom_Remediation_Plan_14102016.pdf, you´ll find the detailed remediation plan for StartCom as was notified last week. It took us some time to have all the people needed for these tasks and clarify the dates for fixing all the

Re: StartCom remediation plan

2016-10-14 Thread 谭晓生
Dear Gerv, We’ll rewrite all the code with different programing language or buy 3rd party components (for example: PKI), Wosign team using .Net, but my team never use .Net, they are good at C/C++ and PHP, Python. Thanks, Xiaosheng Tan 在 2016/10/14 下午11:01,“dev-security-policy 代表 Gervase

Re: StartCom remediation plan

2016-10-14 Thread Christian Felsing
Am 14.10.2016 um 17:25 schrieb Han Yuwei: > There's no any open-source solution? Maybe Mozilla could build one? Hi, maybe EJBCA (https://www.ejbca.org/) could be a solution for your problem. Christian ___ dev-security-policy mailing list

Re: StartCom remediation plan

2016-10-14 Thread Gervase Markham
Hi Xiaosheng, On 14/10/16 16:06, 谭晓生 wrote: > We’ll rewrite all the code with different programing language or buy > 3rd party components (for example: PKI), Wosign team using .Net, but > my team never use .Net, they are good at C/C++ and PHP, Python. It would be great to be clear about what the

Re: StartCom remediation plan

2016-10-14 Thread Han Yuwei
在 2016年10月14日星期五 UTC+8下午11:23:10,Gervase Markham写道: > Hi Xiaosheng, > > On 14/10/16 16:06, 谭晓生 wrote: > > We’ll rewrite all the code with different programing language or buy > > 3rd party components (for example: PKI), Wosign team using .Net, but > > my team never use .Net, they are good at

Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread Rob Stradling
On 14/10/16 15:46, Gervase Markham wrote: > On 14/10/16 11:37, Rob Stradling wrote: >> Sure, but aren't we talking about specifying criteria for which log(s) >> StartCom/WoSign _can't_ use in future? >> >> If Mozilla would prefer to forbid StartCom/WoSign from using their own >> or each other's

Re: StartCom remediation plan

2016-10-14 Thread Gervase Markham
Hi Inigo, On 14/10/16 09:16, Inigo Barreira wrote: > In this link, > https://www.startssl.com/report/StartCom_Remediation_Plan_14102016.pdf, > you´ll find the detailed remediation plan for StartCom as was notified last > week. Thanks for this. Is this a correct summary of the situation as

Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread Gervase Markham
On 14/10/16 11:37, Rob Stradling wrote: > Sure, but aren't we talking about specifying criteria for which log(s) > StartCom/WoSign _can't_ use in future? > > If Mozilla would prefer to forbid StartCom/WoSign from using their own > or each other's logs, then ISTM that it would be best to specify >

Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread Gervase Markham
On 14/10/16 15:46, Gervase Markham wrote: > I think the rule we are putting in place is that: "StartCom/WoSign > SHOULD NOT fulfil the non-Google log requirement by using logs that they > run themselves. For as long as they do so, they will need to demonstrate > ongoing evidence of efforts to get

Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread Erwann Abalea
Bonsoir, Le vendredi 14 octobre 2016 22:21:44 UTC+2, Ryan Sleevi a écrit : > On Thursday, October 13, 2016 at 9:50:02 AM UTC-7, Kathleen Wilson wrote: > > 1) Distrust certificates chaining up to Affected Roots with a notBefore > > date after October 21, 2016. If additional back-dating is

Re: StartCom & Qihoo Incidents

2016-10-14 Thread Peter Gutmann
Ryan Sleevi writes: >What is the goal of the root program? Should there be a higher bar for >removing CAs than adding them? Does trust increase or decrease over time? Another thing I'd like to bring up is the absolute silence of the CAB forum over all this. Apple have quietly

Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread Percy
On Wednesday, October 12, 2016 at 8:12:29 PM UTC-7, Percy wrote: > WoSign has so far announced nothing about those incidents or immediate > distrust (Apple and Mozilla) to its end users. On the contrary, WoSign had a > press release dated Oct 8th >

Re: StartCom & Qihoo Incidents

2016-10-14 Thread Ryan Sleevi
On Friday, October 14, 2016 at 3:01:16 AM UTC-7, Gervase Markham wrote: > There are indeed more of these than I remember or knew about. Perhaps it > would have been sensible to start a StartCom issues list earlier. In my > defence, investigating one CA takes up a lot of time on its own, let >

Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread okaphone . elektronika
99% uptime sounds good but it allows being down for three and half days in a year. It's not actually a very high availabillity. ;-) CU Hans ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org