Re: Grace Period for Sub-CA Disclosure

2017-03-30 Thread Gervase Markham via dev-security-policy
On 28/03/17 12:21, Rob Stradling wrote:
> Increased attack surface. An undisclosed dormant sub-CA most likely has its private key in an online HSM, and so I think it's prudent to assume that it's more vulnerable (to being compromised by an attacker, or to being accidentally used to misissue

Re: Grace Period for Sub-CA Disclosure

2017-03-30 Thread Rob Stradling via dev-security-policy
On 30/03/17 13:11, Gervase Markham via dev-security-policy wrote: On 28/03/17 12:21, Rob Stradling wrote: Increased attack surface. An undisclosed dormant sub-CA most likely has its private key in an online HSM, and so I think it's prudent to assume that it's more vulnerable (to being

Re: Criticism of Google Re: Google Trust Services roots

2017-03-30 Thread Peter Kurrasch via dev-security-policy
By "not new", are you referring to Google being the second(?) instance where a company has purchased an individual root cert from another company? It's fair enough to say that Google isn't the first but I'm not aware of any commentary or airing of opposing viewpoints as to the suitability of

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2017-03-30 Thread Patrick Tronnier via dev-security-policy
On Sunday, March 26, 2017 at 11:48:43 PM UTC-4, wangs...@gmail.com wrote:
> We compiled an analysis document on our CP/CPS’s Compliance with the BRs for everyone to review and comment. You can find the document at the following address of the
>

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-30 Thread Hector Martin via dev-security-policy
On 2017-03-30 23:30, Alex Gaynor via dev-security-policy wrote:
>>> 1. HTTP
>>> 2. "I explicitly asked for security and didn't get it" (HTTPS with no validation)
>>> 3. HTTPS
>
> You're not wrong that (2) is better than (1). It's also indistinguishable from a downgrade attack from (3).

But

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-30 Thread Nick Lamb via dev-security-policy
Doesn't Chrome's behaviour already "penalise" plaintext HTTP? You can't build a login form, or use shiny new features. We aren't where we'd ideally be, everybody is agreed about that. That's not the same thing as agreeing our direction of travel is wrong. I am far from home reduced to using

Automated email reminders about intermediate certs missing audit or CP/CPS

2017-03-30 Thread Kathleen Wilson via dev-security-policy
All, Within the next few days, we plan to start sending automated email reminders to CAs about their intermediate cert records in the Common CA Database that are missing audit or CP/CPS information. The email template is here:

Re: Criticism of Google Re: Google Trust Services roots

2017-03-30 Thread Gervase Markham via dev-security-policy
On 29/03/17 20:42, Jakob Bohm wrote:
> That goal would be equally (in fact better) served by new market entrants getting cross-signed by incumbents, like Let's Encrypt did.

Google will be issuing from Google-branded intermediates under the ex-GlobalSign roots. So the chains would be basically

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-30 Thread okaphone.elektronika--- via dev-security-policy
Right. It is then. It says private keys can only be stored with permission of the subscriber and encryption must always be used to transfer them. And of course the certificate must be revoked if/when it becomes known that a private key has gotten to the wrong person. Well... NOT my private

Re: Automated email reminders about intermediate certs missing audit or CP/CPS

2017-03-30 Thread Kathleen Wilson via dev-security-policy
On Thursday, March 30, 2017 at 10:35:37 AM UTC-7, Kathleen Wilson wrote:
> Within the next few days, we plan to start sending automated email reminders to CAs about their intermediate cert records in the Common CA Database that are missing audit or CP/CPS information.
>
> The email template

RE: Criticism of Google Re: Google Trust Services roots

2017-03-30 Thread Richard Wang via dev-security-policy
To be transparent, WoSign is NOT "acquiring the HARICA root"; we have NEVER contacted HARICA, and we don't think our brand is "tarnishing". We are working hard to try to regain the trust and confidence of this community. Best Regards, Richard -Original Message- From: