Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2017-03-31 Thread wangsn1206--- via dev-security-policy
在 2017年3月30日星期四 UTC+8下午10:34:00,Patrick Tronnier写道: > On Sunday, March 26, 2017 at 11:48:43 PM UTC-4, wangs...@gmail.com wrote: > > We compiled an analysis document on our CP/CPS’s Compliance with the BRs > > for everyone to review and comment. You can find the document at the > > following

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2017-03-31 Thread wangsn1206--- via dev-security-policy
在 2017年3月30日星期四 UTC+8下午10:34:00,Patrick Tronnier写道: > On Sunday, March 26, 2017 at 11:48:43 PM UTC-4, wangs...@gmail.com wrote: > > We compiled an analysis document on our CP/CPS’s Compliance with the BRs > > for everyone to review and comment. You can find the document at the > > following

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-31 Thread Jakob Bohm via dev-security-policy
On 31/03/2017 19:31, tarah.syman...@gmail.com wrote: On Friday, March 31, 2017 at 9:51:03 AM UTC-7, Jakob Bohm wrote: Dear Tarah, Below some friendly speculation as to what the parts that some bloggers claimed was included (if those claims were somehow true) might have been (i.e. where *you*

Re: Criticism of Google Re: Google Trust Services roots

2017-03-31 Thread Gervase Markham via dev-security-policy
On 31/03/17 17:39, Peter Bowen wrote: >>> For example, how frequently should roots >>> be allowed to change hands? What would Mozilla's response be if >>> GalaxyTrust (an operator not in the program) >>> were to say that they are acquiring the HARICA root? >> >> From the above URL: "In addition,

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-31 Thread tarah.symantec--- via dev-security-policy
On Friday, March 31, 2017 at 9:51:03 AM UTC-7, Jakob Bohm wrote: > Dear Tarah, > > Below some friendly speculation as to what the parts that some bloggers > claimed was included (if those claims were somehow true) might have > been (i.e. where *you* might look for it in internal Symantec >

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-31 Thread tarah.symantec--- via dev-security-policy
> Yep, but there must have been an API (at some level) for generating or > processing the QuickInvite URL. That was what I was suggesting might > have been the issue. So, it's hard for me to answer this question because I didn't see any POC, but 1) it's not physically possible for private keys

Symantec Issues List

2017-03-31 Thread Gervase Markham via dev-security-policy
As we continue to consider how best to react to the most recent incident involving Symantec, and given that there is a question of whether it is part of a pattern of behaviour, it seemed best to produce an issues list as we did with WoSign. This means Symantec has proper opportunity to respond to

Re: Criticism of Google Re: Google Trust Services roots

2017-03-31 Thread Jakob Bohm via dev-security-policy
On 30/03/2017 08:08, Gervase Markham wrote: On 29/03/17 20:42, Jakob Bohm wrote: That goal would be equally (in fact better) served by new market entrants getting cross-signed by incumbents, like Let's encrypt did. Google will be issuing from Google-branded intermediates under the

Re: Criticism of Google Re: Google Trust Services roots

2017-03-31 Thread Peter Kurrasch via dev-security-policy
The revised example is not entirely what I had in mind (more on that in a minute) but as written now is mostly OK by me. I do have a question as to whether the public discussion as mentioned must take place before the actual transfer? In other words, will Mozilla require that whatever entity is

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-31 Thread Vincent Lynch via dev-security-policy
> > Finally, what have you actually done to address EV revocation? You clearly > didn't bother to tell Commonwealth Bank: > > https://www.commbank.com.au/ > > One of the largest banks in Australia that their EV status would evaporate > in Chrome. So what did you do to inform your customers about

Re: Next CA Communication

2017-03-31 Thread Kathleen Wilson via dev-security-policy
I have moved the draft of the April 2017 CA Communication to production, so the link has changed to: https://mozillacaprogram.secure.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a05o03WrzBC It is also available here:

Re: Symantec Issues List

2017-03-31 Thread Ryan Sleevi via dev-security-policy
On Fri, Mar 31, 2017 at 2:39 PM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > As we continue to consider how best to react to the most recent incident > involving Symantec, and given that there is a question of whether it is > part of a pattern of

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-31 Thread tarah.symantec--- via dev-security-policy
> > Yeah OK, I got a few things wrong on my blog post, I can fix that shortly. > It's no big deal. At least I'm informing people about security - claiming > that we're just "looking for hits" is ridiculous. Most people pay no > attention to security, I can't speak for others but I'm trying to

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-31 Thread mono.riot--- via dev-security-policy
Maybe I'm alone in this but, while entertaining, I'm taken aback a bit if this is official Symantec communication in a forum like m.d.s.p. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org

Re: Criticism of Google Re: Google Trust Services roots

2017-03-31 Thread Florian Weimer via dev-security-policy
* Peter Kurrasch via dev-security-policy: > By "not new", are you referring to Google being the second(?) instance > where a company has purchased an individual root cert from another > company? It's fair enough to say that Google isn't the first but I'm > not aware of any commentary or airing of

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-31 Thread Peter Bowen via dev-security-policy
> On Mar 31, 2017, at 6:01 PM, Daniel Baxter via dev-security-policy > wrote: > > On Saturday, April 1, 2017 at 6:27:27 AM UTC+11, Jakob Bohm wrote: >> Oh, come on, if that's her job title, that's her job title, and at any >> CA, that is actually an

Re: Grace Period for Sub-CA Disclosure

2017-03-31 Thread Ryan Sleevi via dev-security-policy
On Fri, Mar 31, 2017 at 12:24 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > As previously stated, I think this will be too short if the issuance > happens at a time when a non-CCADB root program (or the CCADB > infrastructure) is closed for holidays,

Re: Symantec Issues List

2017-03-31 Thread Peter Bowen via dev-security-policy
On Fri, Mar 31, 2017 at 4:38 PM, Ryan Sleevi via dev-security-policy wrote: > On Fri, Mar 31, 2017 at 2:39 PM, Gervase Markham wrote: > >> As we continue to consider how best to react to the most recent incident >> involving Symantec, and given that there is

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-31 Thread Daniel Baxter via dev-security-policy
On Saturday, April 1, 2017 at 6:27:27 AM UTC+11, Jakob Bohm wrote: > Oh, come on, if that's her job title, that's her job title, and at any > CA, that is actually an important job that /someone/ should have. I meant the content of her reply, not her job title. > Unfortunately, when initially

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-31 Thread aractuspuphlicus--- via dev-security-policy
On Saturday, April 1, 2017 at 6:51:30 AM UTC+11, Vincent Lynch wrote: > > It is simply a bug, related to an OID included in the certificate. This has > been documented by Chrome > . OK, I'll update that, thanks.

Re: Criticism of Google Re: Google Trust Services roots

2017-03-31 Thread Gervase Markham via dev-security-policy
On 30/03/17 15:01, Peter Kurrasch wrote: > By "not new", are you referring to Google being the second(?) > instance where a company has purchased an individual root cert from > another company? It's fair enough to say that Google isn't the first > but I'm not aware of any commentary or airing of

Re: Criticism of Google Re: Google Trust Services roots

2017-03-31 Thread Peter Bowen via dev-security-policy
On Fri, Mar 31, 2017 at 8:18 AM, Gervase Markham via dev-security-policy wrote: > On 30/03/17 15:01, Peter Kurrasch wrote: >> By "not new", are you referring to Google being the second(?) >> instance where a company has purchased an individual root cert from

RE: Criticism of Google Re: Google Trust Services roots

2017-03-31 Thread Richard Wang via dev-security-policy
Qihoo 360 CSO Mr. Tan updated this in the recent CAB Forum meeting in USA : CEO of WoSign is NA, Richard Wang is the COO. Best Regards, Richard -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of