Re: Symantec Issues List

2017-04-03 Thread Gervase Markham via dev-security-policy
On 03/04/17 02:37, Peter Bowen wrote: > I believe Issue L is incorrectly dated. Thank you for this; I have updated Issue L to hopefully be more accurate, but I intend to keep it as a separate issue. Gerv ___ dev-security-policy mailing list

Re: Symantec Issues List

2017-04-03 Thread Gervase Markham via dev-security-policy
On 01/04/17 05:57, Peter Bowen wrote: > The GeoRoot program was very similar to that offered by many CAs a few > years ago. CyberTrust (then Verizon, now DigiCert) has the OmniRoot > program, Entrust has a root signing program[1], and GlobalSign Trusted > Root[2] are just a few examples. While

Re: Symantec Issues List

2017-04-03 Thread Gervase Markham via dev-security-policy
On 01/04/17 00:38, Ryan Sleevi wrote: > On Fri, Mar 31, 2017 at 2:39 PM, Gervase Markham via dev-security-policy < > Thanks for organizing this information, as much of it was related to and > relevant to Google's recent announcement. I want to take this opportunity > to share additional details

Re: Grace Period for Sub-CA Disclosure

2017-04-03 Thread Ryan Sleevi via dev-security-policy
On Mon, Apr 3, 2017 at 11:18 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 04/04/2017 05:03, Ryan Sleevi wrote: > >> On Mon, Apr 3, 2017 at 7:18 PM, Jakob Bohm via dev-security-policy < >> dev-security-policy@lists.mozilla.org> wrote: >> >> I see it

Re: Grace Period for Sub-CA Disclosure

2017-04-03 Thread Ryan Sleevi via dev-security-policy
On Mon, Apr 3, 2017 at 7:18 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I see it as part of the underlying reasoning. Mozilla et al wants > disclosure in order to take action if the disclosed facts are deemed > unacceptable (under policy or

Re: Grace Period for Sub-CA Disclosure

2017-04-03 Thread Jakob Bohm via dev-security-policy
On 04/04/2017 05:30, Ryan Sleevi wrote: On Mon, Apr 3, 2017 at 11:18 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: So why does Mozilla want disclosure and not just a blanket X on a form stating that all SubCAs are adequately audited, follow BRs etc.?

Re: Grace Period for Sub-CA Disclosure

2017-04-03 Thread Jakob Bohm via dev-security-policy
On 03/04/2017 21:48, Ryan Sleevi wrote: On Mon, Apr 3, 2017 at 3:36 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: The assumptions are: 0. All relevant root programs set similar/identical policies or they get incorporatated into the CAB/F BRs on a

Questions for Symantec

2017-04-03 Thread Gervase Markham via dev-security-policy
Hi Steve and Rick, You have told me that you are considering your response(s) to the Symantec issues list, which is fine. Based on the list and further discussions which have been happening in m.d.s.policy, and on your recent audit publication, I thought it would be helpful to give a few specific

Re: Grace Period for Sub-CA Disclosure

2017-04-03 Thread Jakob Bohm via dev-security-policy
On 01/04/2017 03:49, Ryan Sleevi wrote: On Fri, Mar 31, 2017 at 12:24 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: As previously stated, I think this will be too short if the issuance happens at a time when a non-CCADB root program (or the CCADB

Re: DRAFT - BR Self Assessments

2017-04-03 Thread Kathleen Wilson via dev-security-policy
I updated https://wiki.mozilla.org/CA:BRs-Self-Assessment to add a section called 'Annual BR Self Assessment', which states: "CAs with included root certificates that have the Websites trust bit set must do an annual self-assessment of their compliance with the BRs, and must update their CP

Re: Grace Period for Sub-CA Disclosure

2017-04-03 Thread Ryan Sleevi via dev-security-policy
On Mon, Apr 3, 2017 at 12:58 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > taking a holiday and not being able to process a disclosure of a new > SubCA. > Considering that the CCADB does not require any of these parties to process a disclosure, can you

Re: Symantec Issues List

2017-04-03 Thread Ryan Sleevi via dev-security-policy
On Mon, Apr 3, 2017 at 12:46 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > How about this simple explanation (purely a guess, not at all checked): > I think we should focus on objective facts and statements. While there are a number of possible ways to

Re: Next CA Communication

2017-04-03 Thread Kathleen Wilson via dev-security-policy
On Saturday, April 1, 2017 at 3:59:28 AM UTC-7, Gervase Markham wrote: > On 31/03/17 22:20, Kathleen Wilson wrote: > > Please let me know asap if you see any problems, typos, etc. in this > > version. > > Now that policy 2.4.1 has been published, we should update Action 3 to > say the following

Re: Grace Period for Sub-CA Disclosure

2017-04-03 Thread Peter Bowen via dev-security-policy
On Mon, Apr 3, 2017 at 1:45 PM, Jakob Bohm via dev-security-policy wrote: > On 03/04/2017 21:48, Ryan Sleevi wrote: >> >> On Mon, Apr 3, 2017 at 3:36 PM, Jakob Bohm via dev-security-policy < >> dev-security-policy@lists.mozilla.org> wrote: >>> >>> >>> The

Re: Criticism of Google Re: Google Trust Services roots

2017-04-03 Thread Peter Kurrasch via dev-security-policy
I must be missing something still? The implication here is that a purchaser who is not yet part of the root program is permitted to take possession of the root cert private key and possibly the physical space, key personnel, networking infrastructure, revocation systems, and responsibility for

Re: Next CA Communication

2017-04-03 Thread Kathleen Wilson via dev-security-policy
On Monday, April 3, 2017 at 10:13:22 AM UTC-7, Kathleen Wilson wrote: > https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ > still shows version 2.4. It's been updated to version 2.4.1. Thanks, Kathleen ___

Re: Grace Period for Sub-CA Disclosure

2017-04-03 Thread Ryan Sleevi via dev-security-policy
On Mon, Apr 3, 2017 at 3:36 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > The assumptions are: > > 0. All relevant root programs set similar/identical policies or they > get incorporatated into the CAB/F BRs on a future date. > This is not correct at

Re: Grace Period for Sub-CA Disclosure

2017-04-03 Thread Nick Lamb via dev-security-policy
Further to Ryan's reply, we can once again take lessons from the real world Ordinarily notice in law can be given by sending a letter and waiting a few days. There is no obligation to prove the letter was delivered, let alone read and comprehended, only that it was sent and that it was

Re: Grace Period for Sub-CA Disclosure

2017-04-03 Thread Jakob Bohm via dev-security-policy
On 03/04/2017 19:24, Ryan Sleevi wrote: On Mon, Apr 3, 2017 at 12:58 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: taking a holiday and not being able to process a disclosure of a new SubCA. Considering that the CCADB does not require any of these

Re: Grace Period for Sub-CA Disclosure

2017-04-03 Thread Peter Bowen via dev-security-policy
On Mon, Apr 3, 2017 at 12:36 PM, Jakob Bohm via dev-security-policy wrote: > On 03/04/2017 19:24, Ryan Sleevi wrote: >> >> On Mon, Apr 3, 2017 at 12:58 PM, Jakob Bohm via dev-security-policy < >> dev-security-policy@lists.mozilla.org> wrote: >>> >>> >>>

Re: Grace Period for Sub-CA Disclosure

2017-04-03 Thread Jakob Bohm via dev-security-policy
On 04/04/2017 00:31, Peter Bowen wrote: On Mon, Apr 3, 2017 at 1:45 PM, Jakob Bohm via dev-security-policy wrote: On 03/04/2017 21:48, Ryan Sleevi wrote: On Mon, Apr 3, 2017 at 3:36 PM, Jakob Bohm via dev-security-policy <