Responses to April 2017 CA Communication

2017-04-26 Thread Kathleen Wilson via dev-security-policy
All, The responses to Mozilla's April 2017 CA Communication are being published here: https://wiki.mozilla.org/CA:Communications#April_2017_Responses Reminder: I have postponed the response deadline to May 5, and I made a note of that here: https://wiki.mozilla.org/CA:Communications#April_2017

Re: Removing "Wildcard DV Certs" from Potentially Problematic Practices list

2017-04-26 Thread okaphone.elektronika--- via dev-security-policy
I think this is getting weird. At first (some other thread) it get's explained that e.g. LetsEncrypt does not do anything beyond domain validation and possibly on notification take down a few certificates of phishing site. And that was "... all OK because we want SSL to be used everywhere, and

Re: Removing "Wildcard DV Certs" from Potentially Problematic Practices list

2017-04-26 Thread Ryan Sleevi via dev-security-policy
On Wed, Apr 26, 2017 at 4:02 PM, okaphone.elektronika--- via dev-security-policy wrote: > I think this is getting weird. > > At first (some other thread) it get's explained that e.g. LetsEncrypt does > not do anything beyond domain validation and possibly

Re: Removing "Wildcard DV Certs" from Potentially Problematic Practices list

2017-04-26 Thread okaphone.elektronika--- via dev-security-policy
On Wednesday, 26 April 2017 22:43:19 UTC+2, Ryan Sleevi wrote: > On Wed, Apr 26, 2017 at 4:02 PM, okaphone.elektronika wrote: > > > I think this is getting weird. > > > > At first (some other thread) it get's explained that e.g. LetsEncrypt does > > not do anything beyond domain validation and

Re: Removing "Wildcard DV Certs" from Potentially Problematic Practices list

2017-04-26 Thread Ryan Sleevi via dev-security-policy
On Wed, Apr 26, 2017 at 5:17 PM, okaphone.elektronika--- via dev-security-policy wrote: > > If this is about the possible consequences of compromise, then I'd say you > should try to adres that. But please do come up with something that still > allows for

Re: Updating Bugzilla Product/Component groups for CA Program Bugs

2017-04-26 Thread Kathleen Wilson via dev-security-policy
The Bugzilla Product/Components for CA Program bugs have been changed. All of the CA Program bugs are now in the NSS Product group in Bugzilla. The NSS Product group in Bugzilla now has the following Components: Build CA Certificate Mis-Issuance CA Certificate Root Program CA Certificates Code

Re: Removing "Wildcard DV Certs" from Potentially Problematic Practices list

2017-04-26 Thread Peter Kurrasch via dev-security-policy
Hi Ryan--To your first comment, I'm afraid I won't have the time to take a closer look at the discussion on 3.2.2.4. Hopefully a path from single domain to unlimited domains exists (or will). It makes sense to me

Re: Removing "Wildcard DV Certs" from Potentially Problematic Practices list

2017-04-26 Thread Ryan Sleevi via dev-security-policy
On Wed, Apr 26, 2017 at 3:17 PM, Peter Kurrasch wrote: > Hi Ryan-- > > To your first comment, I'm afraid I won't have the time to take a closer > look at the discussion on 3.2.2.4. Hopefully a path from single domain to > unlimited domains exists (or will). It makes sense to me

RE: CA Validation quality is failing

2017-04-26 Thread Jeremy Rowley via dev-security-policy
Status Update: We are still scanning our database to discover all certificates containing incorrect data. So far, the count is at 1510. The issues fall into two categories: 1) a failure to properly convey that BRs prohibit inclusion of meta data (BR 7.1.4.2.2.j) and 2) auto-population of

RE: Symantec Conclusions and Next Steps

2017-04-26 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > Gervase Markham via dev-security-policy > Sent: Friday, April 21, 2017 6:17 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject:

Expanding Aaron Wu's role in CA Program

2017-04-26 Thread Kathleen Wilson via dev-security-policy
All, As many of you know, Aaron Wu has been doing the Information Verification[1] for root inclusion/update requests, has helped me organize the CA Program Bugzilla Bugs[2], and continues to expand in his role in helping with Mozilla's CA Certificates Module[3]. I have asked Aaron to begin

Re: Symantec Conclusions and Next Steps

2017-04-26 Thread Rob Stradling via dev-security-policy
On 25/04/17 23:50, Ryan Sleevi via dev-security-policy wrote: Continuing to look through the audits, I happened to notice a few other things that stood out, some more pressing than others. More pressing: I can find no disclosure with Salesforce or crt.sh of at least two CAs that are listed 'in