Re: Taiwan GRCA Root Renewal Request

2017-06-01 Thread Kathleen Wilson via dev-security-policy
On Friday, May 26, 2017 at 9:32:57 AM UTC-7, Kathleen Wilson wrote: > On Wednesday, March 15, 2017 at 5:01:13 PM UTC-7, Kathleen Wilson wrote: > All, > > I requested that this CA perform a BR Self Assessment, and they have attached > their completed BR Self Assessment to the bug here: >

Re: Policy 2.5 Proposal: Add definition of "mis-issuance"

2017-06-01 Thread Peter Bowen via dev-security-policy
On Thu, Jun 1, 2017 at 5:49 AM, Ryan Sleevi via dev-security-policy wrote: > On Thu, Jun 1, 2017 at 4:35 AM, Gervase Markham via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> On 31/05/17 18:02, Matthew Hardeman wrote: >> >

Re: Policy 2.5 Proposal: Add definition of "mis-issuance"

2017-06-01 Thread Peter Kurrasch via dev-security-policy
So how about this:A proper certificate is one that...- contains the data as provided by the requester that the requester intended to use;- contains the data as provided by the issuer that the issuer intended to

Re: Policy 2.5 Proposal: Add definition of "mis-issuance"

2017-06-01 Thread Jakob Bohm via dev-security-policy
On 31/05/2017 18:04, Gervase Markham wrote: It has been suggested we need a formal definition of what we consider mis-issuance. The closest we have is currently a couple of sentence in section 7.3: "A certificate that includes domain names that have not been verified according to section

Re: StartCom issuing bogus certificates

2017-06-01 Thread Gervase Markham via dev-security-policy
On 01/06/17 01:48, Yuhong Bao wrote: > I don't think there is anything important on example.com though How would you like it if a CA decided there was nothing important on your website and so decided it was OK to misissue certificates for it? This requirement is a positive requirement ("must

Re: Policy 2.5 Proposal: Add definition of "mis-issuance"

2017-06-01 Thread Gervase Markham via dev-security-policy
On 31/05/17 18:02, Matthew Hardeman wrote: > Perhaps some reference to technologically incorrect syntax (i.e. an > incorrectly encoded certificate) being a mis-issuance? Well, if it's so badly encoded Firefox doesn't recognise it, we don't care too much (apart from how it speaks to

RE: Policy 2.5 Proposal: Clarify requirement for multi-factor auth

2017-06-01 Thread Doug Beattie via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+doug.beattie=globalsign@lists.mozilla.org] On Behalf Of Gervase > Markham via dev-security-policy > Sent: Wednesday, May 31, 2017 7:24 AM > To: mozilla-dev-security-pol...@lists.mozilla.org >

RE: StartCom issuing bogus certificates

2017-06-01 Thread Inigo Barreira via dev-security-policy
Hi all, Firstly I´d like to apologize for not having answering before and for posting an initial response that was not correct not accurate and not related what it´s being discussed right now. It was my fault for not having checked before with my team, which is in China and they are 6 hours

Re: Policy 2.5 Proposal: Clarify requirement for multi-factor auth

2017-06-01 Thread Gervase Markham via dev-security-policy
Hi Doug, On 01/06/17 10:54, Doug Beattie wrote: > Can you give some examples of validation functions that need to be enforced > by multifactor authentication? There are some that I don't think can be done > using multi-factor authentication, such as domain validation via email (the > link to

Re: StartCom issuing bogus certificates

2017-06-01 Thread Vincent Lynch via dev-security-policy
Hi Inigo, You mentioned there would be a report attached but I believe you forgot to send it? Can you upload the report and provide a URL? I believe that's the 'best practice' for sharing files here as it allows non-subscribers to access the file via the Google Groups archive. -Vincent On Thu,

Re: Policy 2.5 Proposal: Clarify requirement for multi-factor auth

2017-06-01 Thread Ryan Sleevi via dev-security-policy
On Thu, Jun 1, 2017 at 6:52 AM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Hi Doug, > > On 01/06/17 10:54, Doug Beattie wrote: > > Can you give some examples of validation functions that need to be > enforced by multifactor authentication? There are

Re: Policy 2.5 Proposal: Add definition of "mis-issuance"

2017-06-01 Thread Ryan Sleevi via dev-security-policy
On Thu, Jun 1, 2017 at 4:35 AM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 31/05/17 18:02, Matthew Hardeman wrote: > > Perhaps some reference to technologically incorrect syntax (i.e. an > incorrectly encoded certificate) being a mis-issuance? > >

Re: Policy 2.5 Proposal: Clarify requirement for multi-factor auth

2017-06-01 Thread Gervase Markham via dev-security-policy
On 01/06/17 13:45, Ryan Sleevi wrote: > The reason why I don't think it's a valid reasoning is that if we accept > that this provision in the policy could be read to cover such emails, then > we're implicitly agreeing that the act of clicking that email is performing > a validation function

Re: Policy 2.5 Proposal: Add definition of "mis-issuance"

2017-06-01 Thread Matthew Hardeman via dev-security-policy
On Thursday, June 1, 2017 at 8:03:33 AM UTC-5, Gervase Markham wrote: > > My point is not that we are entirely indifferent to such problems, but > that perhaps the category of "mis-issuance" is the wrong one for such > errors. I guess it depends what we mean by "mis-issuance" - which is the >

Re: Policy 2.5 Proposal: Add definition of "mis-issuance"

2017-06-01 Thread Nick Lamb via dev-security-policy
I think a broad definition is appropriate here. Mozilla is not obliged to do anything at all, much less anything drastic if it is discovered that mis-issuance has occurred. At most we might think it time to re-evaluate this policy. Fools are endlessly inventive so a too narrow definition runs

RE: StartCom issuing bogus certificates

2017-06-01 Thread Inigo Barreira via dev-security-policy
Hi https://bugzilla.mozilla.org/attachment.cgi?id=8873408 https://bugzilla.mozilla.org/attachment.cgi?id=8873409 these are the 2 documents I tried to upload to the

Re: Policy 2.5 Proposal: Add definition of "mis-issuance"

2017-06-01 Thread Gervase Markham via dev-security-policy
On 01/06/17 13:49, Ryan Sleevi wrote: > I would encourage you to reconsider this, or perhaps I've misunderstood > your position. To the extent that Mozilla's mission includes "The > effectiveness of the Internet as a public resource depends upon > interoperability (protocols, data formats,

Re: Policy 2.5 Proposal: Clarify requirement for multi-factor auth

2017-06-01 Thread Gervase Markham via dev-security-policy
On 01/06/17 14:22, Doug Beattie wrote: > If this is the case, then in what cases do you see 2-factor auth being a > requirement where it was not before? Well, Mozilla policy didn't require that all RA accounts had multi-factor, only those directly capable of causing certificate issuance. Maybe

RE: Policy 2.5 Proposal: Clarify requirement for multi-factor auth

2017-06-01 Thread Doug Beattie via dev-security-policy
From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Thursday, June 1, 2017 8:46 AM To: Gervase Markham Cc: Doug Beattie ; mozilla-dev-security-policy Subject: Re: Policy 2.5 Proposal: Clarify