Re: Symantec response to Google proposal

2017-06-05 Thread Peter Kurrasch via dev-security-policy
Hi Gerv--Is Mozilla willing to consider a simpler approach in this matter? For example, it seems that much of the complexity of the Google/Symantec proposal stems from this new PKI idea. I think Mozilla could

New undisclosed intermediates

2017-06-05 Thread Alex Gaynor via dev-security-policy
Happy Monday! Another week, another set of intermediate certs that have shown up in CT without having been properly disclosed: https://crt.sh/mozilla-disclosures#undisclosed There are four intermediates here, and with exception of the StartCom one, they were all issued more than a year ago. As

On remedies for CAs behaving badly

2017-06-05 Thread Matthew Hardeman via dev-security-policy
Hi all, I thought it prudent in light of the recent response from Symantec regarding the Google Chrome proposal for remediation to raise the question of the possible remedies the community and the root programs have against a CA behaving badly (mis-issuances, etc.) Symantec makes a number of

Re: On remedies for CAs behaving badly

2017-06-05 Thread Ryan Sleevi via dev-security-policy
On Mon, Jun 5, 2017 at 11:52 AM, Matthew Hardeman via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > Has there ever been an effort by the root programs to directly assess > monetary penalties to the CAs -- never for inclusion -- but rather as part > of a remediation

Re: On remedies for CAs behaving badly

2017-06-05 Thread Moudrick M. Dadashov via dev-security-policy
+1 Thanks, M.D. On 6/5/2017 7:16 PM, Ryan Sleevi via dev-security-policy wrote: On Mon, Jun 5, 2017 at 11:52 AM, Matthew Hardeman via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: Has there ever been an effort by the root programs to directly assess monetary penalties to

Re: Policy 2.5 Proposal: Add definition of "mis-issuance"

2017-06-05 Thread Ryan Sleevi via dev-security-policy
On Mon, Jun 5, 2017 at 6:21 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > If you read the paper, it contains a proposal for the CAs to countersign > the computed super-crl to confirm that all entries for that CA match the > actual revocations and

Re: On remedies for CAs behaving badly

2017-06-05 Thread Matt Palmer via dev-security-policy
On Mon, Jun 05, 2017 at 08:25:22PM -0500, Peter Kurrasch via dev-security-policy wrote: >Consider, too, that removing trust from a CA has an economic sanction >built-in: loss of business. For many CA's I imagine that serves as >motivation enough for good behavior but others...possibly

Re: [EXT] Symantec response to Google proposal

2017-06-05 Thread Martin Heaps via dev-security-policy
As an incidental, I am negatively influenced by reading Symantecs response: On Friday, 2 June 2017 16:48:45 UTC+1, Steve Medin wrote: > > https://www.symantec.com/connect/blogs/symantec-s-response-google- > s-subca-proposal > > > > > Our primary objective has always been to minimize any

Re: On remedies for CAs behaving badly

2017-06-05 Thread Peter Kurrasch via dev-security-policy
Consider, too, that removing trust from a CA has an economic sanction built-in: loss of business. For many CA's I imagine that serves as motivation enough for good behavior but others...possibly not.Either way,

Re: Policy 2.5 Proposal: Add definition of "mis-issuance"

2017-06-05 Thread Jakob Bohm via dev-security-policy
On 02/06/2017 17:12, Ryan Sleevi wrote: On Fri, Jun 2, 2017 at 10:09 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On 02/06/2017 15:54, Ryan Sleevi wrote: On Fri, Jun 2, 2017 at 9:33 AM, Peter Bowen wrote: On Fri, Jun 2, 2017 at