Re: Symantec Update on SubCA Proposal

2017-07-21 Thread Gervase Markham via dev-security-policy
On 21/07/17 07:00, Rick Andrews wrote: > In light of all of these implications, we respectfully request that Mozilla, > Google and the community consider the dates Symantec has proposed, which are > the results of our earnest and extensive efforts to implement the spirit of > the SubCA

Re: Symantec Update on SubCA Proposal

2017-07-21 Thread Rick Andrews via dev-security-policy
On Thursday, July 20, 2017 at 12:31:56 PM UTC-7, Gervase Markham wrote: > Hi Steve, > > Thanks for posting this. I appreciate the level of detail provided, > which is useful in giving us a basis for discussion. It's a little > regrettable, though, that it was published a couple of weeks after we

Re: [EXT] Symantec Update on SubCA Proposal

2017-07-21 Thread Peter Bowen via dev-security-policy
Steve, I think this level of public detail is very helpful when it comes to understanding the proposal. On Thu, Jul 20, 2017 at 8:00 AM, Steve Medin via dev-security-policy wrote: > 1) December 1, 2017 is the earliest credible date that any RFP >

Re: [EXT] Symantec Update on SubCA Proposal

2017-07-21 Thread Alex Gaynor via dev-security-policy
On Thu, Jul 20, 2017 at 11:00 AM, Steve Medin wrote: > 1) *December 1, 2017 is the earliest credible date that any RFP > respondent can provide the Managed CA solution proposed by Google, assuming > a start date of August 1, 2017. Only one RFP respondent initially

Re: How long to resolve unaudited unconstrained intermediates?

2017-07-21 Thread Rob Stradling via dev-security-policy
On 20/07/17 15:24, Gervase Markham via dev-security-policy wrote: On 12/07/17 21:18, Ben Wilson wrote: For CAs with emailProtection and proper name constraints, where would such CAs appear in https://crt.sh/mozilla-disclosures? https://crt.sh/mozilla-disclosures#constrainedother? Or a new

Re: Regarding CA requirements as to technical infrastructure utilized in automated domain validations, etc. (if any)

2017-07-21 Thread Matthew Hardeman via dev-security-policy
It seems that a group of Princeton researchers just presented a live theoretical* misissuance by Let's Encrypt. They did a sub-prefix hijack via a technique other than those I described here and achieved issuance while passing through traffic for other destinations within the IP space of the

RE: Certificate with invalid dnsName issued from Baltimore intermediate

2017-07-21 Thread Ben Wilson via dev-security-policy
Just as a follow up, these two certificates (with www.intesasanpaolovita..biz) were revoked on 19 July 2017. See http://ca.intesasanpaolo.com/portalCais0/crl/servext2.crl. -Original Message- From: dev-security-policy

Re: [EXT] Symantec Update on SubCA Proposal

2017-07-21 Thread Rick Andrews via dev-security-policy
On Friday, July 21, 2017 at 12:39:54 PM UTC-7, Peter Bowen wrote: > Steve, > > I think this level of public detail is very helpful when it comes to > understanding the proposal. > > On Thu, Jul 20, 2017 at 8:00 AM, Steve Medin via dev-security-policy > wrote: > > 1) December 1, 2017 is the

Re: [EXT] Symantec Update on SubCA Proposal

2017-07-21 Thread Rick Andrews via dev-security-policy
On Friday, July 21, 2017 at 12:07:02 PM UTC-7, Alex Gaynor wrote: > On Thu, Jul 20, 2017 at 11:00 AM, Steve Medin wrote: > > > 1) *December 1, 2017 is the earliest credible date that any RFP > > respondent can provide the Managed CA solution proposed by Google, assuming > > a start date of