Re: 2018.03.12 Let's Encrypt Wildcard Certificate Encoding Issue

2018-03-13 Thread Matthew Hardeman via dev-security-policy
The fact that this mis-issuance occurred does raise a question for the community. For quite some time, it has been repeatedly emphasized that maintaining a non-trusted but otherwise identical staging environment and practicing all permutations of tests and issuances -- especially involving new

Re: 2018.03.12 Let's Encrypt Wildcard Certificate Encoding Issue

2018-03-13 Thread Tom via dev-security-policy
> During final tests for the general availability of wildcard certificate support, the Let's Encrypt operations team issued six test wildcard certificates under our publicly trusted root: > > https://crt.sh/?id=353759994 > https://crt.sh/?id=353758875 > https://crt.sh/?id=353757861 >

Re: Mozilla Security Blog re Symantec TLS Certs

2018-03-13 Thread Kai Engert via dev-security-policy
On 12.03.2018 22:19, Kathleen Wilson via dev-security-policy wrote: > Wayne and I have posted a Mozilla Security Blog regarding the current > plan for distrusting the Symantec TLS certs. > > https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/ Hello Kathleen and

Re: 2018.03.12 Let's Encrypt Wildcard Certificate Encoding Issue

2018-03-13 Thread josh--- via dev-security-policy
On Tuesday, March 13, 2018 at 3:33:50 AM UTC-5, Tom wrote: > > During final tests for the general availability of wildcard > certificate support, the Let's Encrypt operations team issued six test > wildcard certificates under our publicly trusted root: > > > > https://crt.sh/?id=353759994 > >

Re: Mozilla Security Blog re Symantec TLS Certs

2018-03-13 Thread Jeremy Rowley via dev-security-policy
Same question. Does this mean the key used to sign the digicert roots is subject to the distrust without exception? > On Mar 13, 2018, at 1:36 PM, Kai Engert via dev-security-policy > wrote: > >> On 12.03.2018 22:19, Kathleen Wilson via

Re: Mozilla Security Blog re Symantec TLS Certs

2018-03-13 Thread Kai Engert via dev-security-policy
On 13.03.2018 15:35, Ryan Sleevi via dev-security-policy wrote: > >> Are the DigiCert transition CAs, which are part of the exclusion list, >> and which you say are used for "Managed Partner Infrastructure", >> strictly limited to support the needs of the Apple and Google companies? > > > No.

Re: Mozilla Security Blog re Symantec TLS Certs

2018-03-13 Thread Peter Bowen via dev-security-policy
On Tue, Mar 13, 2018 at 7:19 AM, Kai Engert via dev-security-policy wrote: > On 13.03.2018 14:59, Ryan Sleevi wrote: >> the blog post says, the subCAs controlled by Apple and Google are the >> ONLY exceptions. >> >> However, the Mozilla Firefox

Re: Mozilla Security Blog re Symantec TLS Certs

2018-03-13 Thread Peter Bowen via dev-security-policy
On Tue, Mar 13, 2018 at 7:55 AM, Kai Engert via dev-security-policy wrote: > On 13.03.2018 15:35, Ryan Sleevi via dev-security-policy wrote: >> >>> Are the DigiCert transition CAs, which are part of the exclusion list, >>> and which you say are used for

Re: Mozilla Security Blog re Symantec TLS Certs

2018-03-13 Thread Ryan Sleevi via dev-security-policy
On Tue, Mar 13, 2018 at 10:55 AM, Kai Engert wrote: > On 13.03.2018 15:35, Ryan Sleevi via dev-security-policy wrote: > > > >> Are the DigiCert transition CAs, which are part of the exclusion list, > >> and which you say are used for "Managed Partner Infrastructure", > >> strictly

Re: Mozilla Security Blog re Symantec TLS Certs

2018-03-13 Thread Ryan Sleevi via dev-security-policy
On Tue, Mar 13, 2018 at 10:19 AM, Kai Engert via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 13.03.2018 14:59, Ryan Sleevi wrote: > > the blog post says, the subCAs controlled by Apple and Google are the > > ONLY exceptions. > > > > However, the Mozilla

Re: Mozilla Security Blog re Symantec TLS Certs

2018-03-13 Thread Ryan Sleevi via dev-security-policy
On Tue, Mar 13, 2018 at 10:52 AM, Peter Bowen wrote: > On Tue, Mar 13, 2018 at 7:19 AM, Kai Engert via dev-security-policy > wrote: > > On 13.03.2018 14:59, Ryan Sleevi wrote: > >> the blog post says, the subCAs controlled by Apple

Re: Mozilla Security Blog re Symantec TLS Certs

2018-03-13 Thread Kai Engert via dev-security-policy
On 13.03.2018 15:59, Peter Bowen wrote: >> >> Which companies, other than Apple and Google, benefit from DigiCert >> running the Manager Partner Infrastructure and from DigiCert being part >> of the exclusion list? > > An unlimited set. Any company who purchases a certificate from > DigiCert

Re: Mozilla Security Blog re Symantec TLS Certs

2018-03-13 Thread Ryan Sleevi via dev-security-policy
On Tue, Mar 13, 2018 at 11:50 AM, Ryan Sleevi wrote: > > > On Tue, Mar 13, 2018 at 11:26 AM, Kai Engert wrote: > >> On 13.03.2018 15:59, Peter Bowen wrote: >> >> >> >> Which companies, other than Apple and Google, benefit from DigiCert >> >> running the Manager

Re: Mozilla Security Blog re Symantec TLS Certs

2018-03-13 Thread Kathleen Wilson via dev-security-policy
As I didn't write the blog post, I certainly can't speak to the intent. The intent of the blog post was to let folks know about an error they may encounter when Firefox 60 goes into Beta. And to have a place to point folks to if they run into the error and ask about it. It was *not* our

Re: 2018.03.12 Let's Encrypt Wildcard Certificate Encoding Issue

2018-03-13 Thread jsha--- via dev-security-policy
On Tuesday, March 13, 2018 at 2:02:45 PM UTC-7, Ryan Sleevi wrote: > I'm hoping that LE can provide more details about the change management > process and how, in light of this incident, it may change - both in terms > of automated testing and in certificate policy review. Forgot to reply to this

Re: 2018.03.12 Let's Encrypt Wildcard Certificate Encoding Issue

2018-03-13 Thread Ryan Sleevi via dev-security-policy
On Tue, Mar 13, 2018 at 4:13 PM, Matthew Hardeman via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I am not at all suggesting consequences for Let's Encrypt, but rather > raising a question as to whether that position on new inclusions / renewals > is appropriate. If

Re: 2018.03.12 Let's Encrypt Wildcard Certificate Encoding Issue

2018-03-13 Thread Matthew Hardeman via dev-security-policy
On Tue, Mar 13, 2018 at 4:02 PM, Ryan Sleevi wrote: > > > On Tue, Mar 13, 2018 at 4:13 PM, Matthew Hardeman via dev-security-policy > wrote: > >> I am not at all suggesting consequences for Let's Encrypt, but rather >> raising a question

Re: 2018.03.12 Let's Encrypt Wildcard Certificate Encoding Issue

2018-03-13 Thread jsha--- via dev-security-policy
On Tuesday, March 13, 2018 at 2:02:45 PM UTC-7, Ryan Sleevi wrote: > availability of certificate linting tools - such as ZLint, x509Lint, > (AWS's) certlint, and (GlobalSign's) certlint - there's no dearth of > availability of open tools and checks. Given the industry push towards > integration of

Re: Mozilla Security Blog re Symantec TLS Certs

2018-03-13 Thread Ryan Sleevi via dev-security-policy
On Tue, Mar 13, 2018 at 11:26 AM, Kai Engert wrote: > On 13.03.2018 15:59, Peter Bowen wrote: > >> > >> Which companies, other than Apple and Google, benefit from DigiCert > >> running the Manager Partner Infrastructure and from DigiCert being part > >> of the exclusion list? > > >