On 25/02/2019 16:17, Nick Lamb via dev-security-policy wrote:
> On Sat, 23 Feb 2019 10:16:27 +0100
> Kurt Roeckx via dev-security-policy
> wrote:
>> I would also like to have a comment from the current root owner
>> (digicert?) on what they plan to do with it.
>
> Two other things would be
Apart from the concerns others have already raised, I am bothered by the
wording of one of the Dark Matter commitments, which says that "TLS certs
intended for public trust" will be logged. What does public trust mean? Does
it include certificates intended only for use within their country?
Here's the summary of Mozilla's audit reminder emails that were sent
last Tuesday. (I was on vacation last week).
Note that per previous discussion, the date logic for sending these
emails has been updated, and is documented here:
If DarkMatter is issuing from a CA that chains to a Quovadis root trusted by
Mozilla, the issuance is in scope of the Mozilla policy. But that also
means the cert is publicly trusted. Thus, I read it as "all TLS certs issued
from the public ICA are publicly logged", which matches what Scott told
Hi all,
Sorry for the delayed response. Been traveling and haven't had a chance to
properly format my thoughts until now.
As you all know, DigiCert recently acquired the Quovadis CA. As the operator
of the CA, DigiCert is responsible for the issuing CA controlled by
DarkMatter. DarkMatter
The answer to the question of what certificates they intend to CT log or
not may be interesting as a point of curiosity, but the in-product CT
logging requirements of certain internet browsers (Chrome, Safari) would
seem to ultimately force them to CT log the certificates that are intended
to be
On Mon, Feb 25, 2019 at 12:15 PM Richard Salz wrote:
> You miss the point of my question.
>
> What types of certs would they issue that would NOT expect to be trusted
> by the public?
>
>>
>>>
I get the question in principle. If it is a certificate not intended for
public trust, I suppose I
> From: dev-security-policy On
> behalf of Matthew Hardeman via dev-security-policy
> On Mon, Feb 25, 2019 at 12:15 PM Richard Salz wrote:
>
> > You miss the point of my question.
> >
> > What types of certs would they issue that would NOT expect to be
> > trusted by the public?
> I get the
One other thing I wanted to get ahead of is that we are revoking three Dark
Matter issuing CAs tomorrow. This revocation was planned well before this
discussion started. These three certificates were issued in 2016 with
improper name constraints. The 2017 certificates currently used are
G’day Paul,
I cannot speak for other CAs, I can only surmise what another CA that is as
risk intolerant as we are might do. For us, we will collision test since there
is some probability of a collision and the test is the only way to completely
mitigate that risk.
There is a limitation in our
Hi Scott,
Comments inline.
On February 25, 2019 at 4:58:00 PM, Scott Rea via dev-security-policy (
dev-security-policy@lists.mozilla.org) wrote:
G’day Corey,
To follow up on this thread, we have confirmed with the developers of the
platform that the approach used to include 64-bit output from
G’day Corey,
To follow up on this thread, we have confirmed with the developers of the
platform that the approach used to include 64-bit output from a CSPRNG in the
serialNumber is to generate the required output and then test it to see if it
can be a valid serialNumber. If it is not a valid
On 25/02/2019 11:42, Scott Rea wrote:
G’day Paul,
I cannot speak for other CAs, I can only surmise what another CA that is as
risk intolerant as we are might do. For us, we will collision test since there
is some probability of a collision and the test is the only way to completely
mitigate
Mozilla seems to be more and more of a problem.
Not only are there issues with Certificates, there are also built-in problems in
Linux distributions.
Considering how much new work is starting for Machine Learning, drone and
vehicle controls, we need Mozilla to be just as reliable as Google and
There are other ways to achieve a guarantee of non-collision besides
re-generating. For example, we incorporate the timestamp of issuance into the
serial number alongside the random bits. You could also incorporate a
sequential value into your serial number. Both methods serve to guarantee
On Sat, 23 Feb 2019 10:16:27 +0100
Kurt Roeckx via dev-security-policy
wrote:
> I would also like to have a comment from the current root owner
> (digicert?) on what they plan to do with it.
Two other things would be interesting from Digicert on this topic
1. To what extent does DarkMatter