Re: Use of Certificate/Public Key Pinning

2019-08-13 Thread Paul Wouters via dev-security-policy
On Mon, 12 Aug 2019, Nuno Ponte via dev-security-policy wrote: Recently, we (Multicert) had to roll out a general certificate replacement due to the serial number entropy issue. Some of the most troubled cases to replace the certificates were customers doing certificate pinning on mobile apps.

Re: Use of Certificate/Public Key Pinning

2019-08-13 Thread Matthew Hardeman via dev-security-policy
I feel that there's a great deal of consultancy and assistance that CAs and PKI professionals could bring to their more sophisticated customers with scenarios such as these, where public key pinning in a field-deployed application may present problems for certificates being revoked. A best

Re: [FORGED] Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-13 Thread Mirro via dev-security-policy
On Tuesday, 13 August 2019 at 5:57:38 PM UTC+8, Man Ho wrote: > For EV certificate being useful in email, email client software should > give a special EV treatment to such certificate.  I am not aware of any > email client software that supports any special EV treatment at all.  Do > you have more information to

Re: Entrust Root Certification Authority - G4 Inclusion Request

2019-08-13 Thread Bruce via dev-security-policy
On Friday, July 26, 2019 at 1:25:13 PM UTC-4, Wayne Thayer wrote: > ==Bad== > * The most recent BR audit report lists two additional qualifications > related to the Network Security requirements: > ** During the Period, there were instances of some Certificate Systems not > undergoing a

Use of Certificate/Public Key Pinning

2019-08-13 Thread Nuno Ponte via dev-security-policy
Dear m.d.s.p., I would like to bring into discussion the use of certificate/public key pinning and the impacts on the 5-day period for certificate revocation according to BR §4.9.1.1. Recently, we (Multicert) had to roll out a general certificate replacement due to the serial number entropy

Re: Use of Certificate/Public Key Pinning

2019-08-13 Thread Tom Ritter via dev-security-policy
PKP is a footgun. Deploying it without being prepared for the situations you've described is ill-advised. There are a few options available for organizations who want to pin, in increasing order of sophistication: Enforce Certificate Transparency. You're not locked into any CA or key, only that

Re: Extending Audit Letter Validation to Intermediate Cert records in CCADB

2019-08-13 Thread Kathleen Wilson via dev-security-policy
On 8/8/19 9:03 AM, Ryan Sleevi wrote: On Wed, Aug 7, 2019 at 6:28 PM Kathleen Wilson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: I have been working towards extending Audit Letter Validation (ALV) to intermediate certificate records in the CCADB. This is involving

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-13 Thread Daniel Marschall via dev-security-policy
I share the opinion with Jakob, except with the CVE. Please remove this change. It is unnecessary and kills the EV market. But if you insist on keeping that UI change, maybe you can at least give the lock symbol a different color if it is an EV cert?

Request to Include 4 Microsoft Root CAs

2019-08-13 Thread Wayne Thayer via dev-security-policy
This request is for inclusion of the Microsoft RSA Root Certificate Authority 2017, Microsoft ECC Root Certificate Authority 2017, Microsoft EV RSA Root Certificate Authority 2017, and Microsoft EV ECC Root Certificate Authority 2017 trust anchors as documented in the following bug:

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-13 Thread Peter Gutmann via dev-security-policy
Daniel Marschall via dev-security-policy writes: >I share the opinion with Jakob, except with the CVE. Please remove this >change. It is unnecessary and kills the EV market. And that was my motivation for the previous question: We know from a decade of data that EV certs haven't made any

Re: [FORGED] Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-13 Thread Kurt Roeckx via dev-security-policy
On 2019-08-13 05:27, Peter Gutmann wrote: Wayne Thayer via dev-security-policy writes: Mozilla has announced that we plan to relocate the EV UI in Firefox 70, which is expected to be released on 22-October. Details below. Just out of interest, how are the CAs taking this? If there's no

Re: [FORGED] Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-13 Thread Man Ho via dev-security-policy
For EV certificate being useful in email, email client software should give a special EV treatment to such certificate.  I am not aware of any email client software that supports any special EV treatment at all.  Do you have more information to share with us? -- Man Ho On 13-Aug-19 5:12 PM,

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-13 Thread Jakob Bohm via dev-security-policy
DO NOT SHIP THIS. Revert the change immediately and request a CVE number for the nightlies with this change included. That Chrome does something harmful is not surprising, and is no justification for a supposedly independent browser to do the same. A policy of switching from positive to