Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Nick Lamb via dev-security-policy
On Wed, 28 Aug 2019 11:51:37 -0700 (PDT) Josef Schneider via dev-security-policy wrote: > Not legally probably and this also depends on the jurisdiction. Since > an EV cert shows the jurisdiction, a user can draw conclusions from > that. Yes it is true that crimes are illegal. This has not

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Jakob Bohm via dev-security-policy
On 29/08/2019 10:58, Nick Lamb wrote: > On Wed, 28 Aug 2019 11:51:37 -0700 (PDT) > Josef Schneider via dev-security-policy > wrote: > >> Not legally probably and this also depends on the jurisdiction. Since >> an EV cert shows the jurisdiction, a user can draw conclusions from >> that. > > Yes

Re: Symantec migration update

2019-08-29 Thread Jakob Bohm via dev-security-policy
Note that while not used by Mozilla, the Time Stamping Authority services formerly owned by Symantec have some unique business continuity requirements: 1. Time stamp signatures, by their very purpose, need to remain valid and trusted for decades after signing, even if no more signatures are

Re: DigiCert OCSP services returns 1 byte

2019-08-29 Thread Peter Bowen via dev-security-policy
On Thu, Aug 29, 2019 at 10:38 AM Ryan Sleevi via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Thu, Aug 29, 2019 at 1:15 PM Jeremy Rowley via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > Thanks for posting this Curt. We investigated and

RE: Symantec migration update

2019-08-29 Thread Jeremy Rowley via dev-security-policy
Yeah - these types of weird continuity requirements are all over the place and the reason the consolidation has taken this long. A lot of the effort has been trying to figure out how to replace things tied to old hardware with updated systems, essentially rebuilding things (like the timestamp

RE: DigiCert OCSP services returns 1 byte

2019-08-29 Thread Jeremy Rowley via dev-security-policy
Thanks for posting this Curt. We investigated and posted an incident report on Bugzilla. The root cause was related to pre-certs and an error in generating certificates for them. We're fixing the issue (should be done shortly). I figured it'd be good to document here why pre-certs fall under

Re: DigiCert OCSP services returns 1 byte

2019-08-29 Thread Ryan Sleevi via dev-security-policy
On Thu, Aug 29, 2019 at 1:15 PM Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Thanks for posting this Curt. We investigated and posted an incident > report on Bugzilla. The root cause was related to pre-certs and an error in > generating certificates for

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Lee via dev-security-policy
On 8/29/19, Nick Lamb via dev-security-policy wrote: > On Wed, 28 Aug 2019 11:51:37 -0700 (PDT) > Josef Schneider via dev-security-policy > wrote: > >> Not legally probably and this also depends on the jurisdiction. Since >> an EV cert shows the jurisdiction, a user can draw conclusions from >>

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Nick Lamb via dev-security-policy
On Thu, 29 Aug 2019 17:05:43 +0200 Jakob Bohm via dev-security-policy wrote: > The example given a few messages above was a different jurisdiction > than those two easily duped company registries. I see. Perhaps Vienna, Austria has a truly exemplary registry when it comes to such things. Do you

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Kirk Hall via dev-security-policy
This string is about Mozilla’s announced plan to remove the EV UI from Firefox in October. Over time, this will tend to eliminate confirmed identity information about websites from the security ecosystem, as EV website owners may decide it’s not worth using an EV certificate if browsers

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Ryan Sleevi via dev-security-policy
On Thu, Aug 29, 2019 at 5:18 PM Kirk Hall via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > In this case, the use of EV certificates, and the presumption of > > reputation, would lead to actively worse security. > > > > Did I misunderstand the scenario? > > Don't argue

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Kirk Hall via dev-security-policy
On Thursday, August 29, 2019 at 3:10:49 PM UTC-7, Ryan Sleevi wrote: > On Thu, Aug 29, 2019 at 5:18 PM Kirk Hall via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > > In this case, the use of EV certificates, and the presumption of > > > reputation, would lead to

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Josef Schneider via dev-security-policy
Am Donnerstag, 29. August 2019 10:59:40 UTC+2 schrieb Nick Lamb: > On Wed, 28 Aug 2019 11:51:37 -0700 (PDT) > Josef Schneider via dev-security-policy > wrote: > > > Not legally probably and this also depends on the jurisdiction. Since > > an EV cert shows the jurisdiction, a user can draw

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Lee via dev-security-policy
On 8/29/19, Nick Lamb wrote: > On Thu, 29 Aug 2019 13:33:26 -0400 > Lee via dev-security-policy > wrote: > >> That it isn't my financial institution. Hopefully I'd have the >> presence of mind to save the fraud site cert, but I'd either find the >> business card of the person I've been dealing

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Kirk Hall via dev-security-policy
On Thursday, August 29, 2019 at 12:17:22 PM UTC-7, Ryan Sleevi wrote: > On Thu, Aug 29, 2019 at 2:49 PM Kirk Hall via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > Sure, I’m happy to explain, using Bank of America as an example. > > > Kirk, > > Thanks for

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Ian Carroll via dev-security-policy
On Thursday, August 29, 2019 at 11:49:16 AM UTC-7, Kirk Hall wrote: > On Thursday, August 29, 2019 at 11:01:27 AM UTC-7, Jonathan Rudenberg wrote: > > On Thu, Aug 29, 2019, at 13:39, Kirk Hall via dev-security-policy wrote: > > > This string is about Mozilla’s announced plan to remove the EV UI

RE: DigiCert OCSP services returns 1 byte

2019-08-29 Thread Jeremy Rowley via dev-security-policy
Let me try that again since I didn't explain my original post very well. Totally worth it since I got a sweet Yu-gi-oh reference out of it. What happened at DigiCert is that the OCSP service failed to return a signed response for a certificate where a pre-certificate existed by a certificate

Re: DigiCert OCSP services returns 1 byte

2019-08-29 Thread Jeremy Rowley via dev-security-policy
Oh, I wasn't arguing that this isn't an issue. The opposite in fact. I was documenting why it is an issue, i.e., that a CA can't argue this isn't a compliance concern. It comes up a lot but I don't remember seeing it here. From: Ryan Sleevi Sent: Thursday, August 29, 11:38 AM Subject: Re: DigiCert

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Jonathan Rudenberg via dev-security-policy
On Thu, Aug 29, 2019, at 13:39, Kirk Hall via dev-security-policy wrote: > This string is about Mozilla’s announced plan to remove the EV UI from > Firefox in October. Over time, this will tend to eliminate confirmed > identity information about websites from the security ecosystem, as EV >

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Jakob Bohm via dev-security-policy
On 29/08/2019 19:47, Nick Lamb wrote: > On Thu, 29 Aug 2019 17:05:43 +0200 > Jakob Bohm via dev-security-policy > wrote: > >> The example given a few messages above was a different jurisdiction >> than those two easily duped company registries. > > I see. Perhaps Vienna, Austria has a truly

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Nick Lamb via dev-security-policy
On Thu, 29 Aug 2019 13:33:26 -0400 Lee via dev-security-policy wrote: > That it isn't my financial institution. Hopefully I'd have the > presence of mind to save the fraud site cert, but I'd either find the > business card of the person I've been dealing with there or find an > old statement,

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Kirk Hall via dev-security-policy
On Thursday, August 29, 2019 at 11:01:27 AM UTC-7, Jonathan Rudenberg wrote: > On Thu, Aug 29, 2019, at 13:39, Kirk Hall via dev-security-policy wrote: > > This string is about Mozilla’s announced plan to remove the EV UI from > > Firefox in October. Over time, this will tend to eliminate

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Ryan Sleevi via dev-security-policy
On Thu, Aug 29, 2019 at 2:49 PM Kirk Hall via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Sure, I’m happy to explain, using Bank of America as an example. Kirk, Thanks for providing this example. Could you help me understand how it helps determine that things are

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread James Burton via dev-security-policy
These so called "extended" validation vetting checks on companies for extended validation certificates are supposed to provide the consumer on the website with a high level of assurance that the company has been properly validated but the fact is that these so called "extended" validation vetting

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Ronald Crane via dev-security-policy
On 8/29/2019 11:07 AM, Nick Lamb via dev-security-policy wrote: ... If you _work_ for such an institution [e.g., a bank], the best thing you could do to protect your customers against Phishing, a very popular attack that TLS is often expected to mitigate, is offer WebAuthn You also could

Re: DigiCert OCSP services returns 1 byte

2019-08-29 Thread Jeremy Rowley via dev-security-policy
Yes. That was the point of my post. There is a requirement to return an OCSP response for a pre-cert where the cert hasn't issued because of the Mozilla policy. Hence our failure was a Mozilla policy violation even if no practical system can use the response because no actual cert (without a

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Ryan Sleevi via dev-security-policy
On Thu, Aug 29, 2019 at 8:54 PM Kirk Hall via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > What the heck does it mean when sometimes you say you are posting "in a > personal capacity" and sometimes you don't? It sounds like you were very prescient in your inability to

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Ryan Sleevi via dev-security-policy
On Thu, Aug 29, 2019 at 6:26 PM Kirk Hall via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > Could you point to the browsing phishing filters and anti-phishing > services > > that do? It might be an opportunity for you to find out how they deal > with > > this, and report

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Kirk Hall via dev-security-policy
On Thursday, August 29, 2019 at 5:07:03 PM UTC-7, Ryan Sleevi wrote: > On Thu, Aug 29, 2019 at 6:26 PM Kirk Hall via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > > Could you point to the browsing phishing filters and anti-phishing > > services > > > that do? It

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Kirk Hall via dev-security-policy
On Thursday, August 29, 2019 at 5:28:29 PM UTC-7, Ryan Sleevi wrote: > On Thu, Aug 29, 2019 at 8:23 PM Kirk Hall via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > On Thursday, August 29, 2019 at 5:07:03 PM UTC-7, Ryan Sleevi wrote: > > > On Thu, Aug 29, 2019 at 6:26

2019.08.28 Let’s Encrypt OCSP Responder Returned “Unauthorized” for Some Precertificates

2019-08-29 Thread Jacob Hoffman-Andrews via dev-security-policy
Also filed at https://bugzilla.mozilla.org/show_bug.cgi?id=1577652 On 2019.08.28 we read Apple’s bug report at https://bugzilla.mozilla.org/show_bug.cgi?id=1577014 about DigiCert’s OCSP responder returning incorrect results for a precertificate. This prompted us to run our own investigation.

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Ryan Sleevi via dev-security-policy
On Thu, Aug 29, 2019 at 8:23 PM Kirk Hall via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Thursday, August 29, 2019 at 5:07:03 PM UTC-7, Ryan Sleevi wrote: > > On Thu, Aug 29, 2019 at 6:26 PM Kirk Hall via dev-security-policy < > >

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Matt Palmer via dev-security-policy
On Thu, Aug 29, 2019 at 02:14:10PM -0700, Kirk Hall via dev-security-policy wrote: > For EV certificates, the appeal for website owners over the past 10 years > has been that they get a distinctive EV UI that they believe protects > their consumers and their brands (again, don't argue with me but

Representing one's employer

2019-08-29 Thread Peter Bowen via dev-security-policy
(forking this to a new subject) On Thu, Aug 29, 2019 at 5:54 PM Kirk Hall via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > What the heck does it mean when sometimes you say you are posting "in a > personal capacity" and sometimes you don't? To me, it always appears that