Dear Ryan!
> From: dev-security-policy On
> Behalf Of Ryan Sleevi via dev-security-policy
> Sent: Friday, 3 July 2020 23:30
> To: Peter Bowen
> Cc: Ryan Sleevi ; Pedro Fuentes ;
> mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: SECURITY RELEVANT FOR CAs: The curious case of the
On Sat, Jul 4, 2020 at 6:22 AM Pedro Fuentes via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Friday, 3 July 2020, 18:18:49 (UTC+2), Ryan Sleevi wrote:
> > Pedro's option is to reissue a certificate for that key, which as you
> point
> > out, keeps the
On Friday, 3 July 2020, 18:18:49 (UTC+2), Ryan Sleevi wrote:
> Pedro's option is to reissue a certificate for that key, which as you point
> out, keeps the continuity of CA controls associated with that key within
> the scope of the audit. I believe this is the heart of Pedro's risk
>
Thanks, Ryan.
I’m happy we now have an understanding in this respect.
Then I’d change the plan that is currently underway. We should have the new CAs
hopefully today. Then I would also do, maybe today, the reissuance of the bad
ones, and I’ll revoke the offending certificates during the period.
Best.
On Sat, Jul 4, 2020 at 9:17 AM Buschart, Rufus
wrote:
> Dear Ryan!
>
> > From: dev-security-policy
> On Behalf Of Ryan Sleevi via dev-security-policy
> > Sent: Friday, 3 July 2020 23:30
> > To: Peter Bowen
> > Cc: Ryan Sleevi ; Pedro Fuentes ;
> mozilla-dev-security-pol...@lists.mozilla.org
Ryan,
I'm moving our particular discussions to Bugzilla.
I just want to clarify, again, that I'm not proposing to delay the revocation
of the offending CA certificate, what I'm proposing is to give more time to the
key destruction. Our position right now, is that the certificate would be
Pedro: I said I understood you, and I thought we were discussing in the
abstract.
I encourage you to reread this thread to understand why such a response
varies on a case by case basis. I can understand your *attempt* to balance
things, but I don’t think it would be at all appropriate to treat
On Sat, Jul 4, 2020 at 11:06 AM Ryan Sleevi via dev-security-policy
wrote:
>
> On Sat, Jul 4, 2020 at 12:52 PM mark.arnott1--- via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > This is insane!
> > Those 300 certificates are used to secure healthcare information
On Friday, July 3, 2020 at 5:30:47 PM UTC-4, Ryan Sleevi wrote:
> On Fri, Jul 3, 2020 at 4:19 PM Peter Bowen wrote:
>
I feel compelled to respond here for the first time even though I have never
participated in CA/B forum proceedings and have never read through a single one
of the 55 BRs that
On Sat, Jul 4, 2020 at 12:52 PM mark.arnott1--- via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> This is insane!
> Those 300 certificates are used to secure healthcare information systems
> at a time when the global healthcare system is strained by a global
> pandemic. I
Dear Mr. Wilson,
Could you please share the risk assessment that you have received from
Mr. Sleevi?
I believe it would be very useful for the CAs to understand the gravity
of the issue.
Sincerely yours,
T.K. (No hat)
On 7/4/2020 12:23 PM, Ryan Sleevi via dev-security-policy wrote:
On Fri,
On Saturday, July 4, 2020 at 3:01:34 PM UTC-4, Peter Bowen wrote:
> On Sat, Jul 4, 2020 at 11:06 AM Ryan Sleevi via dev-security-policy
> wrote:
> One of the challenges is that not everyone in the WebPKI ecosystem has
> aligned around the same view of incidents as learning opportunities.
> This
Just chiming in as another subscriber and relying party, with a view to
speaking to the other subscribers on this topic.
To the extent that your use case is not specifically the WebPKI as pertains
to modern browsers, it was clear to me quite a few years ago and gets
clearer every day: the
Eric Mill via dev-security-policy
writes:
>This is a clear, straightforward statement of perhaps the single biggest core
>issue that limits the agility and security of the Web PKI
That's not the biggest issue by a long shot. The biggest issue is that the
public PKI (meaning public/commercial
On Sat, Jul 4, 2020 at 9:21 PM Peter Gutmann
wrote:
> So the problem isn't "everyone should do what the Web PKI wants, no matter
> how
> inappropriate it is in their environment", it's "CAs (and protocol
> designers)
> need to acknowledge that something other than the web exists and
>
On Sat, Jul 4, 2020 at 9:41 PM Peter Gutmann
wrote:
> Ryan Sleevi writes:
>
> >And they are accommodated - by using something other than the Web PKI.
>
> That's the HTTP/2 "let them eat cake" response again. For all intents and
> purposes, PKI *is* the Web PKI. If it wasn't, people wouldn't be
On Sat, Jul 04, 2020 at 12:51:32PM -0700, Mark Arnott via dev-security-policy
wrote:
> I think that the lack of fairness comes from the fact that the CA/B forum
> only represents the view points of two interests - the CAs and the Browser
> vendors. Who represents the interests of industries and
On Sat, Jul 4, 2020 at 3:15 PM Buschart, Rufus via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> ...especially since many of those millions of certificates are not even
> TLS certificates and their consumers never expected the hard revocation
> deadlines of the BRGs to be
From: Eric Mill
Sent: Sunday, 5 July 2020 00:55
To: Buschart, Rufus (SOP IT IN COR)
Cc: mozilla-dev-security-policy
; r...@sleevi.com;
mark.arno...@gmail.com
Subject: Re: SECURITY RELEVANT FOR CAs: The curious case of the Dangerous
Delegated Responder Cert
On Sat, Jul 4, 2020 at 3:15 PM
On Sat, Jul 04, 2020 at 07:42:12PM -0700, Peter Bowen wrote:
> On Sat, Jul 4, 2020 at 7:12 PM Matt Palmer via dev-security-policy
> wrote:
> >
> > On Sat, Jul 04, 2020 at 08:42:03AM -0700, Mark Arnott via
> > dev-security-policy wrote:
> > > I was informed yesterday that I would have to replace
On Sat, Jul 4, 2020 at 5:32 PM Mark Arnott via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Why aren't we hearing more from the 14 CAs that this affects. Correct me
> if I am wrong, but the CA/B forum has something like 23 members?? An issue
> that affects 14 CAs
On Sat, Jul 4, 2020 at 10:42 PM Peter Bowen via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> As several others have indicated, WebPKI today is effectively a subset
> of the more generic shared PKI. It is beyond time to fork the WebPKI
> from the general PKI and strongly
Thank you Ryan for spending your 4th of July weekend answering my questions!
From my purely technical understanding, without knowing too much about the
history of the discussion between the ETSI community and you nor about the
“Überbau” (superstructure) of the audit schemes, I would believe that most of the
On Saturday, July 4, 2020 at 2:06:53 PM UTC-4, Ryan Sleevi wrote:
> On Sat, Jul 4, 2020 at 12:52 PM mark.arnott1--- via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>
> As part of this, you should re-evaluate certificate pinning. As one of the
> authors of that
Indeed, you’re welcome to do so, but I also don’t think these are easily
adjusted for or corrected. ETSI ESI is trying to solve a different need and
use case, and its structure and design reflect that.
And that’s ok! There’s nothing inherently wrong with that. They are trying
to develop a set of
Dear Mark!
> -----Original Message-----
> From: dev-security-policy On
> Behalf Of Ryan Sleevi via dev-security-policy
> Sent: Saturday, 4 July 2020 20:06
>
> On Sat, Jul 4, 2020 at 12:52 PM mark.arnott1--- via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > This
Ryan Sleevi writes:
>And they are accommodated - by using something other than the Web PKI.
That's the HTTP/2 "let them eat cake" response again. For all intents and
purposes, PKI *is* the Web PKI. If it wasn't, people wouldn't be worrying
about having to reissue/replace certificates that will
On Sat, Jul 04, 2020 at 08:42:03AM -0700, Mark Arnott via dev-security-policy
wrote:
> I was informed yesterday that I would have to replace just over 300
> certificates in 5 days because my CA is required by rules from the CA/B
> forum to revoke its subCA certificate.
The possibility of such an
On Sat, Jul 4, 2020 at 7:12 PM Matt Palmer via dev-security-policy
wrote:
>
> On Sat, Jul 04, 2020 at 08:42:03AM -0700, Mark Arnott via dev-security-policy
> wrote:
> > I was informed yesterday that I would have to replace just over 300
> > certificates in 5 days because my CA is required by