Re: CAs not compliant with CAA CP/CPS requirement

2017-09-09 Thread Andy Warner via dev-security-policy
Google Trust Services published updated CP & CPS versions earlier today covering CAA checking. I'd suggest checking all CAs again tomorrow. Given the range of timezones CA operational staffs operate across, some may not have had a chance to publish their updates yet. In terms of the 'rush' I

Re: Google Trust Services - Minor SCT issue disclosure

2018-08-23 Thread Andy Warner via dev-security-policy
tools to further ensure that we have strong knowledge of the pedigree of all code and how it was built and deployed. On Thu, Aug 23, 2018 at 10:55 AM Nick Lamb wrote: > On Thu, 23 Aug 2018 05:50:05 -0700 (PDT) > Andy Warner via dev-security-policy > wrote: > > > May 21s

Re: Google Trust Services - Minor SCT issue disclosure

2018-08-24 Thread Andy Warner via dev-security-policy
the evolving the code to the point it became more complicated than it needed to be. On Thu, Aug 23, 2018 at 9:40 AM Ryan Sleevi wrote: > > > On Thu, Aug 23, 2018 at 8:50 AM, Andy Warner via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: >> >> * NOTE:

Google Trust Services - Minor SCT issue disclosure

2018-08-23 Thread Andy Warner via dev-security-policy
Please note, Google wrote this report for internal use immediately after the issue. We intended to post it to m.d.s.p at that time, but securing internal approvals took a while and the posting ended-up on the back burner for a bit. It was a minor issue, but we want the community to be aware of

Re: Google Trust Services - Minor SCT issue disclosure

2018-08-23 Thread Andy Warner via dev-security-policy
t; order to help other CAs out, do you think there are testing methodologies > that could have helped catch this earlier? > > Alex > > On Thu, Aug 23, 2018 at 8:50 AM Andy Warner via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> Please no

Google Trust Services - CRL handling of expired certificates not fully compliant with RFC 5280 Section 3.3

2019-08-30 Thread Andy Warner via dev-security-policy
This is an initial report and we expect to provide some additional details and the completion timeline after a bit more verification and full deployment of in-flight mitigations. We are posting the most complete information we have currently to comply with Mozilla reporting timelines and will

Re: Google Trust Services - CRL handling of expired certificates not fully compliant with RFC 5280 Section 3.3

2019-09-13 Thread Andy Warner via dev-security-policy
A quick follow-up to close this out. The push to fully address the issue was completed globally shortly before 16:00 UTC on 2019-09-02. After additional review, we're confident the only certificates affected were these two: https://crt.sh/?id=760396354 https://crt.sh/?id=759833603 Google

Re: DigiCert OCSP services returns 1 byte

2019-09-20 Thread Andy Warner via dev-security-policy
Google Trust Services (GTS) reached out to Wayne directly, but I'm also posting here as the conversation seems to be rapidly converging on solutions. GTS still has reservations that the proposed solutions may be problematic to implement and may leave a number of CAs and one very common CA

Re: DigiCert OCSP services returns 1 byte

2019-09-23 Thread Andy Warner via dev-security-policy
The last thing we intended was for our prior mail to be interpreted as negative and without substance.  That said, it is clear our mail was not received in the light in which it was intended. We would like to rectify that. We have been closely monitoring this thread and as it began to converge

Re: DigiCert OCSP services returns 1 byte

2019-09-23 Thread Andy Warner via dev-security-policy
shorter timeline that needs to be honored for CAA. -- Andy Warner Google Trust Services On Mon, Sep 23, 2019 at 3:57 PM Kurt Roeckx wrote: > On Mon, Sep 23, 2019 at 02:53:26PM -0700, Andy Warner via > dev-security-policy wrote: > > > > 1. The new text added to the Mozilla Recomm

GTS - OCSP serving issue 2020-04-09

2020-04-14 Thread Andy Warner via dev-security-policy
m.d.s.p community, Google Trust Services just filed https://bugzilla.mozilla.org/show_bug.cgi?id=1630040 which contains the same information as the report that follows. >From 2020-04-08 16:25 UTC to 2020-04-09 05:40 UTC, Google Trust Services' EJBCA based CAs (GIAG4, GIAG4ECC, GTSY1-4) served