Re: DRAFT: May CA Communication

2014-05-02 Thread Peter Bowen
On Fri, May 2, 2014 at 1:09 PM, Kathleen Wilson kwil...@mozilla.com wrote: On 5/2/14, 11:17 AM, Peter Bowen wrote: On Fri, May 2, 2014 at 10:05 AM, Kathleen Wilson kwil...@mozilla.com wrote: In regards to action #5, I think we need to add another option to allow CAs to specify if they have

EKUs covered in the Mozilla CA Program

2014-05-12 Thread Peter Bowen
Is there a list of Extended Key Usages that are within scope for the Mozilla CA Program? The definition for technically constrained indicates that the CA certificates must include all EKUs that the CA is authorized to issue certificates for. I assume if the only included EKUs are not in scope

Re: [SPAM] Re: EKUs covered in the Mozilla CA Program

2014-05-13 Thread Peter Bowen
On Tue, May 13, 2014 at 6:27 AM, Rob Stradling rob.stradl...@comodo.com wrote: On 13/05/14 14:10, Gervase Markham wrote: On 13/05/14 03:22, Peter Bowen wrote: Is there a list of Extended Key Usages that are within scope for the Mozilla CA Program? I hope I can get this right... I believe

Re: EKUs covered in the Mozilla CA Program

2014-05-13 Thread Peter Bowen
On Tue, May 13, 2014 at 11:45 AM, David Keeler dkee...@mozilla.com wrote: On 05/13/2014 06:48 AM, Peter Bowen wrote: I think the biggest question probably is id-kp-clientAuth. From a quick scan of the NSS certdb code, it seems that setting this EKU in a CA cert would allow it to issue

Re: EKUs covered in the Mozilla CA Program

2014-05-14 Thread Peter Bowen
On Wed, May 14, 2014 at 2:25 AM, Gervase Markham g...@mozilla.org wrote: On 13/05/14 14:48, Peter Bowen wrote: I would add the old Netscape Step-Up/SGC (2.16.840.1.113730.4.1) and any EKU (2.5.29.37.0) to the list as well. The point of the bug I reference is that we'd like to stop caring

Re: New wiki page on certificate revocation plans

2014-08-05 Thread Peter Bowen
On Tue, Aug 5, 2014 at 2:02 AM, Gervase Markham g...@mozilla.org wrote: On 04/08/14 18:16, Erwann Abalea wrote: OCSP is painful and costly to optimize, x509labs shows great availability and good performance for most CA/location combination, but this is in contradiction with real user

Re: Audits of CA conformance to the BRs

2014-08-13 Thread Peter Bowen
On Wed, Aug 13, 2014 at 11:16 AM, Kathleen Wilson kwil...@mozilla.com wrote: 2) BR point-in-time audits may not be sufficient. https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Time_Frames_for_included_CAs_to_comply_with_the_new_policy Any Certificate Authority being considered for root

Re: Wildcard cert, no intermediate

2014-08-20 Thread Peter Bowen
On Wed, Aug 20, 2014 at 1:55 PM, fhw...@gmail.com wrote: I've encountered a wildcard end-entity certificate on a live server that chains directly to the root cert. There is no intermediate certificate and the root is in the Mozilla trust store. I assume this is a frowned upon practice that

Re: Allow Redaction of issues detailed in BR Audit statements?

2014-08-26 Thread Peter Bowen
On Tue, Aug 26, 2014 at 11:35 AM, Kathleen Wilson kwil...@mozilla.com wrote: I am running into a problem with BR audit statements that list details about issues that have been found. https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Baseline_Requirements ...The first BR audit for each CA and

Re: Allow Redaction of issues detailed in BR Audit statements?

2014-08-26 Thread Peter Bowen
On Tue, Aug 26, 2014 at 1:24 PM, Kathleen Wilson kwil...@mozilla.com wrote: On Tue, Aug 26, 2014 at 1:09 PM, Kathleen Wilson kwil...@mozilla.com wrote: BR 9.5 – 1024-bit certs with validity beyond 2013 (in order to support legacy customer apps) BR 13.2.6 - OCSP giving status “good” for

Re: The case for point in time readiness audits (PITRAs)

2014-09-02 Thread Peter Bowen
On Tue, Sep 2, 2014 at 1:26 PM, Kathleen Wilson kwil...@mozilla.com wrote: -- The BR PITRA shall include a performance audit covering at least one month, or more as determined by the auditor. Does this make sense? A point in time audit would seem to intrinsically not cover a period of

Re: Short-lived certs

2014-09-04 Thread Peter Bowen
On Thu, Sep 4, 2014 at 7:54 AM, Ben Wilson ben.wil...@digicert.com wrote: Options for trying this out might fit under an exception, if one were created, for test, experimental, temporary, pilot, provisional, etc. certificate types. Ben, I think there is value in allowing some level of

Re: Organization info in certs not being properly recognized by Firefox

2014-10-27 Thread Peter Bowen
On Mon, Oct 27, 2014 at 10:58 AM, John Nagle na...@sitetruth.com wrote: On 27/10/14 08:16, Ryan Sleevi wrote: snip If you're trusting certificates to assert information about either the identity of the entity behind the key or that the CA has done due diligence, well, you're using certificates

Re: [Cryptography] New free TLS CA coming

2014-11-19 Thread Peter Bowen
On Wed, Nov 19, 2014 at 11:27 PM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: Mark Atwood m...@mark.atwood.name writes: So Mozilla et al have been giving CAcert the runaround for over 4 years now, and then suddenly they create a more centralized less audited Let's Encrypt shows up, and it's

Re: Updating Peers of Mozilla's CA Certificates and CA Certificate Policy modules

2015-02-07 Thread Peter Bowen
On Fri, Feb 6, 2015 at 2:15 PM, Kathleen Wilson kwil...@mozilla.com wrote: On 2/6/15 1:52 PM, Peter Bowen wrote: Can you clarify the definition of peer in this context? In other modules, it means someone who can approve changes without further approval. I envision that the migration

Removed roots

2015-02-07 Thread Peter Bowen
There are currently spreadsheets for roots that are included in the Mozilla trust store and roots have applied to be in the trust store. Is there any tracking of roots that were removed? How about any time one of the trust bits or EV policy IDs are removed? (I'm not sure that the later has ever

Re: Second Discussion of KIR S.A. Root Inclusion Request

2015-02-09 Thread Peter Bowen
On Mon, Feb 9, 2015 at 4:19 PM, Ryan Sleevi ryan-mozdevsecpol...@sleevi.com wrote: Section 3.2.2 describes a means for validating domain ownership that is not described within Section 11.1.1 of the BR 1.2.3. In particular, it uses the WHOIS information (described in 11.1.1 p3) in conjunction

Re: Certificate Profiles

2015-03-15 Thread Peter Bowen
[mailto:dev-security-policy- bounces+steve.roylance=globalsign@lists.mozilla.org] On Behalf Of Peter Bowen Sent: 15 March 2015 00:59 To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Certificate Profiles I've been trying to figure out what is required, forbidden, and optional for X.509

Re: Certificate Profiles

2015-03-16 Thread Peter Bowen
On Mon, Mar 16, 2015 at 1:04 PM, Erwann Abalea eaba...@gmail.com wrote: Le lundi 16 mars 2015 19:30:47 UTC+1, Peter Bowen a écrit : On Mon, Mar 16, 2015 at 10:52 AM, Erwann Abalea eaba...@gmail.com wrote: Le dimanche 15 mars 2015 01:59:10 UTC+1, Peter Bowen a écrit : I've been trying

Re: Removed roots

2015-03-18 Thread Peter Bowen
On Wed, Mar 18, 2015 at 4:04 PM, Kathleen Wilson kwil...@mozilla.com wrote: On 2/7/15 3:02 PM, Peter Bowen wrote: There are currently spreadsheets for roots that are included in the Mozilla trust store and roots have applied to be in the trust store. Is there any tracking of roots that were

Re: Propose Removal of E-Guven root

2015-03-19 Thread Peter Bowen
On Thu, Mar 19, 2015 at 4:39 PM, David Keeler dkee...@mozilla.com wrote: On 03/19/2015 01:01 PM, Peter Bowen wrote: Given this ratio, I find it very hard to believe that they would be able to receive an audit report without qualifications that Mozilla would deem unacceptable. Maybe I'm

Re: Propose Removal of E-Guven root

2015-03-19 Thread Peter Bowen
On Wed, Mar 18, 2015 at 12:40 PM, Kathleen Wilson kwil...@mozilla.com wrote: I propose removing the following root cert from NSS, due to inadequate audit statements. Issuer: CN = e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi O = Elektronik Bilgi Guvenligi A.S. C = TR In the Pilot CT

Re: Certificate Profiles

2015-03-16 Thread Peter Bowen
On Mon, Mar 16, 2015 at 10:52 AM, Erwann Abalea eaba...@gmail.com wrote: Le dimanche 15 mars 2015 01:59:10 UTC+1, Peter Bowen a écrit : I've been trying to figure out what is required, forbidden, and optional for X.509 certificates that conform to the Mozilla requirements. It isn't all

Require separation between Issuing CAs and Policy CAs

2015-03-24 Thread Peter Bowen
Today the Mozilla CA policy and the CAB Forum categorize CAs as either Root CAs or Intermediate CAs. However the reality is that the line is not always clear between the two and this leads to uncertainty of what requirements apply in various circumstances. For example, the Baseline Requirements

Re: 答复: Consequences of mis-issuance under CNNIC

2015-03-24 Thread Peter Bowen
Anyin, It seems that the mailing list strips attachments. I copied the ones you attached to this message a shared location. They are at: https://pzb-public-files.s3-us-west-2.amazonaws.com/B1.pdf https://pzb-public-files.s3-us-west-2.amazonaws.com/B2.pdf Thanks, Peter On Mon, Mar 23, 2015 at

Re: 答复: Consequences of mis-issuance under CNNIC

2015-03-25 Thread Peter Bowen
On Wed, Mar 25, 2015 at 10:10 AM, Kathleen Wilson kwil...@mozilla.com wrote: All, I appreciate your thoughtful and constructive feedback on this situation. The suggestions regarding the CNNIC root certificates that I've interpreted from this discussion are as follows. These are listed in no

Re: 答复: Consequences of mis-issuance under CNNIC

2015-03-25 Thread Peter Bowen
On Wed, Mar 25, 2015 at 12:20 PM, Gervase Markham g...@mozilla.org wrote: On 25/03/15 17:45, Ryan Sleevi wrote: That is, in a hypothetical world where E1 is pursued (for any CA), the CA can simply backdate the certificate. They'd be non-compliant with the Baseline Requirements, presumably, but

Re: 答复: Consequences of mis-issuance under CNNIC

2015-03-25 Thread Peter Bowen
On Wed, Mar 25, 2015 at 1:32 PM, Daniel Micay danielmi...@gmail.com wrote: B) Take away EV treatment (green bar) from the China Internet Network Information Center EV Certificates Root certificate. Note that the CNNIC ROOT certificate is not enabled for EV treatment. The lock indicating a

Re: Consequences of mis-issuance under CNNIC

2015-03-30 Thread Peter Bowen
On Mon, Mar 30, 2015 at 2:22 PM, jjo...@mozilla.com wrote: On Monday, March 30, 2015 at 8:34:47 AM UTC-7, Richard Barnes wrote: As a compromise, however, I would be willing to add the CNNIC intermediates to the Mozilla root list (F). [...] Rather, we should plan to remove them after a fixed

Re: address prefixes allowed for domain control validation

2015-03-22 Thread Peter Bowen
On Sun, Mar 22, 2015 at 4:18 PM, Kathleen Wilson kwil...@mozilla.com wrote: admin@domain administrator@domain webmaster@domain hostmaster@domain postmaster@domain What do you all think? (Note this is also in Baseline Requirements section 11.1.1) It is hard to know

RE: TurkTrust Root Renewal Request

2015-02-25 Thread Peter Bowen
Steve, Unless Peter is a member of the forum, the public list is a black hole, as only members can post. The alternative, the questions list, is not publicly readable, so is also a bad choice for open discussion. Therefore, while this thread is not the appropriate place, this forum is probably

Re: How to become a trusted root CA for SSL Certificates

2015-02-21 Thread Peter Bowen
On Tue, Feb 17, 2015 at 7:25 AM, Framarti francescomartin...@gmail.com wrote: i'm working for a company that is issuing trusted SSL OV certificates as a subsidiary CA. I was thinking about becoming a trusted root CA in order to get rid of the fees per each issued certificate to be given to

Re: Consequences of mis-issuance under CNNIC

2015-03-25 Thread Peter Bowen
On Wed, Mar 25, 2015 at 6:24 PM, Peter Kurrasch fhw...@gmail.com wrote: Someone correct me if I'm wrong, but my understanding of the Superfish debacle is that sites that have EV certs would get the green bar treatment on other devices but not on the Lenovo devices where Superfish was

Re: address prefixes allowed for domain control validation

2015-03-23 Thread Peter Bowen
On Mon, Mar 23, 2015 at 9:41 AM, Robin Alden ro...@comodo.com wrote: I wonder if the current publicity will lead all webmail providers to do a review, and then we won't see any further problems... That would be nice! Pertaining to Peter Bowen's suggestion that some CAs who use email

Re: Consequences of mis-issuance under CNNIC

2015-03-23 Thread Peter Bowen
On Mon, Mar 23, 2015 at 3:47 PM, Richard Barnes rbar...@mozilla.com wrote: It has been discovered that an intermediate CA under the CNNIC root has mis-issued certificates for some Google domains. Full details can be found in blog posts by Google [0] and Mozilla [1]. We would like to discuss

Re: Consequences of mis-issuance under CNNIC

2015-03-23 Thread Peter Bowen
On Mon, Mar 23, 2015 at 5:50 PM, Kathleen Wilson kwil...@mozilla.com wrote: Peter, Did you read the blog posts? 1) https://blog.mozilla.org/security/2015/03/23/revoking-trust-in-one-cnnic-intermediate-certificate/ 2)

Re: Name-constraining government CAs, or not

2015-05-17 Thread Peter Bowen
On Sun, May 17, 2015 at 5:48 PM, Ryan Sleevi ryan-mozdevsecpol...@sleevi.com wrote: On Sun, May 17, 2015 3:28 pm, Peter Bowen wrote: What if Mozilla puts a simple rule in place? All CAs must either: - Have a WebTrust for BR and ETSI TS 102 042 assessment conducted by a assessor who meets

Re: Name-constraining government CAs, or not

2015-05-17 Thread Peter Bowen
On Sun, May 17, 2015 at 7:59 PM, Ryan Sleevi ryan-mozdevsecpol...@sleevi.com wrote: On Sun, May 17, 2015 6:06 pm, Peter Bowen wrote: I was assuming this discussion was based on the concept that Government CAs did not need to meet all the audit criteria. Otherwise why are we having

Re: Name-constraining government CAs, or not

2015-05-17 Thread Peter Bowen
On Thu, May 14, 2015 at 8:25 AM, Gervase Markham g...@mozilla.org wrote: The topic of name-constraining government CAs, probably to the TLD(s) of their territory(ies), has come up numerous times. I'd like to try and hash out, once and for all, whether we think this is actually a good idea, so

Re: Consequences of mis-issuance under CNNIC

2015-04-02 Thread Peter Bowen
On Thu, Apr 2, 2015 at 7:34 AM, Phillip Hallam-Baker ph...@hallambaker.com wrote: Further no private key should ever be in a network accessible device unless the following apply: 1) There is a path length constraint that limits issue to EE certs. 2) It is an end entity certificate. Perhaps

Re: Name-constraining government CAs, or not

2015-06-12 Thread Peter Bowen
On Fri, Jun 12, 2015 at 3:46 PM, Tom Ritter t...@ritter.vg wrote: Are https://technet.microsoft.com/en-us/library/cc751157.aspx and http://aka.ms/auditreqs the MSFT components (previously?) under NDA? The published requirements are not under NDA. Microsoft released a draft version under NDA

Publicly disclosed and audited policy

2015-06-15 Thread Peter Bowen
The Mozilla CA Certificate policy says that all certificates which are capable of being used to issue new certificates must either be technically constrained or be publicly disclosed and audited. For certificates in the latter category, there are several requirements. I'm hoping to get clarity

Re: Name-constraining government CAs, or not

2015-05-31 Thread Peter Bowen
On Sun, May 31, 2015 at 3:43 PM, Ryan Sleevi ryan-mozdevsecpol...@sleevi.com wrote: On Sat, May 30, 2015 2:47 pm, Brian Smith wrote: IIRC, in the past, we've seen CAs that lapse in compliance with Mozilla's CA policies and that have claimed they cannot do the work to become compliant again

Re: WoSign Root Renewal Request

2015-06-29 Thread Peter Bowen
On Mon, Jun 29, 2015 at 8:38 AM, Jesus F jesusfigueroaala...@gmail.com wrote: The CRL downloaded on june 29th from http://crls8.wosign.com/ca8-ssl4.crl (CRL distribution point in https://root5evtest.wosign.com certificate) has a CRL number of 00. It also applies for the CRL downloaded on the

Re: Letter from US House of Representatives

2015-07-06 Thread Peter Bowen
Thinking about this from a technical perspective, rather than a political one, this seems very similar to a user deciding to add additional certificates to their trust store. I think the primary differences are the need to add a set of certificates and possibly automatically update the list. If

Re: Automated the Included CA List

2015-08-04 Thread Peter Bowen
On Tue, Aug 4, 2015 at 1:17 PM, Kathleen Wilson kwil...@mozilla.com wrote: The Included CAs list is now being automatically generated directly from Salesforce: https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReport If everyone is OK with this new report, I will change

Re: Updating Mozilla's CA Certificate Policy

2015-08-24 Thread Peter Bowen
On Thu, Aug 20, 2015 at 11:12 AM, Kathleen Wilson kwil...@mozilla.com wrote: It's time to begin discussions about updating Mozilla's CA Certificate Policy. A list of the things to consider changing is here: https://wiki.mozilla.org/CA:CertPolicyUpdates#Consider_for_Version_2.3 Please review

Re: Clarify that a ccTLD is not acceptable in permittedSubtrees

2015-11-11 Thread Peter Bowen
On Wed, Nov 11, 2015 at 12:21 AM, Adriano Santoni wrote: > The issue I raised is not whether ccTLD are allowed in the BRs (they > apparently are, to date) or what kind of entity could be allowed a ccTLD in > their SubCA certificate's permittedSubtrees. > > My point

Re: Clarify that a ccTLD is not acceptable in permittedSubtrees

2015-11-11 Thread Peter Bowen
On Wed, Nov 11, 2015 at 3:11 AM, Gervase Markham wrote: > "Presence on the ICANN section of the list" gets closer, but this > doesn't solve the brand-TLD problem. > > Ideally, we would know which TLDs were public-registration and which > were not; ICANN has made noises about

Re: [FORGED] Name issues in public certificates

2015-11-17 Thread Peter Bowen
On Tue, Nov 17, 2015 at 5:31 AM, Rob Stradling <rob.stradl...@comodo.com> wrote: > On 17/11/15 08:25, Peter Gutmann wrote: >> >> Peter Bowen <pzbo...@gmail.com> writes: >> >>> There are a couple of rules that may create false positives, so please >>

Re: [FORGED] Name issues in public certificates

2015-11-17 Thread Peter Bowen
On Tue, Nov 17, 2015 at 6:12 AM, Richard Wang wrote: > I also found some mistakes for the list: > 1. I see some client certificate in the report that it say the email as common > name is wrong; I filtered for certificates that includes the serverAuth EKU or do not include any

Re: Policy Update Proposal: Remove Code Signing Trust Bit

2015-10-08 Thread Peter Bowen
> On Oct 8, 2015, at 6:27 AM, Peter Kurrasch wrote: > > I will cop to being confused about the Linux situation--I thought some issue > had been identified for one of the distros. > > 1. Impacts to specific products: I had hoped that by now we'd be able to > point to

Re: Letter from US House of Representatives

2015-07-07 Thread Peter Bowen
On Tue, Jul 7, 2015 at 7:51 AM, Richard Barnes rbar...@mozilla.com wrote: To echo Gerv's point: How is the user supposed to evaluate whether to trust the EU list? I was not imagining a first-launch UI to choose, rather an option similar to what is available today for adding CAs. There is a

Re: [FORGED] Name issues in public certificates

2015-11-18 Thread Peter Bowen
On Wed, Nov 18, 2015 at 2:22 AM, Rob Stradling wrote: > I would also like to get clarification on if/when the underscore character > may be used in each of the name types. Your report seems to flag > underscores as always prohibited (I think), but I expect that some CAs

Re: [FORGED] Name issues in public certificates

2015-11-17 Thread Peter Bowen
On Tue, Nov 17, 2015 at 2:40 PM, Rob Stradling wrote: > On 17/11/15 17:54, Kurt Roeckx wrote: >> >> On Tue, Nov 17, 2015 at 05:40:28PM +, Rob Stradling wrote: >>> >>> >>> Great. I tried importing the list into postgres but I couldn't persuade >>> it >>> to accept

Re: [FORGED] Name issues in public certificates

2015-11-17 Thread Peter Bowen
er 17, 2015 2:12 PM > To: Jeremy Rowley > Cc: Richard Wang; mozilla-dev-security-pol...@lists.mozilla.org; Peter Bowen; > Peter Gutmann > Subject: Re: [FORGED] Name issues in public certificates > > On 17/11/15 18:27, Jeremy Rowley wrote: >> Encoding an IP Address in a dNSName i

Re: [FORGED] Name issues in public certificates

2015-11-17 Thread Peter Bowen
d, please check it, thanks. > > The attached certificate is No. 6653, please check its EKU, thanks. > > > Best Regards, > > Richard > > > -Original Message- > From: Peter Bowen [mailto:pzbo...@gmail.com] > Sent: Wednesday, November 18, 2015 12:33 AM > To:

Re: [FORGED] Name issues in public certificates

2015-11-18 Thread Peter Bowen
On Wed, Nov 18, 2015 at 10:25 AM, Ryan Sleevi <ryan-mozdevsecpol...@sleevi.com> wrote: > On Wed, November 18, 2015 8:56 am, Peter Bowen wrote: >> On Wed, Nov 18, 2015 at 2:22 AM, Rob Stradling <rob.stradl...@comodo.com> >> wrote: >> > I would also

Re: Remove Roots used for only Email and CodeSigning?

2015-09-08 Thread Peter Bowen
On Tue, Sep 8, 2015 at 9:13 AM, Jürgen Brauckmann wrote: > Ryan Sleevi schrieb: >> >> I fear that others using the store for S/MIME or code-signing would think >> the same as you. The reality is that this is not the case, which is why >> it's all the more reason to make an

Re: Remove Roots used for only Email and CodeSigning?

2015-09-08 Thread Peter Bowen
On Tue, Sep 8, 2015 at 11:04 AM, Kurt Roeckx wrote: > On Tue, Sep 08, 2015 at 10:58:39AM -0700, Kathleen Wilson wrote: >> 28. Remove Code Signing trust bits. As of Firefox 38, add-ons are signed >> using Mozilla's own roots. There doesn't appear to be anyone else using the >>

Re: Policy Update Proposal: Remove Code Signing Trust Bit

2015-09-10 Thread Peter Bowen
On Thu, Sep 10, 2015 at 3:54 PM, Peter Kurrasch wrote: > It seems to me that the benefits of this proposed change are minimal while > the negative impacts to embedded systems are significant. Perhaps I've > missed something? > > It should be understood that code signing is

Re: Major SSL Root issue...

2015-09-14 Thread Peter Bowen
Sebastien, I apologize, but I don’t follow the issue. What flaw are you reporting? Can you describe in detail the problem? Also, if you think that this is not a publicly known issue, please see https://www.mozilla.org/en-US/security/#For_Developers

Re: Firefox security too strict (HSTS?)?

2015-09-17 Thread Peter Bowen
> On Sep 17, 2015, at 8:29 PM, AnilG wrote: > > On Friday, 18 September 2015 12:29:46 UTC+10, Peter Gutmann wrote: >> base. If you look at Mozilla's own figures at >> https://input.mozilla.org/en-US/, they have a 90% dissatisfaction rating from > > To make my point

Re: Name issues in public certificates

2015-12-09 Thread Peter Bowen
On Wed, Dec 9, 2015 at 9:35 AM, Matthias Hunstock <no-s...@ple4se.org> wrote: > Am 17.11.2015 um 09:04 schrieb Peter Bowen: > >> There are a couple of rules that may create false positives, so please >> don't assume every certificate on the sheet is problematic. > > I

Re: Policy Update Proposal: Timeline for Disclosing SubCAs

2015-12-03 Thread Peter Bowen
On Thu, Dec 3, 2015 at 11:17 AM, Kathleen Wilson <kwil...@mozilla.com> wrote: > On 12/3/15 11:04 AM, Peter Bowen wrote: >> >> On Thu, Dec 3, 2015 at 10:31 AM, Kathleen Wilson <kwil...@mozilla.com> >> wrote: >>>> >>>> On 23/11/15 15:57, Pe

Re: Policy Update Proposal: Timeline for Disclosing SubCAs

2015-12-03 Thread Peter Bowen
On Thu, Dec 3, 2015 at 10:31 AM, Kathleen Wilson <kwil...@mozilla.com> wrote: >> On 23/11/15 15:57, Peter Bowen wrote: >>> >>> I realize that Mozilla carved out allowance for not disclosing, but >>> the CA/Browser Forum did not adopt this, instead only ex

Re: Policy Update Proposal: Timeline for Disclosing SubCAs

2015-12-14 Thread Peter Bowen
On Mon, Dec 14, 2015 at 5:39 PM, Kathleen Wilson wrote: > > Another thing to consider in updating the policy is in regards to test > certificates versus certificates issued to customers. > e.g. Does the disclosure need to happen before test certificates are issued? > Or does

Re: Name issues in public certificates

2015-12-10 Thread Peter Bowen
On Thu, Dec 10, 2015 at 6:07 AM, Matthias Hunstock <no-s...@ple4se.org> wrote: > Am 09.12.2015 um 18:46 schrieb Peter Bowen: > >> Do you have an example where you think IPv6 addresses are not being >> handled correctly? > > Serial 19D70E1B381579 in your document

Re: Nation State MITM CA's ?

2016-01-07 Thread Peter Bowen
On Thu, Jan 7, 2016 at 2:34 PM, David E. Ross <nobody@nowhere.invalid> wrote: > On 1/7/2016 12:29 PM, Kathleen Wilson wrote: >> On 1/7/16 11:15 AM, Peter Bowen wrote: >>> >>> >>> Until such time that they provide this, I don't see how they are any >

Re: [FORGED] Name issues in public certificates

2015-11-18 Thread Peter Bowen
On Wed, Nov 18, 2015 at 5:43 PM, Brian Smith <br...@briansmith.org> wrote: > Peter Bowen <pzbo...@gmail.com> wrote: >> >> 2) For commonName attributes in subject DNs, clarify that they can only >> contain: >> >> - IPv4 address in dotted-decimal notat

Re: [FORGED] Name issues in public certificates

2015-11-20 Thread Peter Bowen
On Fri, Nov 20, 2015 at 9:28 AM, wrote: > Yes, thanks. I had CommonName field in mind and that is limited to 64 > characters but SubjectAltName is completely different when it comes to max > length (even though they both hold a FQDN). I had missed that limitation

Re: Policy Update Proposal: Timeline for Disclosing SubCAs

2015-11-20 Thread Peter Bowen
On Tue, Nov 3, 2015 at 4:24 PM, Kathleen Wilson wrote: > Topic to discuss [1]: > “(D3) Make the timeline clear about when the audit statements and disclosure > has to happen for new audited/disclosed subCAs. > > Section 10 of the Inclusion Policy says: >

Re: Name issues in public certificates

2015-11-19 Thread Peter Bowen
On Thu, Nov 19, 2015 at 4:26 PM, Brian Smith <br...@briansmith.org> wrote: > Peter Bowen <pzbo...@gmail.com> wrote: >> >> Robin Alden <ro...@comodo.com> wrote: >> Given that it doesn't, but that that the BRs say "MUST be either a >>

Re: Name issues in public certificates

2015-11-19 Thread Peter Bowen
On Thu, Nov 19, 2015 at 11:57 AM, Robin Alden wrote: > Peter said.. >> While I realize that it is not clear cut in many contexts, RFC 5280 is >> rather clear cut. The authors clearly wanted to avoid stumbling and >> being eaten by a grue, so they wrote: >> >>When the
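The name checks debated in the "Name issues in public certificates" threads above (a subject commonName limited to an IP address or a DNS name, the 64-character X.520 bound on commonName that does not apply to dNSName SANs, underscores in labels, e-mail addresses turning up as the commonName of client certificates) can be expressed as a small linter over the commonName string. The following is an added illustrative example; it is not Peter Bowen's certlint, not anything posted in these threads, and it works on the text of a commonName rather than on a parsed certificate. The sample names are constructed. Two rules are this example's own reading of the requirements rather than anything the threads state: a name with fewer than two labels is treated as not fully qualified, and internationalized labels are expected in A-label (xn--) form.

```python
import ipaddress
import re

# RFC 1034/1035 "LDH" label: ASCII letters, digits and hyphen, 1..63 octets,
# with no leading or trailing hyphen. Underscores are deliberately excluded.
LDH_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# X.520 ub-common-name: the commonName attribute is bounded at 64 characters.
# A dNSName SAN has no such bound, which is where a long FQDN belongs.
CN_MAX_LEN = 64


def classify_common_name(cn):
    """Classify a subject commonName string the way a name linter would.

    Returns (kind, problems): kind is "ipv4", "ipv6", "dnsName" or
    "wildcardDnsName"; problems is a list of human-readable findings
    (empty when the value is acceptable).
    """
    problems = []
    if len(cn) > CN_MAX_LEN:
        problems.append("commonName longer than %d characters" % CN_MAX_LEN)

    # Accept dotted-decimal IPv4 or RFC 4291 IPv6 text. This runs first so
    # that "2001:db8::1" is not misread as one DNS label containing colons.
    try:
        addr = ipaddress.ip_address(cn)
    except ValueError:
        addr = None
    if addr is not None:
        return ("ipv%d" % addr.version, problems)

    # Otherwise the value must be a DNS name: dot-separated LDH labels,
    # optionally preceded by a single leftmost "*" wildcard label.
    labels = cn.split(".")
    kind = "dnsName"
    if labels and labels[0] == "*":
        kind = "wildcardDnsName"
        labels = labels[1:]
        if not labels:
            problems.append("bare wildcard")

    if len(labels) < 2:
        # Assumption of this example: fewer than two labels is not a FQDN
        # (e.g. "localhost" or "intranet"), i.e. an internal name.
        problems.append("not a fully qualified domain name")

    for label in labels:
        if label == "":
            problems.append("empty label (leading, trailing or doubled dot)")
        elif "@" in label:
            problems.append("e-mail address used as commonName")
        elif "_" in label:
            problems.append("underscore in label %r" % label)
        elif "*" in label:
            problems.append("wildcard not in leftmost position")
        elif not label.isascii():
            # Assumption of this example: IDN labels must be A-labels.
            problems.append("non-ASCII label %r; expected an A-label (xn--)" % label)
        elif not LDH_LABEL.match(label):
            problems.append("label %r is not an LDH label" % label)

    return (kind, problems)


def scan(common_names):
    """Run the classifier over many commonName strings; return only the
    entries with findings, as (cn, kind, problems) tuples."""
    findings = []
    for cn in common_names:
        kind, problems = classify_common_name(cn)
        if problems:
            findings.append((cn, kind, problems))
    return findings


# Constructed sample; not taken from any real certificate or from the threads.
SAMPLE_COMMON_NAMES = [
    "www.example.com",
    "*.example.com",
    "192.0.2.1",
    "2001:db8::1",
    "my_host.example.com",
    "alice@example.com",
    "localhost",
    "a" * 61 + ".example.com",   # 73 chars: fine as a dNSName, too long for CN
    "bücher.example",            # U-label; should be xn--bcher-kva.example
]

if __name__ == "__main__":
    for cn, kind, problems in scan(SAMPLE_COMMON_NAMES):
        print("%-40s %-16s %s" % (cn, kind, "; ".join(problems)))
```

Run against a dump of commonName values (one per line), the findings list is the same kind of worksheet the threads discuss; the IP check comes before the DNS-name check on purpose, since otherwise IPv6 text would be reported as a malformed label.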

Re: Policy Update Proposal: Timeline for Disclosing SubCAs

2015-11-23 Thread Peter Bowen
On Tue, Nov 3, 2015 at 4:24 PM, Kathleen Wilson wrote: > Topic to discuss [1]: > “(D3) Make the timeline clear about when the audit statements and disclosure > has to happen for new audited/disclosed subCAs. > > What further clarification needs to be added to Mozilla’s CA

Re: Should we block Blue Coat's 'test' intermediate CA?

2016-05-31 Thread Peter Bowen
On Tue, May 31, 2016 at 9:59 AM, Nick Lamb wrote: > That said, so far as I understand the Mozilla requirement is actually that > such intermediates be disclosed _and audited_. The present disclosure from > Symantec asserts that this intermediate is covered by the same

Re: Job: Is it OK to post a job listing in this forum?

2016-05-27 Thread Peter Bowen
On May 26, 2016, at 3:17 PM, Kathleen Wilson wrote: > I have been asked if it is OK to post job listings in > mozilla.dev.security.policy. Surprisingly, I don't recall ever being asked > that question before, and I am not aware of a written policy about the > content of

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-21 Thread Peter Bowen
On Tue, Jun 21, 2016 at 8:26 AM, Rob Stradling wrote: > Revocation of a "parent intermediate" does not exempt "child intermediates" > from the disclosure requirement, AFAICT. So I think the KBC Group CAs do > need to be disclosed to Salesforce. If all paths from a

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-22 Thread Peter Bowen
I think there are two things getting conflated here: 1) Disclosure of revoked unexpired CA certificates signed by a trusted CA 2) Disclosure of CA certificates signed by CAs that are the subject of #1 Imagine the following hierarchy: Univercert Root CA (in trust store) --(CA Cert A)-->

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-22 Thread Peter Bowen
On Wed, Jun 22, 2016 at 11:19 AM, Ryan Sleevi wrote: > On Wed, Jun 22, 2016 at 8:21 AM, Ben Wilson wrote: >> It seems to me that requiring the registration of these subordinate CAs >> bloats the Salesforce database unnecessarily. > > We've historically

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-20 Thread Peter Bowen
On Fri, Jun 17, 2016 at 4:12 AM, Rob Stradling wrote: > Friendly reminder to all CA representatives: > > Don't forget the June 30th deadline! And don't leave it until the last > minute if you have lots of intermediate certificates to disclose! > >

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-23 Thread Peter Bowen
On Thu, Jun 23, 2016 at 11:45 AM, Ben Wilson wrote: > Another issue that needs to be resolved involves the Federal Bridge CA 2013 > (“Federal Bridge”). When a publicly trusted sub CA cross-certifies the > Federal Bridge, then all of the CAs cross-certified by the

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-23 Thread Peter Bowen
ross-sign issue that Richard linked to? > > -- Eric > > On Thu, Jun 23, 2016 at 4:39 PM, Ben Wilson <ben.wil...@digicert.com> wrote: >> >> That's correct. >> >> -Original Message- >> From: Peter Bowen [mailto:pzbo...@gmail.com] >> Sent: Thurs

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-25 Thread Peter Bowen
On Sat, Jun 25, 2016 at 3:50 AM, Ben Laurie wrote: > On 25 June 2016 at 00:56, Rob Stradling wrote: >> On 24/06/16 14:38, Rob Stradling wrote: >>> >>> I've just updated https://crt.sh/mozilla-disclosures. >>> >>> There's now a separate grouping for

Policy revision proposal - transitive disclosure exception

2016-02-06 Thread Peter Bowen
The Mozilla CA Certificate policy says, in part: "8. All certificates that are capable of being used to issue new certificates, and which directly or transitively chain to a certificate included in Mozilla’s CA Certificate Program, MUST be operated in accordance with Mozilla’s CA Certificate

Re: New requirement: certlint testing

2016-02-08 Thread Peter Bowen
On Mon, Feb 8, 2016 at 12:18 PM, Kathleen Wilson wrote: > We recently added two tests that CAs must perform and resolve errors for > when they are requesting to enable the Websites trust bit for their root > certificate. > > Test 1) Browse to https://crt.sh/ and enter the

Re: New requirement: certlint testing

2016-02-09 Thread Peter Bowen
On Tue, Feb 9, 2016 at 6:55 AM, Erwann Abalea wrote: > Le lundi 8 février 2016 21:43:19 UTC+1, Kathleen Wilson a écrit : >> On 2/8/16 12:22 PM, Kathleen Wilson wrote: >> >> One topic currently under discussion in Bug #1201423 is regarding root >> certificates with serial number

Re: New requirement: certlint testing

2016-02-08 Thread Peter Bowen
On Mon, Feb 8, 2016 at 2:46 PM, Kathleen Wilson wrote: > > Note that I think there are still some things with the certlint tests that > need to be ironed out, before filing bugs for every reported error. I am unaware of anything that is flagged as Fatal or Error on non-CA

More SHA-1 certs

2016-01-31 Thread Peter Bowen
These are all in the last week Sub-CA under SHECA (which has applied to be in the Mozilla program) https://crt.sh/?id=12367776&opt=cablint Sub-CA under DigiCert https://crt.sh/?id=12460684&opt=cablint Sub-CA under Symantec https://crt.sh/?id=12456194&opt=cablint https://crt.sh/?id=12434313&opt=cablint

Re: ComSign Root Renewal Request

2016-01-29 Thread Peter Bowen
Peter, I obviously do not represent ComSign, but several of the items in your list are not really specific to the CPS and instead are more comments on the Mozilla policies. On Fri, Jan 29, 2016 at 4:24 PM, Peter Kurrasch wrote: > * There is a BR from CABF that covers code

Re: OCSP Responders Are An Attack Vector For SHA-1 Collisions

2016-03-09 Thread Peter Bowen
On Wed, Mar 9, 2016 at 12:40 PM, Jakob Bohm wrote: > 1. Use a non-CA OCSP certificate if the relevant clients are known to > support this aspect of the OCSP protocol (I don't know if any OCSP > clients, historic or otherwise, lack this ability). Such an OCSP >

Re: ComSign Root Renewal Request

2016-04-06 Thread Peter Bowen
On Wed, Apr 6, 2016 at 10:58 AM, Kathleen Wilson wrote: > My understanding is that this root certificate is included in both the Apple > and Microsoft root stores and trusted for TLS, so regardless of what > Mozilla's wiki pages say, it is a publicly trusted root

CA ownership (re: Q1 2016 CA communication)

2016-03-22 Thread Peter Bowen
Over the last year or so there seems to be a lot of movement in CA ownership. Would it be worth asking for each root to provide an indication of company/organization ownership? For example, NetLock indicates on their website they were acquired by Docler Holding in 2013. Similarly, TrustWave

Re: A-Trust Root Renewal Request

2016-03-27 Thread Peter Bowen
On Fri, Mar 25, 2016 at 7:33 AM, wrote: > can someone explain to a non security expert, why A-Trust is still not in the > inclusion phase? This bug-report goes over a year now. Is A-Trust not > cooperating promptly and correctly? Is Mozilla working too slow? I really > don't

Re: Request to enable EV for VeriSign Class 3 G4 ECC root

2016-04-21 Thread Peter Bowen
On Thu, Apr 21, 2016 at 9:15 AM, Rick Andrews wrote: > On Thursday, April 21, 2016 at 3:35:55 AM UTC-7, Ryan Sleevi wrote: >> On Wednesday, April 20, 2016 at 5:53:28 PM UTC-7, Matt Palmer wrote: >> > It seems fairly dysfunctional if a single member of the CA/B Forum can

[no subject]

2016-04-29 Thread Peter Bowen
I'm a little confused about the expected scope of audit reports with respect to non-Root issuers. The Mozilla CA policy says: "The term 'subordinate CA' below refers to any organization or legal entity that is in possession or control of a certificate that is capable of being used to issue new

Re: What is the Mozilla Firefox policy concerning SHA-1 Client authentication certificates?

2016-04-27 Thread Peter Bowen
It does to a certain extent. If I have a certificate that uses a 512-bit RSA key and is signed using RSAwithMD2, will Mozilla even attempt to use that certificate for client authentication? On Wed, Apr 27, 2016 at 10:54 AM, Richard Barnes wrote: > For client certificates,

Re: Undisclosed CA certificates

2016-04-27 Thread Peter Bowen
Here is a Google Spreadsheet without the subordinates that have EKU restrictions. I didn't match to SalesForce, so most of these are probably already in there. https://docs.google.com/spreadsheets/d/14lO33nW-tTN86Vq_urmI6IAIWRPZgd1KKfzvrLk5TZQ/edit?usp=sharing On Wed, Apr 27, 2016 at 6:11 PM,

Re: Undisclosed CA certificates

2016-04-27 Thread Peter Bowen
When was the Salesforce data pulled? I see several in that list I entered a while ago. On Wed, Apr 27, 2016 at 5:15 PM, Richard Barnes wrote: > Dear CAs, > > As you guys are working toward the June 30 deadline for disclosing > intermediate certificates in SalesForce, I

Re: Undisclosed CA certificates

2016-04-27 Thread Peter Bowen
d as a guide to CA to help them make sure > they get everything, not to place blame on anyone for being on the list. Of > course, as we get closer to June 30... > > On Wed, Apr 27, 2016 at 8:17 PM, Peter Bowen <pzbo...@gmail.com> wrote: >> >> When was the Salesforce data
