RE: Certificates with metadata-only subject fields

2017-08-10 Thread Jeremy Rowley via dev-security-policy
...@lists.mozilla.org Subject: RE: Certificates with metadata-only subject fields On this particular issue, it's questionable whether these are a violation of a strict reading of the BRs. Section 7.1.4.2.2(i) defines the OU field. Section 7.1.4.2.2(j) defines "Any other subject". Section 7

RE: Certificates with metadata-only subject fields

2017-08-10 Thread Jeremy Rowley via dev-security-policy
, 2017 12:24 PM To: Jeremy Rowley <jeremy.row...@digicert.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Certificates with metadata-only subject fields Can you provide an example of what you believe is a bigger issue that has been masked? Otherwise, it sounds like you're

RE: Certificates with metadata-only subject fields

2017-08-10 Thread Jeremy Rowley via dev-security-policy
metadata. From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Thursday, August 10, 2017 12:24 PM To: Jeremy Rowley <jeremy.row...@digicert.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Certificates with metadata-only subject fields Can you provide an example of wh

RE: Certificates with metadata-only subject fields

2017-08-10 Thread Jeremy Rowley via dev-security-policy
to:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Alex Gaynor via dev-security-policy Sent: Thursday, August 10, 2017 7:20 AM To: Ryan Sleevi <r...@sleevi.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Certificates with metadata-only

Re: Certificates with metadata-only subject fields

2017-08-10 Thread Ryan Sleevi via dev-security-policy
> From: dev-security-policy > [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of David E. Ross via dev-security-policy > Sent: Wednesday, August 9, 2017 4:35 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: R

RE: Certificates with metadata-only subject fields

2017-08-10 Thread Jeremy Rowley via dev-security-policy
Of David E. Ross via dev-security-policy Sent: Wednesday, August 9, 2017 4:35 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Certificates with metadata-only subject fields On 8/9/2017 2:54 PM, Jonathan Rudenberg wrote: > >> On Aug 9, 2017, at 17:50, Peter Bowen <pzbo.

Re: Certificates with metadata-only subject fields

2017-08-10 Thread Alex Gaynor via dev-security-policy
As a friend of mine sagely points out, fundamentally the current incentives for a CA are, "Issuing certs gets us money, not issuing certs does not get us anything". That's an incentive structure that badly needs correction -- CAs should be accountable for what they issue. Without speaking to

Re: Certificates with metadata-only subject fields

2017-08-09 Thread Jonathan Rudenberg via dev-security-policy
> On Aug 9, 2017, at 18:34, David E. Ross via dev-security-policy > wrote: > > On 8/9/2017 2:54 PM, Jonathan Rudenberg wrote: >> >>> On Aug 9, 2017, at 17:50, Peter Bowen wrote: >>> >>> The point of certlint was to help identify

Re: Certificates with metadata-only subject fields

2017-08-09 Thread David E. Ross via dev-security-policy
On 8/9/2017 2:54 PM, Jonathan Rudenberg wrote: > >> On Aug 9, 2017, at 17:50, Peter Bowen wrote: >> >> The point of certlint was to help identify issues. While I appreciate >> it getting broad usage, I don't think pushing for revocation of every >> certificate that trips any

Re: Certificates with metadata-only subject fields

2017-08-09 Thread Jonathan Rudenberg via dev-security-policy
> On Aug 9, 2017, at 17:50, Peter Bowen wrote: > > The point of certlint was to help identify issues. While I appreciate > it getting broad usage, I don't think pushing for revocation of every > certificate that trips any of the Error level checks is productive. I agree,

Re: Certificates with metadata-only subject fields

2017-08-09 Thread Peter Bowen via dev-security-policy
lists.mozilla.org] > On Behalf Of Jonathan Rudenberg via dev-security-policy > Sent: Wednesday, August 9, 2017 10:08 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Certificates with metadata-only subject fields > > Baseline Requirements section 7.1.4.2.2(j)

RE: Certificates with metadata-only subject fields

2017-08-09 Thread Jeremy Rowley via dev-security-policy
:08 AM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Certificates with metadata-only subject fields Baseline Requirements section 7.1.4.2.2(j) says: > All other optional attributes, when present within the subject field, MUST > contain information that has been verified by

Certificates with metadata-only subject fields

2017-08-09 Thread Jonathan Rudenberg via dev-security-policy
Baseline Requirements section 7.1.4.2.2(j) says: > All other optional attributes, when present within the subject field, MUST > contain information that has been verified by the CA. Optional attributes > MUST NOT contain metadata such as ‘.’, ‘‐‘, and ‘ ‘ (i.e. space) characters, > and/or any