On Tue, Sep 19, 2017 at 3:09 PM, Nick Lamb via dev-security-policy
wrote:
> I have no doubt that this was obvious to people who have worked for a public
> CA, but it wasn't obvious to me, so thank you for answering. I think these
> answers give us good
Hi Inigo,
On 15/09/17 17:30, Inigo Barreira wrote:
> There wasn't a lack of integrity and monitoring, of course not. All PKI logs
> were and are signed, it's just the auditors wanted to add the integrity to
> other systems which is not so clear that should have this enabled. For
> example, if
Hi Franck,
On 18/09/17 15:49, Franck Leroy wrote:
> Our understanding in April was that as long as StartCom is not
> allowed by Certinomis to issue EE certs, the disclosure was not
> mandated immediately.
I think that we need to establish a timeline of the exact events
involved here.
But I
On 15/09/17 15:35, Inigo Barreira wrote:
> No, those weren't tests. We allowed the use of curves permitted by the BRs
> but this issue came up in the mozilla policy (I think Arkadiusz posted) and I
> also asked about it in the last CABF F2F (I asked Ryan about it) and then,
> with that outcome
On Monday, 18 September 2017 14:52:27 UTC+2, Ryan Sleevi wrote:
> On Mon, Sep 18, 2017 at 8:12 AM, Inigo Barreira <>
> wrote:
> Then they misissued a CA certificate and failed to disclose it, and we
> should start an incident report into it.
Hello
In April 2017 the mozilla policy in force (v2.4)
On Mon, Sep 18, 2017 at 8:12 AM, Inigo Barreira
wrote:
>
> We are not seeking to identify personal blame. We are seeking to
> understand what, if any, improvements have been made to address such
> issues. In reading this thread, I have difficulty finding any discussion
>
I didn't understand the original below comment by StartCom very well about
the cross-sign, but after Ryan's message I understand it better in
retrospect:
> On Thu, Sep 14, 2017 at 11:05 AM, Inigo Barreira via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> I've never said
On Fri, Sep 15, 2017 at 12:30 PM, Inigo Barreira via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> >
> > Hi Inigo,
> >
> > On 14/09/17 16:05, Inigo Barreira wrote:
> > > Those tests were done to check the CT behaviour, there was any other
> > testing of the new systems,
>
> Hi Inigo,
>
> On 14/09/17 16:05, Inigo Barreira wrote:
> > Those tests were done to check the CT behaviour, there was any other
> testing of the new systems, just for the CT.
>
> Is there any reason those tests could not have been done using a parallel
> testing hierarchy (other than the
I'm fairly confused by your answers: if the only thing you tested in
production was CT, why was the system issuing non-compliant certs? Why did
production CT testing come before having established, tested, and verified
a compliant certificate profile?
Alex
On Fri, Sep 15, 2017 at 10:35 AM, Inigo
On 15/09/17 09:24, Inigo Barreira wrote:
> AFAIK, Certinomis only disclosed in the CCADB
That means it's published and available. As noted in my other reply,
information as to exactly what this cross-sign enables trust for would
be most helpful, as I may have misunderstood previous statements on
Hi Inigo,
On 14/09/17 16:05, Inigo Barreira wrote:
> Those tests were done to check the CT behaviour, there was any other testing
> of the new systems, just for the CT.
Is there any reason those tests could not have been done using a
parallel testing hierarchy (other than the fact that you
> Hi Inigo,
>
> To add from the last post.
>
> I know this is unwelcome news to you but I feel that with all these incidents
> happening right now with Symantec and the incidents before, we can't really
> take any more chances. Every incident is eroding trust in this system and if
> we
> want
> > >
> > > > Those tests were done to check the CT behaviour, there was any
> > > > other
> > > testing of the new systems, just for the CT. Those certs were under
> > > control all the time and lived for some minutes because they were
> > > revoked immediately after checking the certs were
On Friday, September 15, 2017 at 12:30:00 PM UTC+1, James Burton wrote:
> On Friday, September 15, 2017 at 10:56:11 AM UTC+1, Inigo Barreira wrote:
> > >
> > > > Those tests were done to check the CT behaviour, there was any other
> > > testing of the new systems, just for the CT. Those certs
On Friday, September 15, 2017 at 10:56:11 AM UTC+1, Inigo Barreira wrote:
> >
> > > Those tests were done to check the CT behaviour, there was any other
> > testing of the new systems, just for the CT. Those certs were under control
> > all
> > the time and lived for some minutes because
>
> > Those tests were done to check the CT behaviour, there was any other
> testing of the new systems, just for the CT. Those certs were under control
> all
> the time and lived for some minutes because they were revoked immediately
> after checking the certs were logged correctly in the CTs.
> Those tests were done to check the CT behaviour, there was any other testing
> of the new systems, just for the CT. Those certs were under control all the
> time and lived for some minutes because they were revoked immediately after
> checking the certs were logged correctly in the CTs. It's
> On 14/09/2017 17:05, Inigo Barreira wrote:
> > All,
> >
> > ...
> >>
> >> We should add the existing Certinomis cross-signs to OneCRL to revoke
> >> all the existing certificates. As of 10th August (now a month ago)
> >> StartCom said they have 5 outstanding SSL certs which are valid
> >> due
re de 2017 1:22
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: FW: StartCom inclusion request: next steps
>
> On Thursday, 14 September 2017 16:00:35 UTC+1, Inigo Barreira wrote:
> > Well, finally this is a business and I don't think none on this list is
> >
On 14/09/2017 17:05, Inigo Barreira wrote:
All,
...
We should add the existing Certinomis cross-signs to OneCRL to revoke all the
existing certificates. As of 10th August (now a month ago) StartCom said they
have 5 outstanding SSL certs which are valid due to the Certinomis cross-sign.
On Thursday, 14 September 2017 16:00:35 UTC+1, Inigo Barreira wrote:
> Well, finally this is a business and I don't think none on this list is
> working for free. At the end everyone has his/her salary, etc. But that was
> not the main reason because getting included in the root programs takes