RE: StartCom cross-signs disclosed by Certinomis

2017-09-11 Thread Inigo Barreira via dev-security-policy
2017 13:27 To: Franck Leroy <fr.le...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: StartCom cross-signs disclosed by Certinomis Hi Franck, On 03/08/17 08:59, Franck Leroy wrote: > On end of June the audit report from PwC was available but with still some mi

Re: StartCom cross-signs disclosed by Certinomis

2017-09-11 Thread Gervase Markham via dev-security-policy
Hi Franck, On 03/08/17 08:59, Franck Leroy wrote: > On end of June the audit report from PwC was available but with still some > minor issues. I asked StartCom to correct them. > > On July 14th the audit report and the policy were updated and published on > StartCom website. The audit reports

Re: StartCom cross-signs disclosed by Certinomis

2017-09-11 Thread Gervase Markham via dev-security-policy
Getting back to this very late... I am studying this situation today. On 07/08/17 10:21, Franck Leroy wrote: > Then in November 2016 I contacted Kathleen and Gerv to know if there were some > stoppers to work with Inigo to help StartCom to be back in the business. > There was no opposition as

RE: StartCom cross-signs disclosed by Certinomis

2017-08-08 Thread Inigo Barreira via dev-security-policy
> > Best regards > > Iñigo Barreira > CEO > StartCom CA Limited > > > -Original Message- > From: dev-security-policy > [mailto:dev-security-policy-bounces+inigo=startcomca.com@lists.mozilla > .org] On Behalf Of Jakob Bohm via dev-security-policy > Sent: l

Re: StartCom cross-signs disclosed by Certinomis

2017-08-08 Thread urijah--- via dev-security-policy
egards > > Iñigo Barreira > CEO > StartCom CA Limited > > > -Original Message- > From: dev-security-policy > [mailto:dev-security-policy-bounces+inigo=startcomca@lists.mozilla.org] > On Behalf Of Jakob Bohm via dev-security-policy > Sent: lunes, 7 de agosto

RE: StartCom cross-signs disclosed by Certinomis

2017-08-08 Thread Inigo Barreira via dev-security-policy
ity-policy-bounces+inigo=startcomca@lists.mozilla.org] On Behalf Of Percy via dev-security-policy Sent: martes, 8 de agosto de 2017 2:39 To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: StartCom cross-signs disclosed by Certinomis On Monday, August 7, 2017 at 2:36:10 PM UTC-7, Itzhak Da

RE: StartCom cross-signs disclosed by Certinomis

2017-08-08 Thread Inigo Barreira via dev-security-policy
de 2017 23:36 To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: StartCom cross-signs disclosed by Certinomis On Monday, August 7, 2017 at 11:03:27 PM UTC+3, Jakob Bohm wrote: > 7. At Quihoo: Actually get rid of Richard Wang, not just change his >title from CEO to COO. I didn

RE: StartCom cross-signs disclosed by Certinomis

2017-08-08 Thread Inigo Barreira via dev-security-policy
: dev-security-policy [mailto:dev-security-policy-bounces+inigo=startcomca@lists.mozilla.org] On Behalf Of Jakob Bohm via dev-security-policy Sent: lunes, 7 de agosto de 2017 22:03 To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: StartCom cross-signs disclosed by Certinomis

RE: StartCom cross-signs disclosed by Certinomis

2017-08-07 Thread Richard Wang via dev-security-policy
-pol...@lists.mozilla.org Subject: Re: StartCom cross-signs disclosed by Certinomis On Monday, August 7, 2017 at 11:03:27 PM UTC+3, Jakob Bohm wrote: > 7. At Quihoo: Actually get rid of Richard Wang, not just change his >title from CEO to COO. I didn't map the new hierarchy of the "

Re: StartCom cross-signs disclosed by Certinomis

2017-08-07 Thread Percy via dev-security-policy
On Monday, August 7, 2017 at 2:36:10 PM UTC-7, Itzhak Daniel wrote: > On Monday, August 7, 2017 at 11:03:27 PM UTC+3, Jakob Bohm wrote: > > 7. At Quihoo: Actually get rid of Richard Wang, not just change his > >title from CEO to COO. > > I didn't map the new hierarchy of the "Spanish"

Re: StartCom cross-signs disclosed by Certinomis

2017-08-07 Thread Itzhak Daniel via dev-security-policy
On Monday, August 7, 2017 at 11:03:27 PM UTC+3, Jakob Bohm wrote: > 7. At Quihoo: Actually get rid of Richard Wang, not just change his >title from CEO to COO. I didn't map the new hierarchy of the "Spanish" StartCom CA ("StartCom CA Spain Sociedad Limitada"), having trouble registering to

Re: StartCom cross-signs disclosed by Certinomis

2017-08-07 Thread Jakob Bohm via dev-security-policy
On 07/08/2017 11:21, Franck Leroy wrote: Hello I see many reactions that are not in line with the reality because you don’t have all the history on the subject. I’ll try to summarize. Approximately one year ago Inigo was CTO of Izenpe (CA of the Basque Country) and he left this company in

Re: StartCom cross-signs disclosed by Certinomis

2017-08-07 Thread Matthew Hardeman via dev-security-policy
To play the devil's advocate... If everything is as Mr. Leroy of Certinomis points out, I don't see the problem with the cross-sign. In that version of events, the vast majority of the issues in the new PKI (test certs, etc) had already been revoked and measures put in place to prevent that

Re: StartCom cross-signs disclosed by Certinomis

2017-08-07 Thread Itzhak Daniel via dev-security-policy
Trust is something you *gain*. I want to believe the internet has come a long way from PGP signing parties. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy

Re: StartCom cross-signs disclosed by Certinomis

2017-08-07 Thread Franck Leroy via dev-security-policy
Hello I see many reactions that are not in line with the reality because you don’t have all the history on the subject. I’ll try to summarize. Approximately one year ago Inigo was CTO of Izenpe (CA of the Basque Country) and he left this company in order to join StartCom. Not long after he

RE: StartCom cross-signs disclosed by Certinomis

2017-08-04 Thread Inigo Barreira via dev-security-policy
> > In this larger light, it would also seem that StartCom, having misissued a number of certificates already under their new hierarchy, which present a risk to Mozilla users (revocation is neither an excuse nor a mitigation for misissuance), should be required to take corrective steps and

Re: StartCom cross-signs disclosed by Certinomis

2017-08-04 Thread okaphone.elektronika--- via dev-security-policy
On Friday, 4 August 2017 03:16:45 UTC+2, Matt Palmer wrote: > On Thu, Aug 03, 2017 at 01:43:08PM -0700, Kathleen Wilson via > dev-security-policy wrote: > > However, I think it is fine for Certinomis to cross-sign with new StartCom > > subCA certs, as long as Certinomis ensures that Mozilla's

Re: StartCom cross-signs disclosed by Certinomis

2017-08-04 Thread userwithuid via dev-security-policy
On Friday, August 4, 2017 at 12:27:13 AM UTC, Kathleen Wilson wrote: > Along this line of discussion, I have not felt comfortable with StartCom's > current root inclusion request (bug #1381406), because Hanno raised a concern > about the private key used by the new root is also used by two

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread J.C. Jones via dev-security-policy
On 8/3/17 5:27 PM, Kathleen Wilson via dev-security-policy wrote: > On Thursday, August 3, 2017 at 4:34:27 PM UTC-7, Ryan Sleevi wrote: > In bug #1311832 there is a note about cross-signing: > "[1] The new (replacement) root certificates may be cross-signed by the > Affected Roots. However, the

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Matt Palmer via dev-security-policy
On Thu, Aug 03, 2017 at 08:47:17AM +, Inigo Barreira via dev-security-policy wrote: > And what I don't understand are those comments of "very sloppy issuance > practices" , "many non-BR compliants", "specially given the historic issues > with StartCom" and consider them very unfair. These are

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Matt Palmer via dev-security-policy
On Thu, Aug 03, 2017 at 11:20:19AM +, Inigo Barreira via dev-security-policy wrote: > We're revoking all those unrevoked certs to avoid any more problems. Revoking problematic certificates doesn't avoid any problems. The problems have already been created. > Regarding the pre-certs, yes, I

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Matt Palmer via dev-security-policy
On Thu, Aug 03, 2017 at 01:43:08PM -0700, Kathleen Wilson via dev-security-policy wrote: > However, I think it is fine for Certinomis to cross-sign with new StartCom > subCA certs, as long as Certinomis ensures that Mozilla's Root Store > Policy is being followed. ... which they didn't. So

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Matt Palmer via dev-security-policy
On Thu, Aug 03, 2017 at 05:27:03PM -0700, Kathleen Wilson via dev-security-policy wrote: > Along this line of discussion, I have not felt comfortable with StartCom's > current root inclusion request (bug #1381406), because Hanno raised a > concern about the private key used by the new root is

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Kathleen Wilson via dev-security-policy
On Thursday, August 3, 2017 at 4:34:27 PM UTC-7, Ryan Sleevi wrote: > I do hope you can clarify whether remediations apply to keys operated by > organizations, or whether they apply to the organization themselves. https://bugzilla.mozilla.org/show_bug.cgi?id=1311832 says: "StartCom may apply

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Ryan Sleevi via dev-security-policy
On Friday, August 4, 2017 at 8:02:16 AM UTC+9, Kathleen Wilson wrote: > On Thursday, August 3, 2017 at 3:09:25 PM UTC-7, Kurt Roeckx wrote: > > I would really like to see that they have at least opened a bug to > > request the inclusion of that CA before it's cross-signed. > > Here's StartCom's

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Kathleen Wilson via dev-security-policy
On Thursday, August 3, 2017 at 3:09:25 PM UTC-7, Kurt Roeckx wrote: > I would really like to see that they have at least opened a bug to > request the inclusion of that CA before it's cross-signed. Here's StartCom's current root inclusion request:

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Kurt Roeckx via dev-security-policy
On Thu, Aug 03, 2017 at 01:43:08PM -0700, Kathleen Wilson via dev-security-policy wrote: > On Thursday, August 3, 2017 at 9:49:41 AM UTC-7, Jonathan Rudenberg wrote: > > Even absent the BR-violating certificates and disclosure timeline, I > > believe this cross-sign is problematic because it

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Jonathan Rudenberg via dev-security-policy
> On Aug 3, 2017, at 12:26, Kathleen Wilson via dev-security-policy > wrote: > > All, > > I have conflicting opinions about this situation: > > On the one hand, I want to see better behavior, and am inclined to add these > two intermediate certs to

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Kathleen Wilson via dev-security-policy
All, I have conflicting opinions about this situation: On the one hand, I want to see better behavior, and am inclined to add these two intermediate certs to OneCRL, and tell StartCom and Certinomis to start over and do things right. On the other hand, I'm not convinced yet that the issued

RE: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Inigo Barreira via dev-security-policy
[mailto:jonat...@titanous.com] Sent: jueves, 3 de agosto de 2017 16:52 To: Inigo Barreira <in...@startcomca.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: StartCom cross-signs disclosed by Certinomis > On Aug 3, 2017, at 04:47, Inigo Barreira via dev-security-policy > &

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Jonathan Rudenberg via dev-security-policy
> On Aug 3, 2017, at 04:47, Inigo Barreira via dev-security-policy > wrote: > > For those which are not revoked are due to use different curves (P-384, > P-521) that have been discussed in the mozilla m.d.s.p as well as the CAB > Forum and there's no

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Alex Gaynor via dev-security-policy
a > CEO > StartCom CA Limited > > -Original Message- > From: Patrick Figel [mailto:patrick@figel.email] > Sent: jueves, 3 de agosto de 2017 13:07 > To: Inigo Barreira <in...@startcomca.com>; Franck Leroy > <fr.le...@gmail.com>; mozilla-dev-security-pol...@lists.m

RE: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Inigo Barreira via dev-security-policy
igel.email] Sent: jueves, 3 de agosto de 2017 13:07 To: Inigo Barreira <in...@startcomca.com>; Franck Leroy <fr.le...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: StartCom cross-signs disclosed by Certinomis On 03/08/2017 10:47, Inigo Barreira via dev-security-p

RE: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Nick Lamb via dev-security-policy
1. It is well established that logging pre-certs constitutes "issuance" for purposes of policy compliance. If you wouldn't issue it, don't log it. Not difficult. And this isn't new. 2. When a new path comes into existence in the Web PKI you don't need to explicitly "use" it as a CA, the

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Patrick Figel via dev-security-policy
On 03/08/2017 10:47, Inigo Barreira via dev-security-policy wrote: > 1. The un-revoked test certificates are those pre-sign ones with uncompleted > ctlog. So they are not completed certificates. > https://crt.sh/?opt=cablint&id=134843670 > https://crt.sh/?opt=cablint&id=134843674 >
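The two technical points argued in this thread can be checked mechanically: a logged pre-certificate is a CA-signed artifact even though no client will ever accept it (Nick Lamb's point 1 above, against Inigo's "not completed certificates"), and a cross-sign puts the same sub-CA key under a second issuer, so a new trust path exists whether or not the CA ever "uses" it. The Go program below is an added example written for this page, not code from the thread or from StartCom or Certinomis. Every certificate in it is generated in-process under hypothetical names, so it runs offline; SPKIHash is the same key fingerprint crt.sh shows, which is how a key-reuse concern like Hanno's (a root key also appearing in other certificates) is checked on real data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CT precertificate poison extension (RFC 6962 s3.1): critical, value ASN.1 NULL.
var ctPoisonOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
// issue signs a certificate for pub with subject cn under parent (nil = self-signed) using
// parentKey. Every name in this file is hypothetical, not a real StartCom or Certinomis CA.
func issue(cn string, serial int64, isCA bool, exts []pkix.Extension,
	parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtraExtensions: exts,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{cn}
	}
	if parent == nil {
		parent = t
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey))))
}
// SPKIHash is SHA-256 over the DER SubjectPublicKeyInfo: same value, same key (crt.sh shows this fingerprint).
func SPKIHash(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo))
}
// IsPrecert reports whether c carries the CT poison extension.
func IsPrecert(c *x509.Certificate) bool {
	for _, e := range c.Extensions {
		if e.Id.Equal(ctPoisonOID) {
			return true
		}
	}
	return false
}
// KeyReuse keeps keys certified more than once ("issuer -> subject" per use): a cross-sign is one key under two issuers.
func KeyReuse(certs []*x509.Certificate) map[string][]string {
	out := map[string][]string{}
	for _, c := range certs {
		h := SPKIHash(c)
		out[h] = append(out[h], c.Issuer.CommonName+" -> "+c.Subject.CommonName)
	}
	for h, uses := range out {
		if len(uses) < 2 {
			delete(out, h)
		}
	}
	return out
}
// Scenario: a new root, one sub-CA key certified by it and by an unrelated cross-signing root, a leaf, and a precert.
type Scenario struct{ NewRoot, CrossRoot, Sub, CrossSub, Leaf, Precert *x509.Certificate }
func BuildScenario() Scenario {
	rk, ck, sk, lk := newKey(), newKey(), newKey(), newKey()
	newRoot := issue("Hypothetical New Root", 1, true, nil, nil, &rk.PublicKey, rk)
	crossRoot := issue("Hypothetical Cross-Signing Root", 2, true, nil, nil, &ck.PublicKey, ck)
	sub := issue("Hypothetical Sub CA", 3, true, nil, newRoot, &sk.PublicKey, rk)
	crossSub := issue("Hypothetical Sub CA", 4, true, nil, crossRoot, &sk.PublicKey, ck)
	leaf := issue("test.example", 5, false, nil, sub, &lk.PublicKey, sk)
	poison := []pkix.Extension{{Id: ctPoisonOID, Critical: true, Value: []byte{0x05, 0x00}}}
	precert := issue("test.example", 6, false, poison, sub, &lk.PublicKey, sk)
	return Scenario{newRoot, crossRoot, sub, crossSub, leaf, precert}
}
// Chains returns nil when leaf validates to root through inter.
func Chains(leaf, inter, root *x509.Certificate) error {
	rp, ip := x509.NewCertPool(), x509.NewCertPool()
	rp.AddCert(root)
	ip.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rp, Intermediates: ip, DNSName: "test.example"})
	return err
}

func main() {
	s := BuildScenario()
	fmt.Println("shared keys:", KeyReuse([]*x509.Certificate{s.NewRoot, s.CrossRoot, s.Sub, s.CrossSub, s.Leaf}))
	fmt.Println("leaf via cross root:", Chains(s.Leaf, s.CrossSub, s.CrossRoot), "| precert:", IsPrecert(s.Precert), "validates:", Chains(s.Precert, s.Sub, s.NewRoot))
}
```

Run with go run. KeyReuse reports the sub-CA key under both roots and nothing else; the leaf, which was issued with the new root's sub-CA in mind, validates through the cross-signed sub-CA to the cross-signing root without anyone having "used" that path; and the precert parses with a valid CA signature but Verify rejects it for the unhandled critical poison extension, which is exactly why policy treats logging one as issuance: the CA key has already signed it, and only the poison stops clients from accepting it.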

RE: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Inigo Barreira via dev-security-policy
ranck Leroy via dev-security-policy Sent: jueves, 3 de agosto de 2017 9:59 To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: StartCom cross-signs disclosed by Certinomis Hello, the 2 CA certificates signed by Certinomis have been retained till a full successful webtrust audit.

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Franck Leroy via dev-security-policy
Hello, the 2 CA certificates signed by Certinomis have been retained till a full successful webtrust audit. At the end of June the audit report from PwC was available but with still some minor issues. I asked StartCom to correct them. On July 14th the audit report and the policy were updated and

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread okaphone.elektronika--- via dev-security-policy
On Thursday, 3 August 2017 02:12:18 UTC+2, Matt Palmer wrote: > On Wed, Aug 02, 2017 at 06:38:44PM -0400, Jonathan Rudenberg via > dev-security-policy wrote: > > I think the correct response is to add both intermediates to OneCRL > > immediately, especially given the historic issues with

Re: StartCom cross-signs disclosed by Certinomis

2017-08-02 Thread Matt Palmer via dev-security-policy
On Wed, Aug 02, 2017 at 06:38:44PM -0400, Jonathan Rudenberg via dev-security-policy wrote: > I think the correct response is to add both intermediates to OneCRL > immediately, especially given the historic issues with StartCom. +1. Also a strongly worded letter of "are you f%*king kidding

Re: StartCom cross-signs disclosed by Certinomis

2017-08-02 Thread Kathleen Wilson via dev-security-policy
Jonathan, Thank you for bringing this to our attention. I have filed two bugs... 1) https://bugzilla.mozilla.org/show_bug.cgi?id=1386891 Certinomis: Cross-signing of StartCom intermediate certs, and delay in reporting it in CCADB 2) https://bugzilla.mozilla.org/show_bug.cgi?id=1386894 Add