On 11/29/2008 06:43 AM, Frank Hecker:
On the WISeKey end, they could mandate use of SAN in BlackBox-issued
certificates (as opposed to just including it in the default template),
and from the NSS end we could disallow use of CN for storing domain
names.
At least you could have made it a
On 11/29/2008 05:27 PM, Frank Hecker:
Made what a requirement? Mandating use of SAN in BlackBox?
Yes, that's what I actually meant.
But my understanding
(based on your hypothetical scenario) is that this would not be
sufficient, since someone could remove the key material and try to issue
OMG, maybe just maybe the OpenSSL folks should perhaps be told of
this issue and concept so they can update!
-Kyle H
On Mon, Nov 24, 2008 at 11:35 AM, Eddy Nigg [EMAIL PROTECTED] wrote:
On 11/24/2008 07:33 PM, Nelson B Bolyard:
The only solution to this that is apparent to me is for the web
Eddy Nigg wrote:
Frank: I think the critical issues that Mozilla had concerns about have been
addressed!
I agree, and am going to proceed with approval of this request.
We need to make sure that naming constraints work as expected.
I read through the thread on that, and will read it again to confirm
Frank Hecker wrote:
Per the CA schedule, the next CA on the list for public comment is
WISeKey, which has applied to add its (one) root CA certificate to the
Mozilla root store, as documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=371362
and in the pending
Frank Hecker wrote:
Frank Hecker wrote:
Per the CA schedule, the next CA on the list for public comment is
WISeKey, which has applied to add its (one) root CA certificate to the
Mozilla root store, as documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=371362
and
On 11/23/2008 12:32 AM, Nelson B Bolyard:
There's no foolproof test for determining if a string is a DNS name or
some other kind of name. Various heuristics can be devised, but they
all have problems.
This worries me somewhat and I question the usefulness of the
name-constraints then...
Eddy Nigg wrote, On 2008-11-24 09:14:
On 11/23/2008 12:32 AM, Nelson B Bolyard:
There's no foolproof test for determining if a string is a DNS name or
some other kind of name. Various heuristics can be devised, but they
all have problems.
This worries me somewhat and I question the
On 11/24/2008 07:33 PM, Nelson B Bolyard:
The only solution to this that is apparent to me is for the web to
evolve to the point where browsers no longer accept DNS names in
non-standard locations in the cert, such as in the Subject Common Name.
Which in itself might create quite some
Eddy Nigg wrote, On 2008-11-24 11:35:
On 11/24/2008 07:33 PM, Nelson B Bolyard:
The only solution to this that is apparent to me is for the web to
evolve to the point where browsers no longer accept DNS names in
non-standard locations in the cert, such as in the Subject Common Name.
Which
Hi Eddy,
On Nov 21, 10:37 pm, Eddy Nigg [EMAIL PROTECTED] wrote:
On 11/21/2008 10:12 PM, kgb:
Only validated and approved domain names can be included
in a cert, whether in the Subject DN or the SAN.
It is the default template, and best practice that the SAN
(e.g. RFC822, dnsName) to
On 11/22/2008 12:32 PM, kgb:
Mandatory inclusion of the SAN extension in a certificate is a policy
we can apply and monitor in the future.
To my understanding NSS ignores the subject line according to the RFC.
DNS name constraints constrain subject alt name extensions, not CN=
attributes in
Eddy Nigg wrote, On 2008-11-22 04:10:
On 11/22/2008 12:32 PM, kgb:
Mandatory inclusion of the SAN extension in a certificate is a policy
we can apply and monitor in the future.
To my understanding NSS ignores the subject line according to the RFC.
I think you mean subject NAME, not subject
Hi Eddy,
On Nov 21, 12:36 am, Eddy Nigg [EMAIL PROTECTED] wrote:
On 11/20/2008 06:34 PM, kb:
Probably the most important change in stated practice, is that it is
reflected that every CA is audited at least once annually. This is the
case for all active CAs.
Kevin, thanks for
On 11/21/2008 10:57 AM, kgb:
There is not.
There are no sub CAs within our public hierarchy, that are not of the
BlackBox type, which are external to our physical infrastructure.
There are several PRIVATE CAs (linked to a private customer Root CA)
that use our software and practices and
On 11/18/2008 05:31 AM, Eddy Nigg:
On 11/18/2008 03:54 AM, Eddy Nigg:
Frank, I greatly missed the thorough and systematic work of Kathleen in
this bug and it's a pity she didn't perform another round of
information gathering in case some new evidence was provided. Anyhow,
I couldn't find
Hi Frank,
On Nov 20, 9:21 pm, Frank Hecker [EMAIL PROTECTED] wrote:
Eddy Nigg wrote:
The Wisekey case could be where we might draw the line.
I'm not sure exactly which message (of mine or someone else's) you're
responding to.
In any case I don't think there's a bright line between the
On 11/21/2008 05:16 PM, kgb:
Frank, I agree with you.
Our CA controls, audits, etc. are designed to ensure that all identities are
validated appropriately prior to certificate issuance. BlackBox CAs are an
extremely restricted CA context where certificates issued at the CA are
restricted to
Hi Eddy,
On Nov 21, 8:16 pm, Eddy Nigg [EMAIL PROTECTED] wrote:
On 11/21/2008 05:16 PM, kgb:
Frank, I agree with you.
Our CA controls, audits, etc. are designed to ensure that all identities are
validated appropriately prior to certificate issuance. BlackBox CAs are an
extremely
On 11/21/2008 10:12 PM, kgb:
Only validated and approved domain names can be included
in a cert, whether in the Subject DN or the SAN.
It is the default template, and best practice that the SAN
(e.g. RFC822, dnsName) to be filled in the certificates.
It's the case for some but not all customers.
On Nov 19, 2:27 am, Eddy Nigg [EMAIL PROTECTED] wrote:
On 11/19/2008 01:59 AM, kgb:
Hi Kevin,
WISeKey has made some changes to its practices, since the last public
discussion period.
I'm glad to hear that! Can you point to what specifically has been
changed since then?
Probably the
Hi Eddy,
On Nov 19, 3:14 am, Eddy Nigg [EMAIL PROTECTED] wrote:
Frank:
The Wisekey case could be where we might draw the line. Provided that
- there is a *good compelling reason* for using sub-ordinate
certificates in first place, limited to the domains under the control of
the owner (via
Eddy Nigg wrote:
The Wisekey case could be where we might draw the line.
I'm not sure exactly which message (of mine or someone else's) you're
responding to.
In any case I don't think there's a bright line between the various
scenarios involving independently-operated subordinate CAs.
On 11/20/2008 10:21 PM, Frank Hecker:
Eddy Nigg wrote:
The Wisekey case could be where we might draw the line.
I'm not sure exactly which message (of mine or someone else's) you're
responding to.
I referred to the general discussion about sub roots.
In any case I don't think there's a
On 11/20/2008 06:34 PM, kb:
Probably the most important change in stated practice, is that it is
reflected that every CA is audited at least once annually. This is the
case for all active CAs.
Kevin, thanks for clarifying this. It indeed was one of the concerns
raised last time.
The
Eddy Nigg wrote:
The Wisekey case could be where we might draw the line. Provided that
- there is a *good compelling reason* for using sub-ordinate
certificates in first place, limited to the domains under the control of
the owner (via name-constraints) and with reasonable controls in place
Eddy Nigg wrote:
I believe that the policy (and/or other relevant policy guiding
statements) should be clear in respect what Mozilla requires from the
CAs.
It's a nice ideal, but I wonder myself whether it can be achieved. This
is one of the reasons why we have ended up with the
On 11/18/2008 05:14 PM, Ian G:
Eddy Nigg wrote:
I believe that the policy (and/or other relevant policy guiding
statements) should be clear in respect what Mozilla requires from the
CAs.
It's a nice ideal, but I wonder myself whether it can be achieved. This
is one of the reasons why we have
On Nov 18, 2:54 am, Eddy Nigg [EMAIL PROTECTED] wrote:
On 11/14/2008 11:12 PM, Frank Hecker:
...in the short term I'm going to try to restart CA public
In this particular case I think that the practice in question doesn't
meet the requirements of the Mozilla CA policy. This includes in
On 11/19/2008 01:59 AM, kgb:
Hi Kevin,
WISeKey has made some changes to its practices, since the last public
discussion period.
I'm glad to hear that! Can you point to what specifically has been
changed since then?
BlackBox Subordinate CAs are restricted to issue
certificates for domains
Frank:
The Wisekey case could be where we might draw the line. Provided that
- there is a *good compelling reason* for using sub-ordinate
certificates in first place, limited to the domains under the control of
the owner (via name-constraints) and with reasonable controls in place
(like
On 11/14/2008 11:12 PM, Frank Hecker:
...in the short term I'm going to try to restart CA public
discussions on a regular schedule.
Nice to see you back here!
First, the general issue of auditing subordinate CAs was something we
didn't think through much when we did our Mozilla CA policy: We
On 11/18/2008 03:54 AM, Eddy Nigg:
Frank, I greatly missed the thorough and systematic work of Kathleen in
this bug and it's a pity she didn't perform another round of
information gathering in case some new evidence was provided. Anyhow,
I couldn't find anything new in the bug since the last
First, my sincere apologies for being missing from this group over the
past few weeks. A combination of illness (both my own and family),
out-of-town trips, and other Mozilla Foundation business kept me from
having any significant time to devote to CA matters. I am working on
ways to ensure