
CCADB disclosure of id-kp-emailProtection intermediates


Rob Stradling

Jan 16, 2018, 4:29:49 PM1/16/18
to mozilla-dev-s...@lists.mozilla.org
[Kathleen, Gerv, Wayne: Please correct me if this post misrepresents
Mozilla's policy and/or current expectations. Thanks!]

Mozilla Root Store Policy v2.5 section 5.3.1 [1] permitted the
non-disclosure (and, IINM, non-audit) of certain
non-technically-constrained id-kp-emailProtection intermediate
certificates...until yesterday:
"Instead of complying with the above paragraph, intermediate
certificates issued before 22nd June 2017 may, until 15th January 2018..."

According to [2], there are currently 223 non-technically-constrained
intermediate certificates known to crt.sh that chain to an NSS built-in
root (that has the Email trust bit set) and are capable of issuing
id-kp-emailProtection certificates but not id-kp-serverAuthentication
certificates.

IIUC, the Mozilla policy now requires these intermediate certificates to
have already been disclosed to the CCADB and to be audited.


[1]
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#technically-constrained

[2] https://crt.sh/mozilla-disclosures#undisclosed

[3] https://crt.sh/mozilla-disclosures#undisclosedsummary

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
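As an added illustration (my own Go code, not Rob's, crt.sh's or Mozilla's), this approximates the filter the post describes: a CA certificate that can issue id-kp-emailProtection but not id-kp-serverAuth and carries no rfc822Name name constraints. It assumes that a permittedSubtrees rfc822Name entry is the only technical constraint worth checking and does not verify chaining to an NSS root with the Email trust bit; the demo certificates are constructed in memory from a fixed zero seed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// hasEKU reports whether c may be used for want (anyExtendedKeyUsage also counts).
func hasEKU(c *x509.Certificate, want x509.ExtKeyUsage) bool {
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		return true // no EKU extension at all: usable for any purpose
	}
	for _, e := range c.ExtKeyUsage {
		if e == want || e == x509.ExtKeyUsageAny {
			return true
		}
	}
	return false
}

// EmailOnlyUnconstrained approximates the crt.sh filter the post describes: a CA
// that can issue id-kp-emailProtection but not id-kp-serverAuth and carries no
// rfc822Name permittedSubtrees. Assumption: that is the only constraint checked.
func EmailOnlyUnconstrained(c *x509.Certificate) bool {
	return c.IsCA && hasEKU(c, x509.ExtKeyUsageEmailProtection) &&
		!hasEKU(c, x509.ExtKeyUsageServerAuth) && len(c.PermittedEmailAddresses) == 0
}

// makeCA builds a constructed self-signed demo CA from a fixed zero seed (demo only).
func makeCA(cn string, eku []x509.ExtKeyUsage, permittedEmail []string) *x509.Certificate {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, ExtKeyUsage: eku,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), PermittedEmailAddresses: permittedEmail,
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, tpl, priv.Public(), priv)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der) // re-parse so the extensions are decoded
	if err != nil {
		panic(err)
	}
	return c
}
```

Note that a CA with no EKU extension at all is treated as serverAuth-capable, so it lands in the TLS bucket rather than in this one.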

Ben Wilson

Jan 16, 2018, 6:07:07 PM1/16/18
to Rob Stradling, mozilla-dev-s...@lists.mozilla.org
What about the Mozilla CA communication that said that CAs had until 15
April 2018?

Ryan Sleevi

Jan 17, 2018, 4:22:21 AM1/17/18
to Ben Wilson, Rob Stradling, mozilla-dev-s...@lists.mozilla.org

Rob Stradling

Jan 17, 2018, 5:26:49 AM1/17/18
to dev-secur...@lists.mozilla.org
On 17/01/18 09:21, Ryan Sleevi via dev-security-policy wrote:
> Specifically,
> https://ccadb-public.secure.force.com/mozillacommunications/CACommunicationSurveySample?CACommunicationId=a051J00003mogw7

Ben, Ryan,

Hmm, you're right. (I must've skipped over that disclosure deadline
change because I'd already disclosed Comodo's id-kp-emailProtection
intermediates to the CCADB well ahead of the original deadline). The
November 2017 CA Communication does indeed say 15th April 2018, and, in
fact, so does the latest draft of the Mozilla Root Store Policy [1].

However, the Stable version of the Mozilla Root Store Policy [2] still
says 15th January 2018.

Surely the Stable version of the Policy is in force and the Draft
version is not yet in force?

Perhaps Mozilla could consider publishing a v2.5.1 of the Policy that
(compared to v2.5) simply updates this disclosure deadline?


[1] https://github.com/mozilla/pkipolicy/blob/master/rootstore/policy.md

[2]
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/

Gervase Markham

Jan 17, 2018, 8:19:35 AM1/17/18
to Rob Stradling
On 17/01/18 10:25, Rob Stradling wrote:
> However, the Stable version of the Mozilla Root Store Policy [2] still
> says 15th January 2018.
>
> Surely the Stable version of the Policy is in force and the Draft
> version is not yet in force?
>
> Perhaps Mozilla could consider publishing a v2.5.1 of the Policy that
> (compared to v2.5) simply updates this disclosure deadline?

We published an erratum, and have noted in every discussion of this
issue that the dates have changed.
https://wiki.mozilla.org/CA/Root_Store_Policy_Archive

Perhaps we should have done a 2.5.1 but at the time I thought telling
everyone would be sufficient.

Gerv

Rob Stradling

Jan 18, 2018, 5:45:26 AM1/18/18
to Gervase Markham, mozilla-dev-s...@lists.mozilla.org
On 17/01/18 13:18, Gervase Markham via dev-security-policy wrote:
> On 17/01/18 10:25, Rob Stradling wrote:
>> However, the Stable version of the Mozilla Root Store Policy [2] still
>> says 15th January 2018.
>>
>> Surely the Stable version of the Policy is in force and the Draft
>> version is not yet in force?
>>
>> Perhaps Mozilla could consider publishing a v2.5.1 of the Policy that
>> (compared to v2.5) simply updates this disclosure deadline?
>
> We published an erratum, and have noted in every discussion of this
> issue that the dates have changed.
> https://wiki.mozilla.org/CA/Root_Store_Policy_Archive
>
> Perhaps we should have done a 2.5.1 but at the time I thought telling
> everyone would be sufficient.
>
> Gerv

Gerv, thanks for clarifying.

Mads Egil Henriksveen

Apr 11, 2018, 1:29:33 PM4/11/18
to Rob Stradling, mozilla-dev-s...@lists.mozilla.org
Hi

One of the non-technically-constrained intermediate certificates on the list [2] below is issued by Buypass and this was revoked today - see https://crt.sh/?id=157337628.

This was done to be compliant with Section 5.3.1 of Mozilla Root Store Policy v 2.5 [1] - as specified in Action 1 of November 2017 CA Communication: "By April 15, 2018, all intermediate certificates (that chain up to root certificates included in Mozilla's program) that are capable of issuing S/MIME certificates but are not name constrained must be either audited and disclosed in the Common CA Database, or be revoked".

Please let me know if any further action(s) are required from our side.

Regards
Mads

-----Original Message-----
From: dev-security-policy <dev-security-policy-bounces+mads.henriksveen=buypa...@lists.mozilla.org> On Behalf Of Rob Stradling via dev-security-policy
Sent: tirsdag 16. januar 2018 22:29
To: mozilla-dev-s...@lists.mozilla.org
Subject: CCADB disclosure of id-kp-emailProtection intermediates

[Kathleen, Gerv, Wayne: Please correct me if this post misrepresents Mozilla's policy and/or current expectations. Thanks!]

Mozilla Root Store Policy v2.5 section 5.3.1 [1] permitted the non-disclosure (and, IINM, non-audit) of certain non-technically-constrained id-kp-emailProtection intermediate certificates...until yesterday:
"Instead of complying with the above paragraph, intermediate certificates issued before 22nd June 2017 may, until 15th January 2018..."

According to [2], there are currently 223 non-technically-constrained intermediate certificates known to crt.sh that chain to an NSS built-in root (that has the Email trust bit set) and are capable of issuing id-kp-emailProtection certificates but not id-kp-serverAuthentication certificates.

IIUC, the Mozilla policy now requires these intermediate certificates to have already been disclosed to the CCADB and to be audited.


--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

Wayne Thayer

Apr 18, 2018, 7:14:34 PM4/18/18
to mozilla-dev-s...@lists.mozilla.org
Mozilla's April 15 deadline for disclosure of email intermediates that are
not technically constrained has now passed. I have created the following
bugs for the certificates listed at https://crt.sh/mozilla-disclosures#undisclosed

* Firmaprofesional: https://bugzilla.mozilla.org/show_bug.cgi?id=1455119
* (The "Buypass Class 2 CA 4" has been revoked and will be added to OneCRL)
* Certicamara: https://bugzilla.mozilla.org/show_bug.cgi?id=1455128
* SwissSign: https://bugzilla.mozilla.org/show_bug.cgi?id=1455132
* T-Systems: https://bugzilla.mozilla.org/show_bug.cgi?id=1455137

And for incomplete disclosure (no audit information in CCADB), I have
created bugs for the certificates listed at https://crt.sh/mozilla-disclosures#disclosureincomplete

* DocuSign: previously reported in https://bugzilla.mozilla.org/show_bug.cgi?id=1444455. Incident report submitted and remediation plan proposed
* Camerfirma: https://bugzilla.mozilla.org/show_bug.cgi?id=1455147
* DigiCert: https://bugzilla.mozilla.org/show_bug.cgi?id=1455150 (DigiCert
notified me that they would not be able to meet the deadline, but they are
working to resolve these issues)
* Telia: https://bugzilla.mozilla.org/show_bug.cgi?id=1451953 was created a
few weeks ago. Telia states that they plan to revoke the two undisclosed
certificates in April.

- Wayne