Even though I have until 15-Jan-2018 to comply, I have uploaded a few CAs where
EKU contains emailProtection, and here are a few more questions.

For CAs with emailProtection and proper name constraints, where would such CAs
appear in https://crt.sh/mozilla-disclosures?
https://crt.sh/mozilla-disclosures#constrainedother? Or a new section of the
list, yet to be determined?

And for CAs where EKU contains emailProtection, what are the programmatic 
criteria that determine whether the CA will be in such list as properly name 
constrained, since the Baseline Requirements don’t cover email certificates?  
(Presumably, a properly name-constrained email CA would not require any audit.)
Can the mozilla-disclosures list filter on whether there is a WebTrust 2.0/ETSI 
audit (and not on the BR audit since email certificates aren’t covered by BR 
audits)?
Thanks,
Ben
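An added example, not part of this thread and not crt.sh's or Mozilla's code, working Ben's question about programmatic criteria in Go: it self-signs a constructed test CA (fixed throwaway key, an example.com rfc822Name constraint) and buckets it by whether the EKU permits emailProtection and whether NameConstraints carries at least one rfc822Name permittedSubtree. The bucket labels and the "permittedSubtrees required" rule are this example's own assumptions, not the published criteria.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Bucket labels are this example's own, not crt.sh section names.
const (
	NotEmailCapable    = "no emailProtection EKU"
	EmailUnconstrained = "email-capable, no rfc822Name permittedSubtrees"
	EmailConstrained   = "email-capable, rfc822Name-constrained"
)

// Classify buckets a CA certificate. No EKU extension means no restriction (RFC 5280), so that
// CA is email-capable too; only rfc822Name permittedSubtrees bound what it may issue for S/MIME.
func Classify(c *x509.Certificate) string {
	emailCapable := len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0
	for _, eku := range c.ExtKeyUsage {
		emailCapable = emailCapable || eku == x509.ExtKeyUsageEmailProtection || eku == x509.ExtKeyUsageAny
	}
	if !emailCapable {
		return NotEmailCapable
	}
	if len(c.PermittedEmailAddresses) > 0 { // dNSName-only or excluded-only constraints do not count
		return EmailConstrained
	}
	return EmailUnconstrained
}

// newTestCA self-signs a constructed test CA (not a real CA; fixed throwaway key) with the given
// EKUs and rfc822Name permittedSubtrees, then re-parses the DER as a relying party would see it.
func newTestCA(ekus []x509.ExtKeyUsage, permittedEmail []string) (*x509.Certificate, error) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Email CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, ExtKeyUsage: ekus,
		PermittedEmailAddresses: permittedEmail, PermittedDNSDomainsCritical: true, // NameConstraints, critical
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Run it under `go test`; a real disclosure check would replace newTestCA with the parsed DER of the intermediate under review.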
From: Alex Gaynor [mailto:agay...@mozilla.com] 
Sent: Tuesday, July 11, 2017 1:24 PM
To: Ben Wilson <ben.wil...@digicert.com>
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: How long to resolve unaudited unconstrained intermediates?

Hey Ben,

Take a look at the thread "Disclosing unconstrained emailProtection 
intermediates to CCADB" by Rob, it explains the change and has the relevant 
dates by which CAs must comply.

Alex

On Tue, Jul 11, 2017 at 3:21 PM, Ben Wilson via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:

By the way, I just noticed on https://crt.sh/mozilla-disclosures#undisclosed
that CA certificates with an EKU of eMailProtection (1.3.6.1.5.5.7.3.4) are
now listed when they weren't required to be listed previously.  Presumably
CAs will be given ample time to update these entries.


-----Original Message-----
From: dev-security-policy
[mailto:dev-security-policy-bounces+ben=digicert....@lists.mozilla.org] On
Behalf Of Nick Lamb via dev-security-policy
Sent: Tuesday, July 11, 2017 7:57 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: How long to resolve unaudited unconstrained intermediates?

On Tuesday, 11 July 2017 10:56:43 UTC+1, Kurt Roeckx wrote:
> So at least some of them have been notified more than 3 months ago,
> and a bug was filed a month later. I think you already gave them too
> much time to at least respond to it, and suggest that you send a new
> email indicating that if they don't respond immediately they will
> get added to OneCRL.

Agreed. It may also make sense to add telemetry that allows Mozilla to
determine whether listing such subCAs in OneCRL is ever actually
blocking anything. This makes a difference in my opinion as to the severity
of the breach of policy by the CA in question.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy