On 26/01/2018 18:11, Wayne Thayer wrote:
Based on the feedback we've received, but sticking with the original intent
of this communication, I have converted it into a survey. You can find a
draft at:

https://wiki.mozilla.org/CA/Communications#January_2018_CA_Communication

I would appreciate your comments on this. I have set the deadline for
responses to 9-Feb, making the assumption that we can send this out on
Monday.


I think a number of the questions/actions need additional options:

For ACTION 1:

(These 3 are between the 1st and second current option).

Add Option: Our CPS permits these methods, but we have already stopped
  exercising that permission, and any certificates so issued are no
  longer valid (expired or revoked).

Add Option: We previously used these methods, but have already suspended
  doing so. We have reviewed our past implementation for vulnerabilities
  and have reported our findings below.

Add option: We previously used these methods, but have already suspended
  doing so. We will review our past implementation for vulnerabilities
  and report our findings on the mozilla.dev.security.policy list by the
  date specified in the comments section below.


For ACTION 2:

Add option: Our CPS permits these methods, but we only use them in a way
  that already complies with the proposed method 12 in CAB/F ballot 218.

Plus the 3 extra options from ACTION 1

For ACTION 4:

Split the second item into:

Option: We intend to deliver our BR Self Assessment prior to 31-January
  2018

Option: We previously requested an extension and intend to deliver our
  BR Self Assessment prior to 15-April 2018.

For ACTION 5:

Split the or clause into two options (formatting error)

For ACTION 6:

Split into 3 options

Option: We have never issued SSL certificates with a validity period
  greater than 825 days, and will not do so in the future.

Option: We will stop issuing SSL certificates with a validity period
  greater than 825 days on or before 1-March 2018

Option: We will stop issuing SSL certificates with a validity period
  greater than 825 days on or before 1-March 2018.  Some certificates
  issued before 1-March 2018 have a not-before date after 28-Feb 2018
  and more than 825 days before their not-after date.  (But not-after is
  still less than the previously permitted maximum time after the date
  of issuance).

(That 3rd option would apply, at least, to GlobalSign according to
another thread).



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
