Thanks Jakob. I updated the draft as described below.

On Fri, Jan 26, 2018 at 10:42 AM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

>
> I think a number of the questions/actions need additional options:
>
> For ACTION 1:
>
> (These 3 are between the 1st and second current option).
>
> Add Option: Our CPS permits these methods, but we have already stopped
>   exercising that permission, and any certificates so issued are no
>   longer valid (expired or revoked).
>
> Add Option: We previously used these methods, but have already suspended
>   doing so. We have reviewed our past implementation for vulnerabilities
>   and have reported our findings below.
>
> Add option: We previously used these methods, but have already suspended
>   doing so. We will review our past implementation for vulnerabilities
>   and report our findings on the mozilla.dev.security.policy list by the
>   date specified in the comments section below.
>

I don't think many CAs are using these methods, so I simplified your
suggestion by changing option 3 to "Other (please describe below)".

>
> For ACTION 2:
>
> Add option: Our CPS permits these methods, but we only use them in a way
>   that already complies with the proposed method 12 in CAB/F ballot 218.
>

Added.

> Plus the 3 extra options from ACTION 1
>

I again tried to simplify your suggestion by changing the existing choices
to cover these cases.


> For ACTION 4:
>
> Split the second item into:
>
> Option: We intend to deliver our BR Self Assessment prior to 31-January
>   2018
>
> Option: We previously requested an extension and intend to deliver our
>   BR Self Assessment prior to 15-April 2018.
>

Done.

> For ACTION 5:
>
> Split the or clause into two options (formatting error)
>

Fixed.

> For ACTION 6:
>
> Split into 3 options
>
> Option: We have never issued SSL certificates with a validity period
>   greater than 825 days, and will not do so in the future.
>
> Option: We will stop issuing SSL certificates with a validity period
>   greater than 825 days on or before 1-March 2018
>
> Option: We will stop issuing SSL certificates with a validity period
>   greater than 825 days on or before 1-March 2018.  Some certificates
>   issued before 1-March 2018 have a not-before date after 28-Feb 2018
>   and more than 825 days before their not-after date.  (But not-after is
>   still less than the previously permitted maximum time after the date
>   of issuance).
>
> (That 3rd option would apply, at least, to GlobalSign according to
> another thread).
>

I rejected this change because it was determined that GlobalSign didn't
break any rules or find a loophole that bypasses the new 825-day
requirement, and the intent of this action is not to discover which CAs
have been issuing 3-year certs.

>
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>