I would appreciate it if we could move the discussion of exceptions to the deadline for revoking certificates containing underscores to a new thread.
As it relates to this request, any failure to meet the revocation deadline would trigger the creation of an incident bug. (that is unless we as a community decide otherwise) I am not of the opinion that the existence of such a bug would change the outcome of this discussion. If others feel that it might, I am not opposed to holding the discussion open. Meanwhile, i'd suggest we stick to discussing the current facts of this request. - Wayne On Thu, Nov 29, 2018 at 2:17 PM Jeremy Rowley <jeremy.row...@digicert.com> wrote: > We can revoke them all by then. The question is do the browsers really > want us to? > > Since we started a public discussion, here's the details: > > There are several prominent websites that use certs with underscore > characters in connection with major operations. I was hoping to get > permission to post the names of these companies before I started a public > discussion, but se le vie - the discussion already started. These companies > are currently in their blackout period which ends around mid-Jan. We're > scheduled to revoke on Jan 14th per the BR change. However, we've heard > back from several of them that they won't complete the migration by then. > This will take down several of the Fortune 500's websites for a change in > the BRs that no one can understand. What we're wondering is how the > browsers feel about revocation vs. shutting down the sites. Public > discussion is welcome while I still try to get the names. Unfortunately, > most companies of that size require a legal review of the communication > before we can post their name... > > > -----Original Message----- > From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> > On Behalf Of Ryan Sleevi via dev-security-policy > Sent: Thursday, November 29, 2018 12:19 PM > To: Wayne Thayer <wtha...@mozilla.com> > Cc: mozilla-dev-security-policy < > mozilla-dev-security-pol...@lists.mozilla.org> > Subject: Re: DigiCert Assured ID Root CA and Global Root CA EV Request > > This deadline is roughly five weeks before all underscore certificates > must be revoked (per Ballot SC12). Given the number of underscore > certificates under various DigiCert operated hierarchies, would you think > it appropriate to consider whether or not SC12 (and, prior to that, the > existing BR requirements in force when those certificates were issued) was > followed by that date? > > More concretely: If DigiCert were to fail to revoke certificates by that > deadline, would it be a reason to consider denying EV status to these roots > / removing (if a decision is made to grant) it? > > I realize the goal is to close discussion a month prior to that date, but > I suspect such guidance about the risk of failing to abide by SC12, and > failing to revoke by January 15, would be incredibly valuable to DigiCert > and their customers. > > On Thu, Nov 29, 2018 at 1:39 PM Wayne Thayer via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > Reminder: the 3-week discussion period for this request to EV-enable > > two DigiCert roots ends next Friday 7-December. > > > > - Wayne > > > > On Fri, Nov 16, 2018 at 5:00 PM Wayne Thayer <wtha...@mozilla.com> > wrote: > > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy