Adding mozilla.dev.security.policy back to this thread per Rob's suggestion:
On Fri, Dec 14, 2018 at 3:27 AM Rob Stradling <r...@sectigo.com> wrote:

> On 13/12/2018 19:05, Wayne Thayer wrote:
> > Thank you Rob, this is terrific!
>
> Thanks Wayne.
>
> > I would like to ask that all CAs to take a look at this report and
> > correct any issues that are found with their test websites.
>
> I just noticed that m.d.s.p was dropped from this sub-thread before you
> wrote that, so you probably didn't reach much of your target audience.
> (I would forward your message to m.d.s.p, but it's probably better if it
> comes directly from you).
>
> > The report is flagging a number of sites as "Not HTML", which means that
> > they are serving some content type other than text/html.
>
> Currently text/html and text/xml are permitted.
>
> Webpages are "usually written in HTML or a comparable markup
> language...and...Typical web pages provide hypertext that includes a
> navigation bar or a sidebar menu linking to other web pages via
> hyperlinks, often referred to as links"
> (https://en.wikipedia.org/wiki/Web_page).
>
> Most of the "Not HTML" errors are due to the response being classified
> as text/plain, which clearly isn't a markup language and so it doesn't
> contain hyperlinks.
>
> > While I think that Rob has correctly interpreted the meaning of "test
> > website", Kathleen and I are not currently planning to categorize
> > this as a policy violation.
>
> That seems reasonable. The report only shows "Not HTML" when there are
> no other issues.
>
> > However, it would still be appreciated if CAs
> > help to clean up the report by serving HTML on their test websites.
> >
> > On Thu, Dec 13, 2018 at 5:54 AM Rufus Buschart <ru...@buschart.de
> > <mailto:ru...@buschart.de>> wrote:
> >
> >     Well, it seemed to be obvious to me, because there might be also a
> >     problem with one of the Issuing CAs / Intermediate CAs in the chain
> >     between the Root and the Subscriber Certificate. We at Siemens host
> >     test web sites for every single issuing CA operated by us:
> >     https://catestsite.siemens.com/
> >
> > It is always good to hear when a CA does things because they make sense,
> > not just to meet the minimum requirement.
> >
> >     But if the requirement is not as strict as we understood it, that's
> >     fine for me too. I rather like to err to the safe side than to have
> >     a bug on MDSP list....
> >
> > The requirement is not as strict as you understood it, but it is only a
> > minimum requirement. Mozilla is most concerned with the roots we're
> > shipping, so the current requirement is satisfactory for us.
> >
> >     /Rufus
> >
> >     What we do in life, echoes in eternity.
> >     ===========================================
> >     Rufus J.W. Buschart
> >     Anna-Pirson-Weg 1c
> >     91052 Erlangen
> >     Phone: +49 (0)9131 - 530 15 85
> >     Mobile: +49 (0)152 - 228 94 134
> >     Web: http://www.buschart.de
> >
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> Email: r...@sectigo.com
> Bradford, UK
> Office: +441274024707
> Sectigo Limited
>
> This message and any files associated with it may contain legally
> privileged, confidential, or proprietary information. If you are not the
> intended recipient, you are not permitted to use, copy, or forward it,
> in whole or in part without the express consent of the sender. Please
> notify the sender by reply email, disregard the foregoing messages, and
> delete it immediately.
> _______________________________________________

dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy