On Friday, January 3, 2020 at 10:27:26 AM UTC-5, Wayne Thayer wrote:
> I've made some additional improvements to the survey based on feedback from
> Kathleen:
> 
> https://ccadb-public.secure.force.com/mozillacommunications/CACommunicationSurveySample?CACommunicationId=a051J00003waNOW
> 
> I'm planning to send this out to CAs on Tuesday.
> 
> On Mon, Dec 23, 2019 at 12:39 PM Wayne Thayer <wtha...@mozilla.com> wrote:
> 
> > On Thu, Dec 19, 2019 at 3:59 PM Jeremy Rowley <jeremy.row...@digicert.com>
> > wrote:
> >
> >> Should anything be mentioned about the allowed algorithms? That's the
> >> largest change to the policy and confirming the AlgorithmIdentifiers in
> >> each case may take some time.
> >>
> >>
> > I'd argue that this is a clarification rather than a change, and depending
> > on the CA, confirming compliance with the updates in section 5.1 may not
> > take as long as the CPS updates. I'm not strongly opposed to calling this
> > out but I'd argue that it's hard to miss when reviewing all of the updates
> > as required by question #1.
> >

Perhaps a minor question/nit, but it's better to raise it to remove all doubt: 
for Action Item 3, if there exist revoked (but still unexpired) end-entity 
certificates without an EKU but the CA has already switched to universally including 
the EKU in end-entity certificates, should the CA select "All unexpired 
end-entity certificates that we issue or have issued and are within the scope 
of Mozilla's policy currently comply with this requirement" (which loosely 
interprets the meaning of "unexpired" to encompass "non-revoked" as well), or 
should the CA select one of the other options?

I believe the intent of the discussion in 
https://groups.google.com/d/msg/mozilla.dev.security.policy/5lAI-8lkQbM/1D392GR1BQAJ
indicates that Mozilla doesn't care about revoked certificates in this case, 
so perhaps the language for option 1 should be clarified to specify "unexpired, 
non-revoked" to better convey the intent.

Thanks,
Corey
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy