All, I've posted this draft section 7.4 to the Mozilla wiki - https://wiki.mozilla.org/CA/Root_CA_Lifecycles and updated a draft of it in my Github repository - https://github.com/BenWilson-Mozilla/pkipolicy/commit/061692360626814f857168a7e0e6f36f84264d68. It will become part of version 2.9 of the Mozilla Root Store Policy. (As soon as we wrap up and post version 2.8.1, I will start discussions on version 2.9.) Ben
On Thu, Oct 20, 2022 at 11:18 PM Roman Fischer <roman.fisc...@swisssign.com> wrote: > Hi Ben, > > > > Yes, this is also for SwissSign a very good suggestion! > > > > Thanks > Roman > > > > *From:* Jeremy Rowley <jeremy.row...@digicert.com> > *Sent:* Dienstag, 18. Oktober 2022 22:24 > *To:* Ben Wilson <bwil...@mozilla.com>; dev-security-policy@mozilla.org > *Cc:* Roman Fischer <roman.fisc...@swisssign.com> > *Subject:* RE: Proposed Updates to MRSP to Address Root CA Life Cycles > > > > Thanks Ben! This solves my headaches with S/MIME. > > > > *From:* dev-security-policy@mozilla.org <dev-security-policy@mozilla.org> *On > Behalf Of *Ben Wilson > *Sent:* Tuesday, October 18, 2022 1:57 PM > *To:* dev-security-policy@mozilla.org > *Cc:* Jeremy Rowley <jeremy.row...@digicert.com>; Roman Fischer < > roman.fisc...@swisssign.com> > *Subject:* Re: Proposed Updates to MRSP to Address Root CA Life Cycles > > > > All, > > Based on my understanding of Jeremy's email, here is another version. > > *New Section 7.4 “Root CA Life Cycles”* > > For a root CA certificate trusted for server authentication, Mozilla will > remove the websites trust bit when the CA key material is more than 15 > years old. For a root CA certificate trusted for secure email, Mozilla will > set the "Distrust for S/MIME After Date" for the CA certificate to 18 > years from the CA key material generation date. The CA key material > generation date SHALL be determined by reference to the auditor-witnessed > key generation ceremony report. If the CA operator cannot provide the key > generation ceremony report for a root CA certificate created before July 1, > 2012, then Mozilla will use the “Valid From” date in the root CA > certificate to establish the key material generation date. For transition > purposes, root CA certificates in the Mozilla root store will be distrusted > according to the following schedule: > > Key Material Created > > Removal of Websites Trust Bit > > Distrust for S/MIME After Date > > Before 2006 > > April 15, 2025 > > April 15, 2028 > > 2006-2007 > > April 15, 2026 > > April 15, 2029 > > 2008-2009 > > April 15, 2027 > > April 15, 2030 > > 2010-2011 > > April 15, 2028 > > April 15, 2031 > > 2012- April 14, 2014 > > April 15, 2029 > > April 15, 2032 > > April 15, 2014 - present > > 15 years from creation > > 18 years from creation > > This schedule is subject to change if underlying algorithms become more > susceptible to cryptanalytic attack or if other circumstances arise that > make this schedule obsolete. > > CA operators MUST apply to Mozilla for inclusion of their next generation > root certificate at least 2 years before the applicable distrust date. > > Thoughts? > > Ben > > > > On Fri, Oct 14, 2022 at 3:56 PM Ben Wilson <bwil...@mozilla.com> wrote: > > All, > > Are there any additional comments on Jeremy's proposal for S/MIME > certificates? If we do go this route, then I am thinking that we may need > to make this even more clear than what is proposed in the italicized > language. Modifying the table might also help make things more clear. Any > thoughts or suggestions? > > Ben > > > > On Thu, Sep 22, 2022 at 8:51 AM Roman Fischer <roman.fisc...@swisssign.com> > wrote: > > Dear Ben, > > > > SwissSign supports Jeremy’s suggestion. Due to the longer life-time of > S/MIME certificates, we would welcome a later distrust for S/MIME than for > TLS. > > > > Kind regards > Roman > > > > *From:* 'Jeremy Rowley' via dev-security-policy@mozilla.org < > dev-security-policy@mozilla.org> > *Sent:* Mittwoch, 21. September 2022 17:40 > *To:* Ben Wilson <bwil...@mozilla.com>; Li-Chun CHEN < > lcchen.ci...@gmail.com> > *Cc:* dev-security-policy@mozilla.org; Filippo Valsorda < > fili...@ml.filippo.io>; jespe...@gmail.com <jesperm...@gmail.com> > *Subject:* RE: Proposed Updates to MRSP to Address Root CA Life Cycles > > > > Hey Ben, > > > > s/MIME certificates are issued for 3 years and often put on hardware. This > means that s/MIME certificates issued today will be distrusted before their > expiration if signed by one of the impacted roots. The logic behind > applying the removal to sMIME is also weird as the BRs for s/MIME don’t > exist (yet). This means the concern over s/MIME older roots and their > operation under the standards is quite different than TLS. I think we > should either: 1) extend the timeline for s/MIME so its 3 years from > whenever the last issuance date is or 2) apply a notBefore distrust to > sMIME on the dates listed below. There’s also some confusion on what > distrust means because Mozilla has two different ways to distrust a root – > removal or notBefore. How about something like this: > > > Root CA certificates included in the Mozilla root store will be distrusted > when their CA key material is over 15 years old. The date of CA key > material generation SHALL be determined by reference to the auditor’s key > generation ceremony report. For key material generated before July 1, 2012, > Mozilla will assume that the key material was generated on the “Valid From” > date in the root CA certificate. *Under this section and on the date > listed in this section, Mozilla will remove the root’s TLS bit and set a > notBefore rule for s/MIME certs. Mozilla will remove the roots completely > from the root store 3 years after the notBefore date. *For transition > purposes, root CA certificates in the Mozilla root store will be distrusted > according to the following schedule: > > Key Material Created > > Distrust Date > > Before January 1, 2006 > > April 15, 2025 > > 2006-2007 > > April 15, 2026 > > 2008-2009 > > April 15, 2027 > > 2010-2011 > > April 15, 2028 > > 2012- April 14, 2014 > > April 15, 2029 > > April 15, 2014 - present > > 15 years from creation > > This schedule is subject to change if the underlying algorithms become > more susceptible to cryptanalytic attack. > > CA operators MUST apply to Mozilla for inclusion of their next generation > root certificate at least 2 years before the Distrust Date above. > > > > > > Jeremy > > > > *From:* dev-security-policy@mozilla.org <dev-security-policy@mozilla.org> *On > Behalf Of *Ben Wilson > *Sent:* Monday, September 19, 2022 11:44 AM > *To:* Li-Chun CHEN <lcchen.ci...@gmail.com> > *Cc:* dev-security-policy@mozilla.org; Filippo Valsorda < > fili...@ml.filippo.io>; jespe...@gmail.com <jesperm...@gmail.com> > *Subject:* Re: Proposed Updates to MRSP to Address Root CA Life Cycles > > > > Here is another option (deleting the other MRSP language previously > proposed): > > *Section 7.4 “Root CA Life Cycles”* > > Root CA certificates included in the Mozilla root store will be distrusted > when their CA key material is over 15 years old. The date of CA key > material generation SHALL be determined by reference to the auditor’s key > generation ceremony report. For key material generated before July 1, 2012, > Mozilla will assume that the key material was generated on the “Valid From” > date in the root CA certificate. For transition purposes, root CA > certificates in the Mozilla root store will be distrusted according to the > following schedule: > > Key Material Created > > Distrust Date > > Before January 1, 2006 > > April 15, 2025 > > 2006-2007 > > April 15, 2026 > > 2008-2009 > > April 15, 2027 > > 2010-2011 > > April 15, 2028 > > 2012- April 14, 2014 > > April 15, 2029 > > April 15, 2014 - present > > 15 years from creation > > This schedule is subject to change if the underlying algorithms become > more susceptible to cryptanalytic attack. > > CA operators MUST apply to Mozilla for inclusion of their next generation > root certificate at least 2 years before the Distrust Date above. > > > > Thoughts? > > Ben > > > > On Wed, Sep 14, 2022 at 6:11 AM Li-Chun CHEN <lcchen.ci...@gmail.com> > wrote: > > Hi, Fillppo, > > > > About the details of the Android client compatibility and your comment > "why is cross-signing not an option". You could see Hongkong Post CA's case > in mdsp as > https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/a2vWmLIKZy4 > <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fa%2Fmozilla.org%2Fg%2Fdev-security-policy%2Fc%2Fa2vWmLIKZy4&data=05%7C01%7Croman.fischer%40swisssign.com%7C8a7ebc586c2449b834d208dab146b04e%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638017214433141475%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ZrxXndeXdR8tYNqns%2BDAh3xs9gCXhbNZZcHqq8UK0q0%3D&reserved=0> > and Hongkong Post CA's announcement in > https://www.ecert.gov.hk/news/press/95.html > <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ecert.gov.hk%2Fnews%2Fpress%2F95.html&data=05%7C01%7Croman.fischer%40swisssign.com%7C8a7ebc586c2449b834d208dab146b04e%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638017214433141475%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=QLgc6PRqYKbcIUCW1Qp1xwscoNpjQblkStDQm7IDDjA%3D&reserved=0>. > Please also search "Android Fragmentation" key word in internet. > > > > I quoat some information from Hongkong Post CA as below : > > “Our several major subscribers’ of public services have recently > completed research among mobile device users in Hong Kong. It revealed that > usage of the old Android devices version 10 or below (not yet pre-loaded > with Root CA3) could only drop to below 5% for the Hong Kong mobile users > at least after 6 years, taking into account that low-income families would > slowly replace their old mobile devices.” > > Note that " Root CA3 ("Hongkong Post Root CA 3" ) has been included in > Mozilla and Microsoft in May 2019, Google in September 2020, and Apple in > October 2021. Therefore, subscribers are no longer required to install the > cross-certificate to applications such as web servers for being trusted by > common web browsers, when the web browser users use any of the following > web browsers on supported platforms ("Supported Web Browser"): - > > Google Chrome and other supported web browsers on Android 11 or above > > Microsoft Edge and other supported web browsers on Windows 10 or above > > Apple Safari and other supported web browsers on iOS 15 or above, iPadOS > 15 or above, macOS 12 or above. > > Mozilla Firefox version 68 or above on all supported platforms." > > > > "Since 2019, all TLS server certificates have been rolled-over to a new > Hongkong Post Root CA3 Certificate ("Root CA3") to replace the old Root CA1 > which is due for expiry in May 2023. We have also implemented a > cross-certificate signed by the old Root CA1, valid from Aug 2017 to May > 2023 in enabling end-users of Hong Kong who are using old version of > desktop/mobile devices pre-loaded with the old Root CA1 only to access > local websites using TLS server certificates issued under Root CA3. " > > > > “A substantial number of Hong Kong residents using Android version 10 or > below, not yet pre-loaded with Root CA3. Therefore, we plan to model the > previous practice of "Let's Encrypt > <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fletsencrypt.org%2F2020%2F12%2F21%2Fextending-android-compatibility.html&data=05%7C01%7Croman.fischer%40swisssign.com%7C8a7ebc586c2449b834d208dab146b04e%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638017214433141475%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=kYvzvJ8VasAAN3SEE7ga8LoFEXYKblslCkUgr0uC3rQ%3D&reserved=0>" > in managing similar expiry of its Root Certificate in 2021 in order to > minimize the impact of accessibility of local websites governed under Root > CA3 by old Android device users arising from the expiry of Root CA1. “ > > "In order to minimize the impact of accessibility of local websites using > our TLS server certificates by Hong Kong mobile device users to a > manageable level, we consider issuing the new cross-certificate signed by > Root CA1 extended by a longer transition period of 6 years or more (instead > of 3 years to May 2026). Taking into account that during the transition > period, the security strength would not be affected along our existing > certificate chain of trust. We have re-confirmed with our auditor to ensure > our revised plan with no compliance concerns." > > > > Note that Hong Kong Post CA's Root CA1 is RSA 2048 with SHA-1. Their new > cross-sign certificate RSA 4096 with SHA-256 i: > https://crt.sh/?id=7224214828 > <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcrt.sh%2F%3Fid%3D7224214828&data=05%7C01%7Croman.fischer%40swisssign.com%7C8a7ebc586c2449b834d208dab146b04e%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638017214433141475%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=eBUWb1pKtbJnUlrWpaY4RHiNqaqbVB0zfW8%2BnKhBPjE%3D&reserved=0>. > > > > > Thanks to Mr. Man Ho of Hongkong Post Certification Authority, Certizen . > > > > Sincerely Yours, > > > > Li-Chun Chen > > > > > > > > Filippo Valsorda 在 2022年9月8日 星期四上午8:42:03 [UTC+8] 的信中寫道: > > 2022-09-08 00:11 GMT+02:00 Ben Wilson <bwi...@mozilla.com>: > > Thanks. As noted in your comments, the majority of affected root CAs have > indicated that they do not believe that they will have a problem with the > proposed deprecation schedule, but I am still considering modifying the > wording/timeframes for the four or so CAs who might be affected. For > example, one CA operator has since noted that their key is 4096-bit RSA, > that they can provide audit documentation of their key generation, and that > the transition to another root may be difficult for users of Android and > Apple devices. > > > > Thank you for the details. Key generation audits are nice, but without > ongoing audits from that moment to the present, I believe they don't > mitigate the security concerns around what that key might have signed over > its lifetime. > > > > Could the details of the Android and Apple client compatibility issues be > shared on-list, ideally by the affected CAs? It feels like an opportunity > for the ecosystem to learn something if nothing else. > > > > So, I will take a closer look at these four Root CAs as I continue to look > to see how the wording or schedule of the original proposal can be tweaked. > > > > Off-hand, here are the Root Certificates from those affected CA operators > who I recall have previously expressed concern, one way or another: > > > > GlobalSign - https://crt.sh/?id=88 > <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcrt.sh%2F%3Fid%3D88&data=05%7C01%7Croman.fischer%40swisssign.com%7C8a7ebc586c2449b834d208dab146b04e%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638017214433141475%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=oqaG3SdxPrxccU4rSkFf0wuNoJsv4JDJJ0Q9KvhYHMU%3D&reserved=0> > > DigiCert - https://crt.sh/?id=76 > <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcrt.sh%2F%3Fid%3D76&data=05%7C01%7Croman.fischer%40swisssign.com%7C8a7ebc586c2449b834d208dab146b04e%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638017214433141475%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=HKKs0ZGTrqY0kgmta2FaFCaU682LjuVqpga77N%2FLd7w%3D&reserved=0> > > Chunghwa Telecom - https://crt.sh/?id=17183 > <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcrt.sh%2F%3Fid%3D17183&data=05%7C01%7Croman.fischer%40swisssign.com%7C8a7ebc586c2449b834d208dab146b04e%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638017214433141475%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=YWcgTEkTgadJMY6jLjMwZt7dafUaGp%2Fen7UKEYbA1Eg%3D&reserved=0> > > Sectigo - https://crt.sh/?id=331986 > <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcrt.sh%2F%3Fid%3D331986&data=05%7C01%7Croman.fischer%40swisssign.com%7C8a7ebc586c2449b834d208dab146b04e%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638017214433141475%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=xxgXDlQou0fNsYgAgDKRwFKsoVyKzOYXyRdA6zxkh7c%3D&reserved=0> > > > > Others who I believe do not have concerns with the current proposal are: > > > > SECOM - https://crt.sh/?id=144 > <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcrt.sh%2F%3Fid%3D144&data=05%7C01%7Croman.fischer%40swisssign.com%7C8a7ebc586c2449b834d208dab146b04e%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638017214433141475%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=NI%2FND0UoK7jVotsztpdhIUVeDgNJmhW%2Fk03awiplnKw%3D&reserved=0> > > Hong Kong Post - https://crt.sh/?id=4854 > <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcrt.sh%2F%3Fid%3D4854&data=05%7C01%7Croman.fischer%40swisssign.com%7C8a7ebc586c2449b834d208dab146b04e%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638017214433141475%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=FCA%2FB%2BsTrpnXZstj3QL9%2Fz2jX2fwvLJ%2BsMoyy4Um8RI%3D&reserved=0> > > Entrust - https://crt.sh/?id=55 > <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcrt.sh%2F%3Fid%3D55&data=05%7C01%7Croman.fischer%40swisssign.com%7C8a7ebc586c2449b834d208dab146b04e%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638017214433141475%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=aZa7BDljdpbdklvrhKpfds2SODZoZdmB33IYIVD%2BK%2B8%3D&reserved=0> > > GoDaddy - https://crt.sh/?id=39 > <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcrt.sh%2F%3Fid%3D39&data=05%7C01%7Croman.fischer%40swisssign.com%7C8a7ebc586c2449b834d208dab146b04e%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638017214433297680%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=tG88v91nAzZzsMn1VfLUVGWvUBGnlxgLQqC%2F8U4TDVI%3D&reserved=0> > and https://crt.sh/?id=27 > <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcrt.sh%2F%3Fid%3D27&data=05%7C01%7Croman.fischer%40swisssign.com%7C8a7ebc586c2449b834d208dab146b04e%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638017214433297680%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=SXlwYVisg4Nw1CKj1gNnsqlLWG4B8VQgenzJGzKm4TY%3D&reserved=0> > > SecureTrust/Viking Cloud - https://crt.sh/?id=95564 > <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcrt.sh%2F%3Fid%3D95564&data=05%7C01%7Croman.fischer%40swisssign.com%7C8a7ebc586c2449b834d208dab146b04e%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638017214433297680%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=zPuvVe9lZMHHoZp34t9zVHyJEMDCuL8KSN2rZrSNQ%2Fs%3D&reserved=0> > > > > > > Ben > > > > > > -- > You received this message because you are subscribed to the Google Groups " > dev-security-policy@mozilla.org" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to dev-security-policy+unsubscr...@mozilla.org. > To view this discussion on the web visit > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZdguv3J-uBNatmg7csENQWvk%2BHNRrn41xKTzpw2JGWBQ%40mail.gmail.com > <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fa%2Fmozilla.org%2Fd%2Fmsgid%2Fdev-security-policy%2FCA%252B1gtaZdguv3J-uBNatmg7csENQWvk%252BHNRrn41xKTzpw2JGWBQ%2540mail.gmail.com%3Futm_medium%3Demail%26utm_source%3Dfooter&data=05%7C01%7Croman.fischer%40swisssign.com%7C8a7ebc586c2449b834d208dab146b04e%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638017214433297680%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=DEemK4JBTdMW6RLS36zBIBeke1wKFxeOoYur7ljuHW4%3D&reserved=0> > . > > -- > You received this message because you are subscribed to the Google Groups " > dev-security-policy@mozilla.org" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to dev-security-policy+unsubscr...@mozilla.org. > To view this discussion on the web visit > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/BYAPR14MB260034616DFEAF039A7988238E4F9%40BYAPR14MB2600.namprd14.prod.outlook.com > <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fa%2Fmozilla.org%2Fd%2Fmsgid%2Fdev-security-policy%2FBYAPR14MB260034616DFEAF039A7988238E4F9%2540BYAPR14MB2600.namprd14.prod.outlook.com%3Futm_medium%3Demail%26utm_source%3Dfooter&data=05%7C01%7Croman.fischer%40swisssign.com%7C8a7ebc586c2449b834d208dab146b04e%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638017214433297680%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=p%2FmE7nHbWzlqv4y5B%2BObI7jEQcukEM6OF8%2Fcn6TNS7w%3D&reserved=0> > . > > -- > You received this message because you are subscribed to the Google Groups " > dev-security-policy@mozilla.org" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to dev-security-policy+unsubscr...@mozilla.org. > To view this discussion on the web visit > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/ZRAP278MB056259B6D7DAEED5DCE9792BFA4E9%40ZRAP278MB0562.CHEP278.PROD.OUTLOOK.COM > <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fa%2Fmozilla.org%2Fd%2Fmsgid%2Fdev-security-policy%2FZRAP278MB056259B6D7DAEED5DCE9792BFA4E9%2540ZRAP278MB0562.CHEP278.PROD.OUTLOOK.COM%3Futm_medium%3Demail%26utm_source%3Dfooter&data=05%7C01%7Croman.fischer%40swisssign.com%7C8a7ebc586c2449b834d208dab146b04e%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638017214433297680%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=5I3lBL2h40m610Vboa1v5I9jwVS8qxyjXE9vm6v41rA%3D&reserved=0> > . > > -- > You received this message because you are subscribed to the Google Groups " > dev-security-policy@mozilla.org" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to dev-security-policy+unsubscr...@mozilla.org. > To view this discussion on the web visit > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaYdz4sYKmd5hB0ya6%2BsPFwjRyaBHOsxKUCn4u2boyowow%40mail.gmail.com > <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fa%2Fmozilla.org%2Fd%2Fmsgid%2Fdev-security-policy%2FCA%252B1gtaYdz4sYKmd5hB0ya6%252BsPFwjRyaBHOsxKUCn4u2boyowow%2540mail.gmail.com%3Futm_medium%3Demail%26utm_source%3Dfooter&data=05%7C01%7Croman.fischer%40swisssign.com%7C8a7ebc586c2449b834d208dab146b04e%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638017214433297680%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=5MShcb5ggDMJNya41YsnSe24vu8TIELNlRBv36IxYrc%3D&reserved=0> > . > -- You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group. To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsubscr...@mozilla.org. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaacp6YQm3bqsPQ5y_zHh2w8GX0-jP-cE_Au0HFvdfSOWg%40mail.gmail.com.