Hi Ben,
We’d like to do some testing to see how cross certificates to Mozilla distrusted roots will work (assume it will). Will Mozilla be removing the roots from the trust store, or is there something else behind “removing the trust bit” that we should know about so we can run some tests? Thanks! Doug From: dev-security-policy@mozilla.org <dev-security-policy@mozilla.org> On Behalf Of Ben Wilson Sent: Wednesday, January 25, 2023 7:52 PM To: dev-security-policy@mozilla.org Subject: Re: Proposed Updates to MRSP to Address Root CA Life Cycles All, I've posted this draft section 7.4 to the Mozilla wiki - https://wiki.mozilla.org/CA/Root_CA_Lifecycles and updated a draft of it in my Github repository - https://github.com/BenWilson-Mozilla/pkipolicy/commit/061692360626814f857168a7e0e6f36f84264d68. It will become part of version 2.9 of the Mozilla Root Store Policy. (As soon as we wrap up and post version 2.8.1, I will start discussions on version 2.9.) Ben On Thu, Oct 20, 2022 at 11:18 PM Roman Fischer <roman.fisc...@swisssign.com <mailto:roman.fisc...@swisssign.com> > wrote: Hi Ben, Yes, this is also for SwissSign a very good suggestion! Thanks Roman From: Jeremy Rowley <jeremy.row...@digicert.com <mailto:jeremy.row...@digicert.com> > Sent: Dienstag, 18. Oktober 2022 22:24 To: Ben Wilson <bwil...@mozilla.com <mailto:bwil...@mozilla.com> >; dev-security-policy@mozilla.org <mailto:dev-security-policy@mozilla.org> Cc: Roman Fischer <roman.fisc...@swisssign.com <mailto:roman.fisc...@swisssign.com> > Subject: RE: Proposed Updates to MRSP to Address Root CA Life Cycles Thanks Ben! This solves my headaches with S/MIME. From: dev-security-policy@mozilla.org <mailto:dev-security-policy@mozilla.org> <dev-security-policy@mozilla.org <mailto:dev-security-policy@mozilla.org> > On Behalf Of Ben Wilson Sent: Tuesday, October 18, 2022 1:57 PM To: dev-security-policy@mozilla.org <mailto:dev-security-policy@mozilla.org> Cc: Jeremy Rowley <jeremy.row...@digicert.com <mailto:jeremy.row...@digicert.com> >; Roman Fischer <roman.fisc...@swisssign.com <mailto:roman.fisc...@swisssign.com> > Subject: Re: Proposed Updates to MRSP to Address Root CA Life Cycles All, Based on my understanding of Jeremy's email, here is another version. New Section 7.4 “Root CA Life Cycles” For a root CA certificate trusted for server authentication, Mozilla will remove the websites trust bit when the CA key material is more than 15 years old. For a root CA certificate trusted for secure email, Mozilla will set the "Distrust for S/MIME After Date" for the CA certificate to 18 years from the CA key material generation date. The CA key material generation date SHALL be determined by reference to the auditor-witnessed key generation ceremony report. If the CA operator cannot provide the key generation ceremony report for a root CA certificate created before July 1, 2012, then Mozilla will use the “Valid From” date in the root CA certificate to establish the key material generation date. For transition purposes, root CA certificates in the Mozilla root store will be distrusted according to the following schedule: Key Material Created Removal of Websites Trust Bit Distrust for S/MIME After Date Before 2006 April 15, 2025 April 15, 2028 2006-2007 April 15, 2026 April 15, 2029 2008-2009 April 15, 2027 April 15, 2030 2010-2011 April 15, 2028 April 15, 2031 2012- April 14, 2014 April 15, 2029 April 15, 2032 April 15, 2014 - present 15 years from creation 18 years from creation This schedule is subject to change if underlying algorithms become more susceptible to cryptanalytic attack or if other circumstances arise that make this schedule obsolete. CA operators MUST apply to Mozilla for inclusion of their next generation root certificate at least 2 years before the applicable distrust date. Thoughts? Ben On Fri, Oct 14, 2022 at 3:56 PM Ben Wilson <bwil...@mozilla.com <mailto:bwil...@mozilla.com> > wrote: All, Are there any additional comments on Jeremy's proposal for S/MIME certificates? If we do go this route, then I am thinking that we may need to make this even more clear than what is proposed in the italicized language. Modifying the table might also help make things more clear. Any thoughts or suggestions? Ben On Thu, Sep 22, 2022 at 8:51 AM Roman Fischer <roman.fisc...@swisssign.com <mailto:roman.fisc...@swisssign.com> > wrote: Dear Ben, SwissSign supports Jeremy’s suggestion. Due to the longer life-time of S/MIME certificates, we would welcome a later distrust for S/MIME than for TLS. Kind regards Roman From: 'Jeremy Rowley' via dev-security-policy@mozilla.org <mailto:dev-security-policy@mozilla.org> <dev-security-policy@mozilla.org <mailto:dev-security-policy@mozilla.org> > Sent: Mittwoch, 21. September 2022 17:40 To: Ben Wilson <bwil...@mozilla.com <mailto:bwil...@mozilla.com> >; Li-Chun CHEN <lcchen.ci...@gmail.com <mailto:lcchen.ci...@gmail.com> > Cc: dev-security-policy@mozilla.org <mailto:dev-security-policy@mozilla.org> ; Filippo Valsorda <fili...@ml.filippo.io <mailto:fili...@ml.filippo.io> >; jespe...@gmail.com <mailto:jespe...@gmail.com> <jesperm...@gmail.com <mailto:jesperm...@gmail.com> > Subject: RE: Proposed Updates to MRSP to Address Root CA Life Cycles Hey Ben, s/MIME certificates are issued for 3 years and often put on hardware. This means that s/MIME certificates issued today will be distrusted before their expiration if signed by one of the impacted roots. The logic behind applying the removal to sMIME is also weird as the BRs for s/MIME don’t exist (yet). This means the concern over s/MIME older roots and their operation under the standards is quite different than TLS. I think we should either: 1) extend the timeline for s/MIME so its 3 years from whenever the last issuance date is or 2) apply a notBefore distrust to sMIME on the dates listed below. There’s also some confusion on what distrust means because Mozilla has two different ways to distrust a root – removal or notBefore. How about something like this: Root CA certificates included in the Mozilla root store will be distrusted when their CA key material is over 15 years old. The date of CA key material generation SHALL be determined by reference to the auditor’s key generation ceremony report. For key material generated before July 1, 2012, Mozilla will assume that the key material was generated on the “Valid From” date in the root CA certificate. Under this section and on the date listed in this section, Mozilla will remove the root’s TLS bit and set a notBefore rule for s/MIME certs. Mozilla will remove the roots completely from the root store 3 years after the notBefore date. For transition purposes, root CA certificates in the Mozilla root store will be distrusted according to the following schedule: Key Material Created Distrust Date Before January 1, 2006 April 15, 2025 2006-2007 April 15, 2026 2008-2009 April 15, 2027 2010-2011 April 15, 2028 2012- April 14, 2014 April 15, 2029 April 15, 2014 - present 15 years from creation This schedule is subject to change if the underlying algorithms become more susceptible to cryptanalytic attack. CA operators MUST apply to Mozilla for inclusion of their next generation root certificate at least 2 years before the Distrust Date above. Jeremy From: dev-security-policy@mozilla.org <mailto:dev-security-policy@mozilla.org> <dev-security-policy@mozilla.org <mailto:dev-security-policy@mozilla.org> > On Behalf Of Ben Wilson Sent: Monday, September 19, 2022 11:44 AM To: Li-Chun CHEN <lcchen.ci...@gmail.com <mailto:lcchen.ci...@gmail.com> > Cc: dev-security-policy@mozilla.org <mailto:dev-security-policy@mozilla.org> ; Filippo Valsorda <fili...@ml.filippo.io <mailto:fili...@ml.filippo.io> >; jespe...@gmail.com <mailto:jespe...@gmail.com> <jesperm...@gmail.com <mailto:jesperm...@gmail.com> > Subject: Re: Proposed Updates to MRSP to Address Root CA Life Cycles Here is another option (deleting the other MRSP language previously proposed): Section 7.4 “Root CA Life Cycles” Root CA certificates included in the Mozilla root store will be distrusted when their CA key material is over 15 years old. The date of CA key material generation SHALL be determined by reference to the auditor’s key generation ceremony report. For key material generated before July 1, 2012, Mozilla will assume that the key material was generated on the “Valid From” date in the root CA certificate. For transition purposes, root CA certificates in the Mozilla root store will be distrusted according to the following schedule: Key Material Created Distrust Date Before January 1, 2006 April 15, 2025 2006-2007 April 15, 2026 2008-2009 April 15, 2027 2010-2011 April 15, 2028 2012- April 14, 2014 April 15, 2029 April 15, 2014 - present 15 years from creation This schedule is subject to change if the underlying algorithms become more susceptible to cryptanalytic attack. CA operators MUST apply to Mozilla for inclusion of their next generation root certificate at least 2 years before the Distrust Date above. Thoughts? Ben On Wed, Sep 14, 2022 at 6:11 AM Li-Chun CHEN <lcchen.ci...@gmail.com <mailto:lcchen.ci...@gmail.com> > wrote: Hi, Fillppo, About the details of the Android client compatibility and your comment "why is cross-signing not an option". You could see Hongkong Post CA's case in mdsp as https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/a2vWmLIKZy4 <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fa%2Fmozilla.org%2Fg%2Fdev-security-policy%2Fc%2Fa2vWmLIKZy4&data=05%7C01%7Croman.fischer%40swisssign.com%7C8a7ebc586c2449b834d208dab146b04e%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638017214433141475%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ZrxXndeXdR8tYNqns%2BDAh3xs9gCXhbNZZcHqq8UK0q0%3D&reserved=0> and Hongkong Post CA's announcement in https://www.ecert.gov.hk/news/press/95.html <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ecert.gov.hk%2Fnews%2Fpress%2F95.html&data=05%7C01%7Croman.fischer%40swisssign.com%7C8a7ebc586c2449b834d208dab146b04e%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638017214433141475%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=QLgc6PRqYKbcIUCW1Qp1xwscoNpjQblkStDQm7IDDjA%3D&reserved=0> . Please also search "Android Fragmentation" key word in internet. I quoat some information from Hongkong Post CA as below : “Our several major subscribers’ of public services have recently completed research among mobile device users in Hong Kong. It revealed that usage of the old Android devices version 10 or below (not yet pre-loaded with Root CA3) could only drop to below 5% for the Hong Kong mobile users at least after 6 years, taking into account that low-income families would slowly replace their old mobile devices.” Note that " Root CA3 ("Hongkong Post Root CA 3" ) has been included in Mozilla and Microsoft in May 2019, Google in September 2020, and Apple in October 2021. Therefore, subscribers are no longer required to install the cross-certificate to applications such as web servers for being trusted by common web browsers, when the web browser users use any of the following web browsers on supported platforms ("Supported Web Browser"): - Google Chrome and other supported web browsers on Android 11 or above Microsoft Edge and other supported web browsers on Windows 10 or above Apple Safari and other supported web browsers on iOS 15 or above, iPadOS 15 or above, macOS 12 or above. Mozilla Firefox version 68 or above on all supported platforms." "Since 2019, all TLS server certificates have been rolled-over to a new Hongkong Post Root CA3 Certificate ("Root CA3") to replace the old Root CA1 which is due for expiry in May 2023. We have also implemented a cross-certificate signed by the old Root CA1, valid from Aug 2017 to May 2023 in enabling end-users of Hong Kong who are using old version of desktop/mobile devices pre-loaded with the old Root CA1 only to access local websites using TLS server certificates issued under Root CA3. " “A substantial number of Hong Kong residents using Android version 10 or below, not yet pre-loaded with Root CA3. Therefore, we plan to model the previous practice of "Let's Encrypt <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fletsencrypt.org%2F2020%2F12%2F21%2Fextending-android-compatibility.html&data=05%7C01%7Croman.fischer%40swisssign.com%7C8a7ebc586c2449b834d208dab146b04e%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638017214433141475%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=kYvzvJ8VasAAN3SEE7ga8LoFEXYKblslCkUgr0uC3rQ%3D&reserved=0> " in managing similar expiry of its Root Certificate in 2021 in order to minimize the impact of accessibility of local websites governed under Root CA3 by old Android device users arising from the expiry of Root CA1. “ "In order to minimize the impact of accessibility of local websites using our TLS server certificates by Hong Kong mobile device users to a manageable level, we consider issuing the new cross-certificate signed by Root CA1 extended by a longer transition period of 6 years or more (instead of 3 years to May 2026). Taking into account that during the transition period, the security strength would not be affected along our existing certificate chain of trust. We have re-confirmed with our auditor to ensure our revised plan with no compliance concerns." Note that Hong Kong Post CA's Root CA1 is RSA 2048 with SHA-1. Their new cross-sign certificate RSA 4096 with SHA-256 i:https://crt.sh/?id=7224214828 <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcrt.sh%2F%3Fid%3D7224214828&data=05%7C01%7Croman.fischer%40swisssign.com%7C8a7ebc586c2449b834d208dab146b04e%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638017214433141475%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=eBUWb1pKtbJnUlrWpaY4RHiNqaqbVB0zfW8%2BnKhBPjE%3D&reserved=0> . Thanks to Mr. Man Ho of Hongkong Post Certification Authority, Certizen . Sincerely Yours, Li-Chun Chen Filippo Valsorda 在 2022年9月8日 星期四上午8:42:03 [UTC+8] 的信中寫道: 2022-09-08 00:11 GMT+02:00 Ben Wilson <bwi...@mozilla.com <mailto:bwi...@mozilla.com> >: Thanks. As noted in your comments, the majority of affected root CAs have indicated that they do not believe that they will have a problem with the proposed deprecation schedule, but I am still considering modifying the wording/timeframes for the four or so CAs who might be affected. For example, one CA operator has since noted that their key is 4096-bit RSA, that they can provide audit documentation of their key generation, and that the transition to another root may be difficult for users of Android and Apple devices. Thank you for the details. Key generation audits are nice, but without ongoing audits from that moment to the present, I believe they don't mitigate the security concerns around what that key might have signed over its lifetime. Could the details of the Android and Apple client compatibility issues be shared on-list, ideally by the affected CAs? It feels like an opportunity for the ecosystem to learn something if nothing else. So, I will take a closer look at these four Root CAs as I continue to look to see how the wording or schedule of the original proposal can be tweaked. Off-hand, here are the Root Certificates from those affected CA operators who I recall have previously expressed concern, one way or another: GlobalSign - https://crt.sh/?id=88 <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcrt.sh%2F%3Fid%3D88&data=05%7C01%7Croman.fischer%40swisssign.com%7C8a7ebc586c2449b834d208dab146b04e%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638017214433141475%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=oqaG3SdxPrxccU4rSkFf0wuNoJsv4JDJJ0Q9KvhYHMU%3D&reserved=0> DigiCert - https://crt.sh/?id=76 <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcrt.sh%2F%3Fid%3D76&data=05%7C01%7Croman.fischer%40swisssign.com%7C8a7ebc586c2449b834d208dab146b04e%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638017214433141475%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=HKKs0ZGTrqY0kgmta2FaFCaU682LjuVqpga77N%2FLd7w%3D&reserved=0> Chunghwa Telecom - https://crt.sh/?id=17183 <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcrt.sh%2F%3Fid%3D17183&data=05%7C01%7Croman.fischer%40swisssign.com%7C8a7ebc586c2449b834d208dab146b04e%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638017214433141475%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=YWcgTEkTgadJMY6jLjMwZt7dafUaGp%2Fen7UKEYbA1Eg%3D&reserved=0> Sectigo - https://crt.sh/?id=331986 <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcrt.sh%2F%3Fid%3D331986&data=05%7C01%7Croman.fischer%40swisssign.com%7C8a7ebc586c2449b834d208dab146b04e%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638017214433141475%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=xxgXDlQou0fNsYgAgDKRwFKsoVyKzOYXyRdA6zxkh7c%3D&reserved=0> Others who I believe do not have concerns with the current proposal are: SECOM - https://crt.sh/?id=144 <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcrt.sh%2F%3Fid%3D144&data=05%7C01%7Croman.fischer%40swisssign.com%7C8a7ebc586c2449b834d208dab146b04e%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638017214433141475%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=NI%2FND0UoK7jVotsztpdhIUVeDgNJmhW%2Fk03awiplnKw%3D&reserved=0> Hong Kong Post - https://crt.sh/?id=4854 <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcrt.sh%2F%3Fid%3D4854&data=05%7C01%7Croman.fischer%40swisssign.com%7C8a7ebc586c2449b834d208dab146b04e%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638017214433141475%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=FCA%2FB%2BsTrpnXZstj3QL9%2Fz2jX2fwvLJ%2BsMoyy4Um8RI%3D&reserved=0> Entrust - https://crt.sh/?id=55 <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcrt.sh%2F%3Fid%3D55&data=05%7C01%7Croman.fischer%40swisssign.com%7C8a7ebc586c2449b834d208dab146b04e%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638017214433141475%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=aZa7BDljdpbdklvrhKpfds2SODZoZdmB33IYIVD%2BK%2B8%3D&reserved=0> GoDaddy - https://crt.sh/?id=39 <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcrt.sh%2F%3Fid%3D39&data=05%7C01%7Croman.fischer%40swisssign.com%7C8a7ebc586c2449b834d208dab146b04e%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638017214433297680%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=tG88v91nAzZzsMn1VfLUVGWvUBGnlxgLQqC%2F8U4TDVI%3D&reserved=0> and https://crt.sh/?id=27 <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcrt.sh%2F%3Fid%3D27&data=05%7C01%7Croman.fischer%40swisssign.com%7C8a7ebc586c2449b834d208dab146b04e%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638017214433297680%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=SXlwYVisg4Nw1CKj1gNnsqlLWG4B8VQgenzJGzKm4TY%3D&reserved=0> SecureTrust/Viking Cloud - https://crt.sh/?id=95564 <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcrt.sh%2F%3Fid%3D95564&data=05%7C01%7Croman.fischer%40swisssign.com%7C8a7ebc586c2449b834d208dab146b04e%7C21322582607f404c82d950ddb1eca5c9%7C1%7C0%7C638017214433297680%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=zPuvVe9lZMHHoZp34t9zVHyJEMDCuL8KSN2rZrSNQ%2Fs%3D&reserved=0> Ben -- You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org <mailto:dev-security-policy@mozilla.org> " group. To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsubscr...@mozilla.org <mailto:dev-security-policy+unsubscr...@mozilla.org> . To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZdguv3J-uBNatmg7csENQWvk%2BHNRrn41xKTzpw2JGWBQ%40mail.gmail.com. -- You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org <mailto:dev-security-policy@mozilla.org> " group. To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsubscr...@mozilla.org <mailto:dev-security-policy+unsubscr...@mozilla.org> . To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/BYAPR14MB260034616DFEAF039A7988238E4F9%40BYAPR14MB2600.namprd14.prod.outlook.com. -- You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org <mailto:dev-security-policy@mozilla.org> " group. To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsubscr...@mozilla.org <mailto:dev-security-policy+unsubscr...@mozilla.org> . To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/ZRAP278MB056259B6D7DAEED5DCE9792BFA4E9%40ZRAP278MB0562.CHEP278.PROD.OUTLOOK.COM. -- You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org <mailto:dev-security-policy@mozilla.org> " group. To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsubscr...@mozilla.org <mailto:dev-security-policy+unsubscr...@mozilla.org> . To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaYdz4sYKmd5hB0ya6%2BsPFwjRyaBHOsxKUCn4u2boyowow%40mail.gmail.com. -- You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group. To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsubscr...@mozilla.org <mailto:dev-security-policy+unsubscr...@mozilla.org> . To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaacp6YQm3bqsPQ5y_zHh2w8GX0-jP-cE_Au0HFvdfSOWg%40mail.gmail.com <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaacp6YQm3bqsPQ5y_zHh2w8GX0-jP-cE_Au0HFvdfSOWg%40mail.gmail.com?utm_medium=email&utm_source=footer> . -- You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group. To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsubscr...@mozilla.org. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/SEZPR03MB6593C9002B3333C88A95AAEBF0989%40SEZPR03MB6593.apcprd03.prod.outlook.com.
smime.p7s
Description: S/MIME cryptographic signature