Extending Android Device Compatibility for Let's Encrypt Certificates

2020-12-21 Thread jo...--- via dev-security-policy
We (Let's Encrypt) just announced a new cross-sign from IdenTrust which is a 
bit unusual because it will extend beyond the expiration of the issuing root. 
More details can be found here:

https://letsencrypt.org/2020/12/21/extending-android-compatibility.html

Best,
Josh
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Policy 2.7.1: MRSP Issue #211: Align OCSP requirements in Mozilla's policy with the BRs

2020-12-21 Thread Wayne Thayer via dev-security-policy
On Thu, Dec 17, 2020 at 10:32 AM Aaron Gable via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> One potential option (5) would be to go even further than (2), and remove
> the OCSP paragraph from the MRSP§6 entirely. Given that MRSP§2.3 says "CA
> operations relating to issuance of certificates capable of being used for
> SSL-enabled servers MUST also conform to the latest version of the [BRs]",
> it seems clear that BR§4.9.10 is already included in its entirety. You
> could update MRSP§2.3 to say "...relating to issuance and revocation..." if
> you wanted to be even more explicit.
>
>
This all makes sense when applied to TLS certificates, but as Ben mentioned
the current language also applies to S/MIME. My instinct would be to either
do nothing to the current MRSP language, or to explicitly have it apply to
S/MIME and reference the BRs for TLS. If there is a desire to have the BR
4.9.10 language apply to S/MIME, I'd suggest we make that very clear.

- Wayne