On 13/05/14 14:48, Peter Bowen wrote:
I would add the old Netscape Step-Up/SGC (2.16.840.1.113730.4.1) and
any EKU (2.5.29.37.0) to the list as well.
The point of the bug I reference is that we'd like to stop caring about
these (in code), because allowing anyEKU means that we include in scope
On 14/05/14 13:54, fhw...@gmail.com wrote:
By my reading of the Microsoft requirements using separate intermediates is
insufficient: they must be root certificates.
Peter, my reading of the Microsoft requirements [1] is that using
separate intermediates is sufficient (although note the EKU
On Monday, 12 May 2014 13:45:16 UTC-6, Jeremy Rowley wrote:
+1. This is especially true in the federal space where some intermediates
are stored offline most of the time. Per Section 4.9.7 of the FBCA CP,
these CAs use a 31-day interval for status information. Bringing the CA
online
Not everyone signs with responders since they add bulk and complexity into
the system.
-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Patrick Kobly
Sent: Wednesday, May 14, 2014 11:07 AM
To:
On Wed, May 14, 2014 at 10:06 AM, Patrick Kobly patr...@kobly.com wrote:
Perhaps I'm dense and missing something or perhaps this isn't the right
place to be asking. Why would this necessitate bringing the CA online when
responses can be signed by an Authorized Responder (i.e. cert with EKU
All,
In response to the CA Communication, I have received the following question.
Question: Please clarify Action #5: Do you expect public disclosure of
all subordinate CA certificates, or just those issued to third parties?
Answer:
She's clarified in the discussion thread that it is all SubCAs chained to
a CA's root certificate that must be disclosed, regardless of who
controls the private key.
Jeremy
-Original Message-
From: dev-security-policy
On Wed, May 14, 2014 at 02:40:12PM -0600, Jeremy Rowley wrote:
She's clarified in the discussion thread that it is all SubCAs chained to
a CA's root certificate that must be disclosed, regardless of who
controls the private key.
Right, reading the text again it looks like any certificate