Re: [SPAM] Re: EKUs covered in the Mozilla CA Program

2014-05-14 Thread Gervase Markham
On 13/05/14 14:48, Peter Bowen wrote: I would add the old Netscape Step-Up/SGC (2.16.840.1.113730.4.1) and any EKU (2.5.29.37.0) to the list as well. The point of the bug I reference is that we'd like to stop caring about these (in code), because allowing anyEKU means that we include in scope

Re: QuoVadis Request to Include Renewed Roots

2014-05-14 Thread Rob Stradling
On 14/05/14 13:54, fhw...@gmail.com wrote: By my reading of the Microsoft requirements using separate intermediates is insufficient: they must be root certificates. Peter, my reading of the Microsoft requirements [1] is that using separate intermediates is sufficient (although note the EKU

Re: CA Communication - May 12, 2014

2014-05-14 Thread Patrick Kobly
On Monday, 12 May 2014 13:45:16 UTC-6, Jeremy Rowley wrote: +1. This is especially true in the federal space where some intermediates are stored offline most of the time. Per Section 4.9.7 of the FBCA CP, these CAs use a 31-day interval for status information. Bringing the CA online

RE: CA Communication - May 12, 2014

2014-05-14 Thread Jeremy Rowley
Not everyone signs with responders since they add bulk and complexity into the system. -----Original Message----- From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Patrick Kobly Sent: Wednesday, May 14, 2014 11:07 AM To:

Re: CA Communication - May 12, 2014

2014-05-14 Thread Brian Smith
On Wed, May 14, 2014 at 10:06 AM, Patrick Kobly patr...@kobly.com wrote: Perhaps I'm dense and missing something or perhaps this isn't the right place to be asking. Why would this necessitate bringing the CA online when responses can be signed by an Authorized Responder (i.e. cert with EKU

Question about disclosing subCA certs

2014-05-14 Thread Kathleen Wilson
All, In response to the CA Communication, I have received the following question. Question: Please clarify Action #5: Do you expect public disclosure of all subordinate CA certificates, or just those issued to third parties? Answer:

RE: Question about disclosing subCA certs

2014-05-14 Thread Jeremy Rowley
She's clarified in the discussion thread that it is all SubCAs chained to a CA's root certificate that must be disclosed, regardless of who controls the private key. Jeremy -----Original Message----- From: dev-security-policy

Re: Question about disclosing subCA certs

2014-05-14 Thread Kurt Roeckx
On Wed, May 14, 2014 at 02:40:12PM -0600, Jeremy Rowley wrote: She's clarified in the discussion thread that it is all SubCAs chained to a CA's root certificate that must be disclosed, regardless of who controls the private key. Right, reading the text again it looks like any certificate