Re: Policy Update Proposal -- Specify audit criteria according to trust bit

On 9/22/15 11:37 AM, R Kent James wrote: On 9/21/2015 7:07 PM, Kathleen Wilson wrote: As we did with the discussion about the code signing trust bit, let's list the arguments for and against removing references to the Email trust bit from Mozilla's CA Certificate Policy. The main comment that

Re: Policy Update Proposal -- Specify audit criteria according to trust bit

On Mon, Sep 21, 2015 at 07:07:07PM -0700, Kathleen Wilson wrote: > > First, we need to determine if the Email trust bit should remain part of > Mozilla's CA Certificate Policy. I'm really concerned about this. S/MIME and PGP are the only (popular) ways to do encryption over email. The

Re: Policy Update Proposal -- Remove Email Trust Bit

On 9/21/15 7:07 PM, Kathleen Wilson wrote: In https://wiki.mozilla.org/CA:CertificatePolicyV2.3 The proposal is: (D27) Clarify which audit criteria are required depending on which trust bits are set. In particular, root certs with only the S/MIME trust bit set will have different audit

Re: Policy Update Proposal -- Specify audit criteria according to trust bit

On Tue, Sep 22, 2015 at 4:47 AM, Brian Smith wrote: > Kathleen Wilson wrote: > > > Arguments for removing the Email trust bit: > > - Mozilla's policies regarding Email certificates are not currently > > sufficient. > > - What else? > > > > > * It isn't

Re: Policy Update Proposal -- Remove Email Trust Bit

On 9/22/15 9:29 AM, Kathleen Wilson wrote: First, we need to determine if the Email trust bit should remain part of Mozilla's CA Certificate Policy. To be clear, IF this proposal to remove the Email trust bit from Mozilla's CA Certificate Policy is approved, then it would follow that the

Re: Policy Update Proposal -- Refer to BRs for Name ConstraintsRequirement

On 22/09/15 01:01, Brian Smith wrote: But, if the intermediate CA certificate is allowed to issue SSL certificates, then including the EKU extension with id-kp-serverAuth is just wasting space. Mozilla's software assumes that when the intermediate CA certificate does not have an EKU, then the

Re: Policy Update Proposal -- Refer to BRs forNameConstraintsRequirement

On 22/09/15 10:22, Brian Smith wrote: Rob Stradling wrote: https://aka.ms/rootcert Section 4.A.12, for example, says... "Rollover root certificates, or certificates which are intended to replace previously enrolled but expired certificates, will not be accepted if

Re: Policy Update Proposal -- Specify audit criteria according to trust bit

Kathleen Wilson wrote: > Arguments for removing the Email trust bit: > - Mozilla's policies regarding Email certificates are not currently > sufficient. > - What else? > > * It isn't clear that S/MIME using certificates from publicly-trusted CAs is a model of email security

Re: Policy Update Proposal -- Refer to BRs for NameConstraintsRequirement

On 22/09/15 09:34, Brian Smith wrote: On 22/09/15 01:01, Brian Smith wrote: But, if the intermediate CA certificate is allowed to issue SSL certificates, then including the EKU extension with id-kp-serverAuth is just wasting space. Mozilla's software assumes that when the intermediate CA

Re: Policy Update Proposal -- Refer to BRs for Name ConstraintsRequirement

On Tue, Sep 22, 2015 at 12:51 AM, Rob Stradling wrote: > On 22/09/15 01:01, Brian Smith wrote: > > >> But, if the intermediate CA certificate is allowed to issue SSL >> certificates, then including the EKU extension with id-kp-serverAuth is >> just wasting space.