On 9/22/15 11:37 AM, R Kent James wrote:
On 9/21/2015 7:07 PM, Kathleen Wilson wrote:
As we did with the discussion about the code signing trust bit, let's
list the arguments for and against removing references to the Email
trust bit from Mozilla's CA Certificate Policy.
The main comment that
On Mon, Sep 21, 2015 at 07:07:07PM -0700, Kathleen Wilson wrote:
>
> First, we need to determine if the Email trust bit should remain part of
> Mozilla's CA Certificate Policy.
I'm really concerned about this. S/MIME and PGP are the only
(popular) ways to do encryption over email. The
On 9/21/15 7:07 PM, Kathleen Wilson wrote:
In https://wiki.mozilla.org/CA:CertificatePolicyV2.3
The proposal is:
(D27) Clarify which audit criteria are required depending on which trust
bits are set. In particular, root certs with only the S/MIME trust bit
set will have different audit
On Tue, Sep 22, 2015 at 4:47 AM, Brian Smith wrote:
> Kathleen Wilson wrote:
>
> > Arguments for removing the Email trust bit:
> > - Mozilla's policies regarding Email certificates are not currently
> > sufficient.
> > - What else?
> >
> >
> * It isn't
On 9/22/15 9:29 AM, Kathleen Wilson wrote:
First, we need to determine if the Email trust bit should remain part of
Mozilla's CA Certificate Policy.
To be clear, IF this proposal to remove the Email trust bit from
Mozilla's CA Certificate Policy is approved, then it would follow that
the
On 22/09/15 01:01, Brian Smith wrote:
But, if the intermediate CA certificate is allowed to issue SSL
certificates, then including the EKU extension with id-kp-serverAuth is
just wasting space. Mozilla's software assumes that when the intermediate
CA certificate does not have an EKU, then the
On 22/09/15 10:22, Brian Smith wrote:
Rob Stradling wrote:
https://aka.ms/rootcert Section 4.A.12, for example, says...
"Rollover root certificates, or certificates which are intended to
replace previously enrolled but expired certificates, will not be accepted
if
Kathleen Wilson wrote:
> Arguments for removing the Email trust bit:
> - Mozilla's policies regarding Email certificates are not currently
> sufficient.
> - What else?
>
>
* It isn't clear that S/MIME using certificates from publicly-trusted CAs
is a model of email security
On 22/09/15 09:34, Brian Smith wrote:
On 22/09/15 01:01, Brian Smith wrote:
But, if the intermediate CA certificate is allowed to issue SSL
certificates, then including the EKU extension with id-kp-serverAuth is
just wasting space. Mozilla's software assumes that when the intermediate
CA
On Tue, Sep 22, 2015 at 12:51 AM, Rob Stradling
wrote:
> On 22/09/15 01:01, Brian Smith wrote:
>
>
>> But, if the intermediate CA certificate is allowed to issue SSL
>> certificates, then including the EKU extension with id-kp-serverAuth is
>> just wasting space.
10 matches
Mail list logo