Re: Undisclosed CA certificates

2016-04-27 Thread Dimitris Zacharopoulos
Hi Peter, Here is the wiki reference that states which Intermediate CAs should be included in Salesforce: https://wiki.mozilla.org/CA:SalesforceCommunity#Which_intermediate_certificate_data_should_CAs_add_to_Salesforce.3F I think Kathleen has captured all cases and the instructions are clear.

Re: Undisclosed CA certificates

2016-04-27 Thread Peter Bowen
Here is a Google Spreadsheet without the subordinates that have EKU restrictions. I didn't match to SalesForce, so most of these are probably already in there. https://docs.google.com/spreadsheets/d/14lO33nW-tTN86Vq_urmI6IAIWRPZgd1KKfzvrLk5TZQ/edit?usp=sharing On Wed, Apr 27, 2016 at 6:11 PM,

Re: Undisclosed CA certificates

2016-04-27 Thread Peter Bowen
On Wed, Apr 27, 2016 at 7:36 PM, Richard Barnes wrote: > On Wed, Apr 27, 2016 at 8:41 PM, Peter Bowen wrote: >> >> As far as I can tell, SalesForce does not have a way to show multiple >> certificates for one CA. So it is entirely possible to have all CAs

Re: Undisclosed CA certificates

2016-04-27 Thread Richard Barnes
On Wed, Apr 27, 2016 at 8:41 PM, Peter Bowen wrote: > As far as I can tell, SalesForce does not have a way to show multiple > certificates for one CA. So it is entirely possible to have all CAs > disclosed but not have all CA certificates disclosed. (Some of the > edges in

Undisclosed CA certificates

2016-04-27 Thread Richard Barnes
Dear CAs, As you guys are working toward the June 30 deadline for disclosing intermediate certificates in SalesForce, I thought I would share some notes on the undisclosed certificates that we're seeing, so that you can make sure you get them all uploaded. Zakir Durumeric from UMich/Censys.io

Japan GPKI Root Renewal Request

2016-04-27 Thread Kathleen Wilson
This request by the Government of Japan, Ministry of Internal Affairs and Communications, is to include the GPKI 'ApplicationCA2 Root' certificate and enable the Websites trust bit. This new root certificate has been created in order to comply with the Baseline Requirements, and will eventually

Re: What is the Mozilla Firefox policy concerning SHA-1 Client authentication certificates?

2016-04-27 Thread Richard Barnes
Well, now you've made me go and try it. I couldn't get OpenSSL to use RSAwithMD2, but it works fine with MD5: openssl req -x509 -out client-cert.pem -new -newkey rsa:512 -md5 -nodes -keyout client-priv.pem openssl pkcs12 -export -in client-cert.pem -inkey client-priv.pem -out client.p12 #

Re: What is the Mozilla Firefox policy concerning SHA-1 Client authentication certificates?

2016-04-27 Thread Peter Bowen
It does to a certain extent. If I have a certificate that uses a 512-bit RSA key and is signed using RSAwithMD2, will Mozilla even attempt to use that certificate for client authentication? On Wed, Apr 27, 2016 at 10:54 AM, Richard Barnes wrote: > For client certificates,

Re: What is the Mozilla Firefox policy concerning SHA-1 Client authentication certificates?

2016-04-27 Thread Richard Barnes
For client certificates, it doesn't really matter what Mozilla thinks -- it matters what the website thinks when you present the client cert. On Wed, Apr 27, 2016 at 7:48 AM, wrote: > Hi ! I read " >

What is the Mozilla Firefox policy concerning SHA-1 Client authentication certificates?

2016-04-27 Thread vazmuten
Hi! I read "https://blog.mozilla.org/security/2015/10/20/continuing-to-phase-out-sha-1-certificates/" article but my question is what about Client authentication certificates that are issued using SHA-1 like Qualified Certificates issued to clients in order to make client authenticated SSL

Re: ComSign Root Renewal Request

2016-04-27 Thread Eli Spitzer
On Friday, April 8, 2016 at 12:58:41 AM UTC+3, Kathleen Wilson wrote: > The status of this discussion is that we are waiting for the CA to provide > the following: > > 1) Updated/restructured CPS (both in Hebrew and translated into English). > > 2) Full BR Audit statement. > > 3) An