On Wed, Jun 22, 2016 at 6:11 PM, Kurt Roeckx wrote:
> On Wed, Jun 22, 2016 at 02:25:37PM -0700, Peter Bowen wrote:
> > I think there are two things getting conflated here:
> >
> > 1) Disclosure of revoked unexpired CA certificates signed by a trusted CA
> >
> > 2) Disclosure of
On Wed, Jun 22, 2016 at 02:25:37PM -0700, Peter Bowen wrote:
> I think there are two things getting conflated here:
>
> 1) Disclosure of revoked unexpired CA certificates signed by a trusted CA
>
> 2) Disclosure of CA certificates signed by CAs that are the subject of #1
>
> Imagine the
I think there are two things getting conflated here:
1) Disclosure of revoked unexpired CA certificates signed by a trusted CA
2) Disclosure of CA certificates signed by CAs that are the subject of #1
Imagine the following hierarchy:
Univercert Root CA (in trust store) --(CA Cert A)-->
I think the vision is that in the long run, OneCRL would be based on
the Salesforce data.
Sent from my iPhone. Please excuse brevity.
> On Jun 22, 2016, at 16:56, Jeremy Rowley wrote:
>
> That's why Mozilla has a policy to disclose all such CAs through OneCRL.
>
That's why Mozilla has a policy to disclose all such CAs through OneCRL.
Seems like unnecessary information to disclose the CA as part of OneCRL and
as part of the Salesforce program.
-Original Message-
From: dev-security-policy
On Wed, Jun 22, 2016 at 11:19 AM, Ryan Sleevi wrote:
> On Wed, Jun 22, 2016 at 8:21 AM, Ben Wilson wrote:
>> It seems to me that requiring the registration of these subordinate CAs
>> bloats the Salesforce database unnecessarily.
>
> We've historically
On Wed, Jun 22, 2016 at 8:21 AM, Ben Wilson wrote:
> It seems to me that requiring the registration of these subordinate CAs
> bloats the Salesforce database unnecessarily.
We've historically been at a chronic lack of data, rather than a
chronic glut. I think we should
CAs are running OCSP responders up to the root tier. Once a CA is
terminated in a standards-compliant and densely interoperable way from
participating in a trusted discovery path to an embedded root, it should no
longer be in the scope of business of root trust store owners.
On Wed, Jun 22,
On Tue, Jun 21, 2016 at 12:10 PM, Peter Bowen wrote:
> On Tue, Jun 21, 2016 at 8:26 AM, Rob Stradling wrote:
> > Revocation of a "parent intermediate" does not exempt "child intermediates"
> > from the disclosure requirement, AFAICT. So I think
It seems to me that requiring the registration of these subordinate CAs bloats
the Salesforce database unnecessarily.
-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+ben=digicert@lists.mozilla.org] On
Behalf Of Rob Stradling
Sent: Wednesday, June
On 21/06/16 17:56, Nick Lamb wrote:
On Tuesday, 21 June 2016 17:10:43 UTC+1, Peter Bowen wrote:
If all paths from a trusted root to a given intermediate are revoked
or expired, then I don't think it "directly or transitively chain[s]
to a certificate included in Mozilla’s CA Certificate