Re: Policy 2.4 Proposal: Use language of capability throughout

2016-12-09 Thread Gervase Markham
On 08/12/16 13:06, Brian Smith wrote: > In particular, I suggest replacing "unable to issue server or email > certificates" with "unable to issue *trusted* server or email > certificates" or similar. I think I would prefer not to make that tie, because the obvious question is "trusted in which

Re: Policy 2.4 Proposal: Require all OCSP responses to have a nextUpdate field

2016-12-09 Thread Gervase Markham
On 08/12/16 12:46, Brian Smith wrote: > Are you intending to override the BR laxness for maximum OCSP lifetime > for intermediates, or just match the BR requirements? The wider context of this section includes a "For end-entity certificates:". So the wording as proposed matches the BRs in terms

Re: Policy 2.4 Proposal: Require open licensing of CPs and CPSes

2016-12-09 Thread Gervase Markham
On 08/12/16 15:33, Jonathan Rudenberg wrote: > I think this is reasonable. Does it make sense to add CC0 to the list > as well? This would provide an even more permissive license option > than CC-BY. Yes, that makes sense. Gerv

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-09 Thread zbwasd
On Tuesday, December 6, 2016 at 6:50:04 AM UTC+8, Percy wrote: > lslqtz, > How did you obtain this certificate from WoSign? Through the public website > or some other means? I get this certificate through the dealer's website, but the dealer and WoSign API are not doing the verification, the final manual audit also

Re: Taiwan GRCA Root Renewal Request

2016-12-09 Thread Erwann Abalea
Good evening, On Tuesday, 6 December 2016 at 09:31:48 UTC+1, Wen-Cheng Wang wrote: > Hi Jacob, > > I think you get confused by my colleague Li-Chun's email because he mentioned > a lot about using self-issued certificates for key-rollover, AIA certificate > chaining support, and the bug of Microsoft

Re: Policy 2.4 Proposal: Require open licensing of CPs and CPSes

2016-12-09 Thread Jakob Bohm
On 09/12/2016 00:48, David E. Ross wrote: On 12/8/2016 1:41 PM, Jakob Bohm wrote [in part]: It is in particular noted that these things are a lot less than what any of the regular CC licenses permit. For example, Mozilla has no reason to require that other CA operators be permitted to reuse

Re: Can we require id-kp-serverAuth now?

2016-12-09 Thread Jakob Bohm
On 08/12/2016 23:15, Brian Smith wrote: Gervase Markham wrote: On 05/12/16 12:43, Brian Smith wrote: However, I do think that if a CA certificate is name constrained to not allow any dNSName or iPAddress names, and/or it EKU that doesn't contain id-kp-serverAuth, then it

Re: Policy 2.4 Proposal: Require open licensing of CPs and CPSes

2016-12-09 Thread Han Yuwei
On Friday, December 9, 2016 at 5:42:29 AM UTC+8, Jakob Bohm wrote: > On 08/12/2016 21:48, Gervase Markham wrote: > > Require CAs to publish their CPs and CPSes under one of the following > > Creative Commons licenses: CC-BY, CC-BY-SA or CC-BY-ND. > > > > This is so that there is no legal impediment to their proper

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-09 Thread Han Yuwei
On Friday, December 9, 2016 at 4:19:31 AM UTC+8, Gervase Markham wrote: > On 05/12/16 13:41, Richard Wang wrote: > > We checked our system, this order is from one of the reseller. We > > have many resellers that used the API, we noticed all resellers to > > close the free SSL, but they need some time to update the