Re: Compliance with 7.1.4.2.1 (internal names revocation)

2017-01-09 Thread Rick Andrews
Thanks for finding this, Nick. We're in the process of revoking the cert you found, and searching for any others. We'll get back to you when we're done. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org

RE: Compliance with 7.1.4.2.1 (internal names revocation)

2017-01-09 Thread Robin Alden
Hi Nick, I expect that our auditors would have noticed and reported if we had not tried to comply with 7.1.4.2.1. Our next WebTrust audit starts shortly and I anticipate that the criteria used will be "WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network

RE: Update on transition of the Verizon roots and issuance of SHA1 certificates

2017-01-09 Thread Ben Wilson
I'll go through those in the next day or so and fix the CPS and audit settings. Ben Wilson, JD, CISA, CISSP DigiCert VP Compliance -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+ben=digicert@lists.mozilla.org] On Behalf Of Rob Stradling Sent:

RE: Update on transition of the Verizon roots and issuance of SHA1 certificates

2017-01-09 Thread Jeremy Rowley
It probably should not be same as parent. Ben will update it. -Original Message- From: Rob Stradling [mailto:rob.stradl...@comodo.com] Sent: Monday, January 9, 2017 10:02 AM To: Jeremy Rowley ; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Update

Re: Update on transition of the Verizon roots and issuance of SHA1 certificates

2017-01-09 Thread Rob Stradling
On 09/01/17 16:35, Jeremy Rowley wrote: Hi Rob - thanks for following up. The Belgium root was granted an extension by the browsers until January 15th to complete the audit and January 31st to submit the audit report. We are still told they are hosted by Verizon and, considering the audit

RE: Update on transition of the Verizon roots and issuance of SHA1 certificates

2017-01-09 Thread Jeremy Rowley
Not many websites, but all of the Belgium ID cards would end up being revoked. Although Belgium is only issuing client certs, the issuing CA is not technically constrained, meaning a BR, Network security, and standard WebTrust audit is required. We are currently waiting for the results of the

Re: Update on transition of the Verizon roots and issuance of SHA1 certificates

2017-01-09 Thread Kurt Roeckx
On 2017-01-09 17:28, Rob Stradling wrote: On 03/11/16 19:34, Jeremy Rowley wrote: Hi Jeremy. 7. The Belgium government is our biggest challenge in migrating Verizon customers. With over 20 issuing CAs, Belgium has the largest outstanding non-compliant infrastructure. The operators have

Re: Compliance with 7.1.4.2.1 (internal names revocation)

2017-01-09 Thread Nick Lamb
On Monday, 9 January 2017 14:05:25 UTC, Robin Alden wrote:
> Nick,
> Thanks for the heads-up.
> We agree that the certificates you found should have been revoked.

Thank you Robin for investigating this, for your explanation of what happened and for the sensible response of CT logging and

RE: Update on transition of the Verizon roots and issuance of SHA1 certificates

2017-01-09 Thread Jeremy Rowley
Hi Rob - thanks for following up. The Belgium root was granted an extension by the browsers until January 15th to complete the audit and January 31st to submit the audit report. We are still told they are hosted by Verizon and, considering the audit progress, I have no reason to doubt this.

Re: Update on transition of the Verizon roots and issuance of SHA1 certificates

2017-01-09 Thread Rob Stradling
On 03/11/16 19:34, Jeremy Rowley wrote: Hi Jeremy. 7. The Belgium government is our biggest challenge in migrating Verizon customers. With over 20 issuing CAs, Belgium has the largest outstanding non-compliant infrastructure. The operators have also claimed that revoking their

RE: Compliance with 7.1.4.2.1 (internal names revocation)

2017-01-09 Thread Robin Alden
Nick, Thanks for the heads-up. We agree that the certificates you found should have been revoked. We revoked a body of certificates on 1st October 2016 in accordance with 7.1.4.2.1. Regrettably a mistake was made when we created the list of certificates to be revoked. As a word of