Re: Symantec: Next Steps

On 08/03/2017 06:27, Ryan Sleevi wrote: On Tue, Mar 7, 2017 at 11:23 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: I saw nothing in Gervs posting suggesting that banning all kinds of RA/DTP relationships was the intended effect. But would you also

Re: Symantec: Next Steps

On Tue, Mar 7, 2017 at 9:27 PM, Ryan Sleevi via dev-security-policy wrote: > On Tue, Mar 7, 2017 at 11:23 PM, Jakob Bohm via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: ]> >> For example, an RA whose sole involvement is to receive a

Re: Symantec: Next Steps

On Tue, Mar 7, 2017 at 11:23 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I saw nothing in Gervs posting suggesting that banning all kinds of > RA/DTP relationships was the intended effect. But would you also acknowledge that your originally stated

Re: Symantec: Next Steps

On 08/03/2017 04:21, Ryan Sleevi wrote: On Tue, Mar 7, 2017 at 8:08 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: I contradicted you in saying that RAs (or DTP as you now want to call them) were not supposed to be banned by the policy change. DTPs

Re: Google Trust Services roots

Im trying to keep score here but am having difficulties. Can someone confirm if the following statements are correct:- Google has acquired 2 root certificates from GMO GlobalSign but not the ‎company itself. GMO GlobalSign will continue to own other roots and will use only those other roots

Re: Symantec: Next Steps

On Tue, Mar 7, 2017 at 8:08 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > I contradicted you in saying that RAs (or DTP as you now want to call > them) were not supposed to be banned by the policy change. > DTPs are the terms from the Baseline

Re: Symantec: Next Steps

On 08/03/2017 01:40, Ryan Sleevi wrote: On Tue, Mar 7, 2017 at 6:26 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On 07/03/2017 21:37, Ryan Sleevi wrote: To make it simpler, wouldn't be a Policy Proposal be to prohibit Delegated Third Parties from

Re: Symantec: Next Steps

On Tue, Mar 7, 2017 at 6:26 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 07/03/2017 21:37, Ryan Sleevi wrote: >> >> To make it simpler, wouldn't be a Policy Proposal be to prohibit Delegated >> Third Parties from participating in the issuance

Re: Include Renewed Kamu SM root certificate

On Tue, Mar 7, 2017 at 6:01 PM, Kathleen Wilson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > 1) Domain Validation Methods > For the CA, I recommend reviewing section 3.2.2.4 of version 1.4.1 of the > CA/Browser Forum’s Baseline Requirements, because many of the

Re: Symantec: Next Steps

On 07/03/2017 21:37, Ryan Sleevi wrote: On Tue, Mar 7, 2017 at 6:37 AM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: Policy Proposal 1: require all CAs to arrange it so that certs validated by an RA are issued from one or more intermediates dedicated

Re: Include Renewed Kamu SM root certificate

Thank you Andrew and Ryan for your feedback on this request to include the "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" root certificate, and enable the Websites trust bit. Note that the new SHA-256 root certificate will replace the SHA1 “TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı -

Re: Symantec: Next Steps

On Tue, Mar 7, 2017 at 6:37 AM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Policy Proposal 1: require all CAs to arrange it so that certs validated > by an RA are issued from one or more intermediates dedicated solely to > that RA, with such

Re: Google Trust Services roots

On 07/03/2017 18:29, Ryan Hurst wrote: pzb: I appreciate you finally sending responses. I hope you appreciate that they are clearly not adequate, in my opinion. Please see the comments inline. Again, sorry for the delay in responding, I will be more prompt moving forward. pzb: This

Re: Include Renewed Kamu SM root certificate

On Tue, Mar 7, 2017 at 9:14 AM, tuubaonder--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > This section states "WHOIS records pertinent to domain name specified in > the certificate application shall be verified via 'www.nic.tr'". It would > be useful to have more

Re: Google Trust Services roots

> pzb: I appreciate you finally sending responses. I hope you appreciate > that they are clearly not adequate, in my opinion. Please see the > comments inline. Again, sorry for the delay in responding, I will be more prompt moving forward. > pzb: This does not resolve the concern. The BRs

Re: Include Renewed Kamu SM root certificate

Hi Andrew and Kathleen, Thanks Andrew for reviewing our CPS document. We have updated the CPS document by the direction of your indications. Also you can find our replies below: 1.2 Document Name and Identification Document version number is 3, but the front page and headers say version 1.

Re: Mozilla Root Store Policy 2.4.1

On Tue, Mar 7, 2017 at 5:09 AM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > 1.1 Scope > > Item 2: > > Bullet 1: This would allow the anyEKU to be considered 'out of > scope'. > > Is that intentional? (notwithstanding Section 5.3.1) > >