Re: Suspicious test.com Cert Issued By GlobalSign

2017-03-24 Thread Nick Lamb via dev-security-policy
On Friday, 24 March 2017 10:11:36 UTC, Gervase Markham wrote: > I spoke about this with Doug at the CAB Forum meeting. The system which > collects the data is not integrated with the system to which the domains > are added. The validation specialist concerned, contrary to policy > ("it's just a

Re: Symantec: Next Steps

2017-03-24 Thread Jakob Bohm via dev-security-policy
On 24/03/2017 21:03, Jakob Bohm wrote: On 24/03/2017 19:08, Ryan Sleevi wrote: On Fri, Mar 24, 2017 at 1:30 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: Examples discussed in the past year in this group include the Taiwan GRCA roots and several of the

Re: Symantec: Next Steps

2017-03-24 Thread Jakob Bohm via dev-security-policy
On 24/03/2017 19:08, Ryan Sleevi wrote: On Fri, Mar 24, 2017 at 1:30 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: Examples discussed in the past year in this group include the Taiwan GRCA roots and several of the SubCAs hosted by Verizon prior to the

Re: Symantec: Next Steps

2017-03-24 Thread Ryan Sleevi via dev-security-policy
On Fri, Mar 24, 2017 at 1:30 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Examples discussed in the past year in this group include the Taiwan > GRCA roots and several of the SubCAs hosted by Verizon prior to the > DigiCert transition. Apologies for

Re: Symantec: Next Steps

2017-03-24 Thread Jakob Bohm via dev-security-policy
On 24/03/2017 17:12, Peter Bowen wrote: On Fri, Mar 24, 2017 at 9:06 AM, Ryan Sleevi via dev-security-policy wrote: (Wearing an individual hat) On Fri, Mar 24, 2017 at 10:35 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org>

Re: Symantec: Next Steps

2017-03-24 Thread Peter Bowen via dev-security-policy
On Fri, Mar 24, 2017 at 9:06 AM, Ryan Sleevi via dev-security-policy wrote: > (Wearing an individual hat) > > On Fri, Mar 24, 2017 at 10:35 AM, Jakob Bohm via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: >> >> One common scenario

Re: Symantec: Next Steps

2017-03-24 Thread Ryan Sleevi via dev-security-policy
(Wearing an individual hat) On Fri, Mar 24, 2017 at 10:35 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > One common scenario that a new wording should allow is a "fully > outsourced CA", where all the technical activities, including CA > private key

Re: Next CA Communication

2017-03-24 Thread Kathleen Wilson via dev-security-policy
On Friday, March 24, 2017 at 3:11:17 AM UTC-7, Gervase Markham wrote: > On 23/03/17 23:07, Kathleen Wilson wrote: > > Second paragraph of Action 1 now says: ~~ Note that version 1.4.2 of > > the BRs does not contain all 10 of these methods, but it does contain > > section 3.2.2.4.11, "Other

Re: Symantec: Next Steps

2017-03-24 Thread Jakob Bohm via dev-security-policy
On 24/03/2017 10:56, Gervase Markham wrote: On 07/03/17 11:37, Gervase Markham wrote: Here are some proposals for policy change. Please do comment on these or suggest others. I can report that at the CAB Forum face-to-face in Raleigh, NC, USA this week, there was broad consensus to draw up a

Re: Google action related to Symantec

2017-03-24 Thread Gervase Markham via dev-security-policy
On 23/03/17 16:09, Ryan Sleevi wrote: > You can participate in this discussion at > https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/eUAKwjihhBs Participants who want to discuss Google's action should, of course, visit the Blink forum above as Ryan has requested. However, the

Re: Suspicious test.com Cert Issued By GlobalSign

2017-03-24 Thread Gervase Markham via dev-security-policy
On 17/03/17 16:28, douglas.beat...@gmail.com wrote: >> If the addition is so gated, what did the employee in this case do? Did >> they upload bogus data? > > No bogus data was uploaded. I spoke about this with Doug at the CAB Forum meeting. The system which collects the data is not integrated

Re: Notice of Intent to Deprecate and Remove: Trust in Symantec-issued Certificates

2017-03-24 Thread Gervase Markham via dev-security-policy
On 23/03/17 19:54, Jakob Bohm wrote: > The above message (and one by Symantec) were posted to the > mozilla.dev.security.policy newsgroup prior to becoming aware of > Google's decision to move the discussion to its own private mailing > list and procedures. I would encourage everyone concerned to

Re: Symantec: Next Steps

2017-03-24 Thread Gervase Markham via dev-security-policy
On 07/03/17 11:37, Gervase Markham wrote: > Here are some proposals for policy change. Please do comment on these or > suggest others. I can report that at the CAB Forum face-to-face in Raleigh, NC, USA this week, there was broad consensus to draw up a ballot which prevents CAs from (to summarise

Re: Next CA Communication

2017-03-24 Thread Gervase Markham via dev-security-policy
On 23/03/17 23:07, Kathleen Wilson wrote: > Second paragraph of Action 1 now says: ~~ Note that version 1.4.2 of > the BRs does not contain all 10 of these methods, but it does contain > section 3.2.2.4.11, "Other Methods", so the subsections of version > 3.2.2.4 that are marked "Reserved" in

Re: Safely testing TLS in dev & test environments

2017-03-24 Thread Jakob Bohm via dev-security-policy
On 24/03/2017 05:54, Walter Goulet wrote: On Thursday, March 23, 2017 at 8:13:38 PM UTC-5, Jakob Bohm wrote: On 23/03/2017 22:59, Walter Goulet wrote: Hi all, This is not directly related to Mozilla policy, CA issues or really any of the normal discussions that I typically see in the group.