I don't know if it was mentioned elsewhere but Symantec had an MOA with the
Federal PKI which required cross-certificates. If Symantec revoked it, the MOA
would also have been violated which would have severed the trust with the
Federal PKI and Symantec customers.
To the particular IdenTrust CA
Because the certificate improperly included Symantec's BR-compliance OID. If
the cert wasn't a BR-covered certificate but included the BR compliance OID,
then the cert was still mis-issued and should be disclosed.
Jeremy
-Original Message-
From: dev-security-policy
[mailto:dev-security-p
On Thursday, April 13, 2017 at 10:49:17 AM UTC-4, Gervase Markham wrote:
> On 13/04/17 14:23, Doug Beattie wrote:
> > In 3.2 the term Technically Constrained is not defined to be any
> > different than the BRs (or perhaps even less restrictive).
>
> You mean 2.3, right?
Yes, 2.3.
> I would say I
On Thu, Apr 13, 2017 at 10:48 AM, Gervase Markham via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> > Section 3.1.2.1 specifies that any CA capable of issuing secure email
> > certificates must have a "WebTrust for CAs" audit (or corresponding
> > ETSI audit). This is a
On 12/04/17 21:39, uri...@gmail.com wrote:
> Is there an expectation of a resolution of some sort to this matter?
> Also, their most recent audit is apparently overdue (perhaps related to the
> SHA-1 mis-issuance?)
>
> https://groups.google.com/d/msg/mozilla.dev.security.policy/IjgFwzGI_H0/-689uF
On 13/04/17 14:23, Doug Beattie wrote:
> In 3.2 the term Technically Constrained is not defined to be any
> different than the BRs (or perhaps even less restrictive).
You mean 2.3, right?
I would say Inclusion section, bullet 9 gives the definition of
technically constrained. For email certs, bec
Thanks Gerv. :-)
On 13/04/17 14:46, Gervase Markham via dev-security-policy wrote:
Hi Rob,
You either have a great memory or good search-fu; well done for digging
this out!
On 12/04/17 22:14, Rob Stradling wrote:
Gerv, FYI what you're proposing here
(https://github.com/mozilla/pkipolicy/issu
On 13/04/17 14:50, Gervase Markham wrote:
On 12/04/17 21:21, Rob Stradling wrote:
Mozilla also requires CAs to disclose intermediate cert revocations to
CCADB. Should there be a corresponding time limit in the policy
regarding how soon after revocation this disclosure must occur?
There is:
"
On 12/04/17 21:21, Rob Stradling wrote:
> Mozilla also requires CAs to disclose intermediate cert revocations to
> CCADB. Should there be a corresponding time limit in the policy
> regarding how soon after revocation this disclosure must occur?
There is:
"If a non-exempt intermediate certificate
Symantec's bug opens with the words:
"At the end of 2013, Symantec issued a cert to one of its customers that
did not comply with several provisions of the CA/Browser Forum Baseline
Requirements."[0]
So Symantec, at least, thought that this cert fell under the BRs. If
their case was that it did n
Hi Rob,
You either have a great memory or good search-fu; well done for digging
this out!
On 12/04/17 22:14, Rob Stradling wrote:
> Gerv, FYI what you're proposing here
> (https://github.com/mozilla/pkipolicy/issues/69) was slated to appear in
> v2.1 of the policy, but it was vetoed by Symantec.
> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+doug.beattie=globalsign@lists.mozilla.org] On Behalf Of Gervase
> Markham via dev-security-policy
> Sent: Wednesday, April 12, 2017 4:45 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> >
On 03/04/17 13:11, Gervase Markham wrote:
> Hi Steve and Rick,
Q9) Can you please tell us which audit covers the following two
intermediate CAs, which are subordinates of or cross-certified by
VeriSign Universal Root Certification Authority?
VeriSign Class 3 SSP Intermediate CA - G2
(https://cr