On Fri, Apr 21, 2017 at 02:12:51AM -0700, Nick Lamb via dev-security-policy
wrote:
> On Thursday, 20 April 2017 14:03:36 UTC+1, Gervase Markham wrote:
> > I propose this section be removed from the document.
>
> I am not so sure the section ought to be removed. Wildcard DV is
> potentially
On Fri, Apr 21, 2017 at 04:09:57AM -0700, Nick Lamb via dev-security-policy
wrote:
> Of the ballot 169 methods, 3.2.2.4.7 is most obviously appropriate for
> verifying that the applicant controls the entire domain and thus
> *.example.com, whereas say 3.2.2.4.6 proves only that the applicant
>
> might be able to capture freeform text (perhaps unattributed) as to why
Sure, below is a summary in my own words of why CAs are asking for an
extension. Note that the April 2017 survey has many more action items than
previous CA Communications, so I think it is reasonable that CAs might need
That sounds reasonable.
I think it'd be useful to consider, in granting this extension, if you
might be able to capture freeform text (perhaps unattributed) as to why
these CAs need more time. This might help improve the process in the future
without running the risk of coordinated non-answering
All,
I've been receiving requests from CAs for an extension to when they need to
respond to the April 2017 CA Communication.
https://wiki.mozilla.org/CA:Communications#April_2017
"To respond to this survey, login to the Common CA Database (CCADB), click on
the 'CA Communications (Page)' tab,
On Tuesday, 18 April 2017 18:33:29 UTC+1, Jakob Bohm wrote:
> I believe the point was to check the prospective contents of the
> TBSCertificate *before* CT logging (noting that Ryan Sleevi has been
> violently insisting that failing to do that shall be punished as
> harshly as actual misissuance)
On Thu, Apr 20, 2017 at 8:04 PM, Steve Medin via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> > -Original Message-
> > On 03/04/17 13:11, Gervase Markham wrote:
> > > Hi Steve and Rick,
> >
> > Q9) Can you please tell us which audit covers the following two
>
I strongly support removing any ambiguity about CAs not being required to
police certificate issuance, and agree on the unuseful level of
subjectivity that would be present in any attempt to enforce this clause.
-- Eric
On Thu, Apr 20, 2017 at 7:11 PM, Matt Palmer via dev-security-policy <
On Thursday, March 16, 2017 at 11:00:51 AM UTC, Gervase Markham wrote:
> Hi Blake,
>
> On 02/03/17 16:26, blake morgan wrote:
> > We have engaged with our external auditors in relation to this and the
> > previous certificate that was reported. Once that activity has concluded we
> > will be
On Fri, Apr 21, 2017 at 6:16 AM, Gervase Markham via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> I've updated the Issues list:
> https://wiki.mozilla.org/CA:Symantec_Issues
> with the latest information. 3 issues have been marked as STRUCK due to
> lack of evidence of
On Friday, 21 April 2017 11:02:01 UTC+1, Gervase Markham wrote:
> This is all a bit inchoate :-) Can you give me any idea at all of what
> such a policy would look like? Requiring OV is not an option IMO.
Yes, it's inchoate, if I had a fully filled out policy in mind here I'd be
proposing that
On Fri, Apr 21, 2017 at 11:16:56AM +0100, Gervase Markham via
dev-security-policy wrote:
> Minor:
> Issue B: Issuance of 1024-bit Certificate Expiring After Deadline
I'm still concerned that they don't seem to have an idea of what
software they're all (still) running, and they didn't reply to
The deadline for Symantec to submit comments passed yesterday; they
chose to issue a large PDF[0] of responses just before the deadline,
leaving no time for further discussion and clarification. That's their
right, of course, but it may leave some places where we have to make
assumptions.
I've
On 21/04/17 10:12, Nick Lamb wrote:
> I'm not so uncomfortable with it that I want Mozilla to try to get it
> stopped, but I think signalling some residual discomfort here is
> worthwhile until somebody has thought through a good policy, and
> preferably at least got the big CAs to go along with
On Thu, Apr 20, 2017 at 4:02 PM, Gervase Markham via
dev-security-policy wrote:
> I don't believe the issuance of wildcard DV certs is problematic in
> practice. Mozilla is of the view that ubiquitous SSL is the highest
> priority for the Web PKI, and
On Thursday, 20 April 2017 14:03:36 UTC+1, Gervase Markham wrote:
> I propose this section be removed from the document.
I am not so sure the section ought to be removed. Wildcard DV is potentially
problematic. Historically we have seen problems that wouldn't have happened or
would be much
Major +1. Removing this language is consonant with Mozilla objectives, with
Web PKI trends, and with the health of the open web.
-- Eric
On Thu, Apr 20, 2017 at 9:02 AM, Gervase Markham via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> There is an entry on Mozilla's