Re: Removing "Wildcard DV Certs" from Potentially Problematic Practices list

On Fri, Apr 21, 2017 at 02:12:51AM -0700, Nick Lamb via dev-security-policy wrote: > On Thursday, 20 April 2017 14:03:36 UTC+1, Gervase Markham wrote: > > I propose this section be removed from the document. > > I am not so sure the section ought to be removed. Wildcard DV is > potentially

Re: Removing "Wildcard DV Certs" from Potentially Problematic Practices list

On Fri, Apr 21, 2017 at 04:09:57AM -0700, Nick Lamb via dev-security-policy wrote: > Of the ballot 169 methods, 3.2.2.4.7 is most obviously appropriate for > verifying that the applicant controls the entire domain and thus > *.example.com, whereas say 3.2.2.4.6 proves only that the applicant >

Re: Extend deadline for April 2017 CA Communication?

> might be able to capture freeform text (perhaps unattributed) as to why Sure, below is a summary in my own words of why CAs are asking for an extension. Note that the April 2017 survey has many more action items than previous CA Communications, so I think it is reasonable that CAs might need

Re: Extend deadline for April 2017 CA Communication?

That sounds reasonable. I think it'd be useful to consider, in granting this extension, if you might be able to capture freeform text (perhaps unattributed) as to why these CAs need more time. This might help improve the process in the future without running the risk of coordinated non-answering

Extend deadline for April 2017 CA Communication?

All, I've been receiving requests from CAs for an extension to when they need to respond to the April 2017 CA Communication. https://wiki.mozilla.org/CA:Communications#April_2017 "To respond to this survey, login to the Common CA Database (CCADB), click on the 'CA Communications (Page)' tab,

Re: Certificate issues

On Tuesday, 18 April 2017 18:33:29 UTC+1, Jakob Bohm wrote: > I believe the point was to check the prospective contents of the > TBSCertificate *before* CT logging (noting that Ryan Sleevi has been > violently insisting that failing to do that shall be punished as > harshly as actual misissuance)

Re: [EXT] Re: Questions for Symantec

On Thu, Apr 20, 2017 at 8:04 PM, Steve Medin via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > > -Original Message- > > On 03/04/17 13:11, Gervase Markham wrote: > > > Hi Steve and Rick, > > > > Q9) Can you please tell us which audit covers the following two >

Re: Policy 2.5 Proposal: Remove the bullet about "fraudulent use"

I strongly support removing any ambiguity about CAs not being required to police certificate issuance, and agree on the unuseful level of subjectivity that would be present in any attempt to enforce this clause. -- Eric On Thu, Apr 20, 2017 at 7:11 PM, Matt Palmer via dev-security-policy <

Re: SHA-1 serverAuth cert issued by Trustis in November 2016

On Thursday, March 16, 2017 at 11:00:51 AM UTC, Gervase Markham wrote: > Hi Blake, > > On 02/03/17 16:26, blake morgan wrote: > > We have engaged with our external auditors in relation to this and the > > previous certificate that was reported. Once that activity has concluded we > > will be

Re: Symantec Conclusions and Next Steps

On Fri, Apr 21, 2017 at 6:16 AM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I've updated the Issues list: > https://wiki.mozilla.org/CA:Symantec_Issues > with the latest information. 3 issues have been marked as STRUCK due to > lack of evidence of

Re: Removing "Wildcard DV Certs" from Potentially Problematic Practices list

On Friday, 21 April 2017 11:02:01 UTC+1, Gervase Markham wrote: > This is all a bit inchoate :-) Can you give me any idea at all of what > such a policy would look like? Requiring OV is not an option IMO. Yes, it's inchoate, if I had a fully filled out policy in mind here I'd be proposing that

Re: Symantec Conclusions and Next Steps

On Fri, Apr 21, 2017 at 11:16:56AM +0100, Gervase Markham via dev-security-policy wrote: > Minor: > Issue B: Issuance of 1024-bit Certificate Expiring After Deadline I'm still concerned that they don't seem to have an idea of what software they're all (still) running, and they didn't reply to

Symantec Conclusions and Next Steps

The deadline for Symantec to submit comments passed yesterday; they chose to issue a large PDF[0] of responses just before the deadline, leaving no time for further discussion and clarification. That's their right, of course, but it may leave some places where we have to make assumptions. I've

Re: Removing "Wildcard DV Certs" from Potentially Problematic Practices list

On 21/04/17 10:12, Nick Lamb wrote: > I'm not so uncomfortable with it that I want Mozilla to try to get it > stopped, but I think signalling some residual discomfort here is > worthwhile until somebody has thought through a good policy, and > preferably at least got the big CAs to go along with

Re: Removing "Wildcard DV Certs" from Potentially Problematic Practices list

On Thu, Apr 20, 2017 at 4:02 PM, Gervase Markham via dev-security-policy wrote: > I don't believe the issuance of wildcard DV certs is problematic in > practice. Mozilla is of the view that ubiquitous SSL is the highest > priority for the Web PKI, and

Re: Removing "Wildcard DV Certs" from Potentially Problematic Practices list

On Thursday, 20 April 2017 14:03:36 UTC+1, Gervase Markham wrote: > I propose this section be removed from the document. I am not so sure the section ought to be removed. Wildcard DV is potentially problematic. Historically we have seen problems that wouldn't have happened or would be much

Re: Removing "Wildcard DV Certs" from Potentially Problematic Practices list

Major +1. Removing this language is consonant with Mozilla objectives, with Web PKI trends, and with the health of the open web. -- Eric On Thu, Apr 20, 2017 at 9:02 AM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > There is an entry on Mozilla's