Re: DigiCert-Symantec Announcement

2017-09-21 Thread Peter Bowen via dev-security-policy
On Thu, Sep 21, 2017 at 7:17 PM, Ryan Sleevi via dev-security-policy wrote: > I think we can divide the discussion into two parts, similar to the > previous mail: How to effectively transition Symantec customers with > minimum disruption, whether acting as

Re: DigiCert-Symantec Announcement

2017-09-21 Thread Ryan Sleevi via dev-security-policy
Jeremy, Thanks for attaching the diagrams - this is very useful in helping visualize out the graph! Special thanks for detailing out the validation flow DigiCert both practices and plans to practice - this level of transparency goes a long way to helping assess and understand both risks and

Re: PROCERT decision

2017-09-21 Thread Andrew via dev-security-policy
On Thursday, September 21, 2017 at 11:23:28 AM UTC-5, Gervase Markham wrote: > The CA Certificates module owner and peers have come to a decision > regarding our investigations into the activities of the CA "PROCERT". > > A large number of issues were raised regarding the operations and >

Re: CAs not compliant with CAA CP/CPS requirement

2017-09-21 Thread richmoore44--- via dev-security-policy
On Thursday, September 21, 2017 at 10:13:56 AM UTC+1, Rob Stradling wrote: > Our CPS has now been updated. Will you be ensuring that CAs like Gandi who are chaining back to your roots also update their CPS? Regards Rich.

Re: PROCERT issues

2017-09-21 Thread Patrick Figel via dev-security-policy
On 21/09/2017 23:08, alejandrovolcan--- via dev-security-policy wrote: > Dear Gerv, I have attached a document that gives us a greater > response to each of the points, as well as Mr. Oscar Lovera sent you > an email with the same information > >

Re: PROCERT issues

2017-09-21 Thread alejandrovolcan--- via dev-security-policy
On Monday, September 18, 2017 at 8:27:18 AM (UTC-5), Gervase Markham wrote: > On 11/09/17 12:03, Gervase Markham wrote: > > Thank you for this initial response. It is, however, far less detailed > > than we would like to see. > > I have not had any further updates from PROCERT. I have tried

PROCERT decision

2017-09-21 Thread Gervase Markham via dev-security-policy
The CA Certificates module owner and peers have come to a decision regarding our investigations into the activities of the CA "PROCERT". A large number of issues were raised regarding the operations and practices of this CA: https://wiki.mozilla.org/CA:PROCERT_Issues Considering them, it seems

Re: Public trust of VISA's CA

2017-09-21 Thread Paul Kehrer via dev-security-policy
I can confirm that as of this moment the VISA OCSP responders are still responding GOOD for non-existent certificates. VISA was originally contacted by me on August 29 so it has now been over 21 days since initial report. -Paul On September 21, 2017 at 9:32:12 PM, Gervase Markham via

Incident Report format

2017-09-21 Thread Gervase Markham via dev-security-policy
It seems like the list of topics to cover on the Responding to a Misissuance page: https://wiki.mozilla.org/CA/Responding_To_A_Misissuance#Incident_Report has become a de facto template for incident reports. We've now had quite a few CAs use this outline to respond to issues. If people (CAs or

Re: Public trust of VISA's CA

2017-09-21 Thread Gervase Markham via dev-security-policy
Additionally, 13 days ago it was reported to VISA that their OCSP responder was misconfigured to return "good" responses for non-existent certificates: https://bugzilla.mozilla.org/show_bug.cgi?id=1398261 As far as I can see, this is the case for their end-entity certificates, not just some roots

Re: CAs not compliant with CAA CP/CPS requirement

2017-09-21 Thread Rob Stradling via dev-security-policy
On 08/09/17 20:24, Andrew Ayer via dev-security-policy wrote: The BRs state: "Effective as of 8 September 2017, section 4.2 of a CA's Certificate Policy and/or Certification Practice Statement (section 4.1 for CAs still conforming to RFC 2527) SHALL state the CA's policy or practice on