Re: DigiCert-Symantec Announcement

2017-09-22 Thread Peter Bowen via dev-security-policy
On Fri, Sep 22, 2017 at 6:22 AM, Nick Lamb via dev-security-policy wrote:
> On Friday, 22 September 2017 05:01:03 UTC+1, Peter Bowen wrote:
>> I realize this is somewhat more complex than what you, Ryan, or Jeremy
>> proposed, but it is the only way I see root

Re: CAs not compliant with CAA CP/CPS requirement

2017-09-22 Thread Richard Moore via dev-security-policy
On 22 September 2017 at 17:22, Rob Stradling wrote:
> On 22/09/17 17:07, Richard Moore via dev-security-policy wrote:
>
>> I see, the one I saw in the wild was issued from the intermediate below and
>> linked to the Gandi document however it was from 2014. That said,

Re: CAs not compliant with CAA CP/CPS requirement

2017-09-22 Thread Rob Stradling via dev-security-policy
On 22/09/17 17:07, Richard Moore via dev-security-policy wrote:
> I see, the one I saw in the wild was issued from the intermediate below and linked to the Gandi document however it was from 2014. That said, I don't see the intermediate in crt.sh though that could just be me failing to use the

Re: CAs not compliant with CAA CP/CPS requirement

2017-09-22 Thread Richard Moore via dev-security-policy
I see, the one I saw in the wild was issued from the intermediate below and linked to the Gandi document however it was from 2014. That said, I don't see the intermediate in crt.sh though that could just be me failing to use the site properly!

Cheers
Rich.

Certificate: Data:

Re: CAs not compliant with CAA CP/CPS requirement

2017-09-22 Thread Rob Stradling via dev-security-policy
On 21/09/17 22:56, richmoore44--- via dev-security-policy wrote:
> On Thursday, September 21, 2017 at 10:13:56 AM UTC+1, Rob Stradling wrote:
>> Our CPS has now been updated.
>
> Will you be ensuring that CAs like Gandi who are chaining back to your roots also update their CPS?

Gandi are a managed

Re: DigiCert-Symantec Announcement

2017-09-22 Thread Nick Lamb via dev-security-policy
On Friday, 22 September 2017 05:01:03 UTC+1, Peter Bowen wrote:
> I realize this is somewhat more complex than what you, Ryan, or Jeremy
> proposed, but it is the only way I see root pins working across both
> "old" and "new" trust stores.

I would suggest that a better way to spend the remaining

Re: [saag] Fwd: New Version Notification for draft-belyavskiy-certificate-limitation-policy-04.txt

2017-09-22 Thread Nikos Mavrogiannopoulos via dev-security-policy
On Wed, Sep 20, 2017 at 3:21 PM, Dmitry Belyavsky wrote:
> Dear Nikos
>
> On Wed, Sep 13, 2017 at 9:39 AM, Nikos Mavrogiannopoulos wrote:
>>
>> 4. How do you handle extensions to this format?
>>
>> Overall, why not use X.509 extensions to store such