Re: DigiCert-Symantec Announcement

2017-09-28 Thread Patrick Figel via dev-security-policy
On 28.09.17 19:06, Gervase Markham via dev-security-policy wrote:
> On 26/09/17 03:17, Ryan Sleevi wrote:
>> update in a year, are arguably outside of the scope of ‘reasonable’ use
>> cases - the ecosystem itself has shown itself to change on at least that
>> frequency.
>
> Is "1 year" not a

Re: DigiCert-Symantec Announcement

2017-09-28 Thread Quirin Scheitle via dev-security-policy
Hi Gerv,

> On 28. Sep 2017, at 19:06, Gervase Markham via dev-security-policy
> wrote:
>
> Is "1 year" not a relatively common (for some value of "common") setting
> for HPKP timeouts for sites which think they have now mastered HPKP?

We did a

Re: CAA reporting support and tests?

2017-09-28 Thread Gervase Markham via dev-security-policy
On 26/09/17 00:03, Andrew wrote:
> is that the reports should only be sent in a situation where a
> certificate _would_ have been issued if not for the CAA records.

I'd say that's right. I'd think that by far the more common use case would be internal policy enforcement at a company rather than

Re: DigiCert-Symantec Announcement

2017-09-28 Thread Gervase Markham via dev-security-policy
On 26/09/17 03:17, Ryan Sleevi wrote:
> update in a year, are arguably outside of the scope of ‘reasonable’ use
> cases - the ecosystem itself has shown itself to change on at least that
> frequency.

Is "1 year" not a relatively common (for some value of "common") setting for HPKP timeouts for

Re: PROCERT decision

2017-09-28 Thread Gervase Markham via dev-security-policy
On 22/09/17 00:33, Andrew wrote:
> Will there be any sort of deprecation period for PROCERT certificates
> as with StartCom/Wosign & Symantec? Or is PROCERT small enough that
> you believe it's feasible to just immediately distrust them without
> any significant negative impact on the overall web

Re: Old roots to new roots best practice?

2017-09-28 Thread Gervase Markham via dev-security-policy
On 20/09/17 03:49, userwithuid wrote:
>> I agree, Gerv's remarks are a bit confusing with respect to the concern.

Ryan is polite. :-)

> Wrt to the StartCom bulletpoint, I guess this was a mistake on Mozilla's part
> then and should probably be acknowledged as such, @Gerv.

Yes, I acknowledge

Re: DigiCert mis-issuance report: rekeyed certificates

2017-09-28 Thread Gervase Markham via dev-security-policy
This is https://bugzilla.mozilla.org/show_bug.cgi?id=1401407 .

Gerv

Re: PROCERT issues

2017-09-28 Thread Gervase Markham via dev-security-policy
On 27/09/17 18:54, Matthew Hardeman wrote:
> In the case of StartCom, I can not help but feel that they are being
> held to an especially high standard (higher than other prior adds to
> the program) in this new PKI because of who they are -- despite the
> fact that management and day-to-day

Re: Incident Report format

2017-09-28 Thread Gervase Markham via dev-security-policy
On 22/09/17 00:12, Ryan Sleevi wrote:
> Based on the number of reports reviewed recently, I suspect we've got
> opportunities for improvement, but I'm not quite sure yet what the concrete
> suggestions on that should look like. A few thoughts below:

Here's a set of changes which attempt to