Re: Francisco Partners acquires Comodo certificate authority business

2017-10-31 Thread Peter Kurrasch via dev-security-policy
The timing and content of any announcement is undoubtedly complicated, caused, in no small part, by legitimate needs for confidentiality against the goals of transparency. I have every reason to trust in the good

Re: Francisco Partners acquires Comodo certificate authority business

2017-10-31 Thread Peter Gutmann via dev-security-policy
mw--- via dev-security-policy writes: >So they sell multiple roots over to a company that is "the leader in Deep >Packet Inspection (DPI) and we've got a lot going on in that space" and >enable them to issue trusted certificates and mitm all encrypted

RE: Statement on DigiCert’s Proposed Purchase of Symantec

2017-10-31 Thread Jeremy Rowley via dev-security-policy
A couple of points of clarification (as it seems to have stirred some questions) 1. Migration to the DigiCert issuing and validation process only applies to certs intended for browser use, meaning the infrastructure may issue code signing, email, etc certs post Dec 1. These certs will be

Incident Report : GlobalSign certificates with ROCA Fingerprint

2017-10-31 Thread Kathleen Wilson via dev-security-policy
Re-posting the message below, because it appears that this message did not get propagated to groups.google.com. I have filed a bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1412993 - mozilla.dev.security.policy posts not getting propagated to Google Groups -Original Message-

Re: ETSI Audits Almost Always FAIL to list audit period

2017-10-31 Thread Kathleen Wilson via dev-security-policy
On 10/31/17 2:57 PM, Dimitris Zacharopoulos wrote: [NS]: If all ETSI reports delivered to Root Programs had clear indication regarding the “audit period” and the type of the audit (i.e. full), probably this discussion would not be raised at all? Correct. For example, in all our

Re: ETSI Audits Almost Always FAIL to list audit period

2017-10-31 Thread Ryan Sleevi via dev-security-policy
On Tue, Oct 31, 2017 at 5:29 PM, Dimitris Zacharopoulos via dev-security-policy wrote: > > I don't believe your statement is supported by the evidence - which is why >> I'm pushing you to provide precise references. Consider from the >> perspective as a

Re: Francisco Partners acquires Comodo certificate authority business

2017-10-31 Thread Ryan Sleevi via dev-security-policy
You didn't really leave room for productive discussion between your options, did you? :) As you can see from https://github.com/mozilla/pkipolicy/blob/master/rootstore/policy.md#8-ca-operational-changes , notification is required for certain changes - but that notification goes to a Mozilla mail

Re: Francisco Partners acquires Comodo certificate authority business

2017-10-31 Thread Peter Kurrasch via dev-security-policy
Both articles are long on names, short on dates. I don't fault the authors for that but it is troubling that better information wasn't made available to them. When can we expect a proper announcement in this

Re: ETSI Audits Almost Always FAIL to list audit period

2017-10-31 Thread Kathleen Wilson via dev-security-policy
Thank you, Dimitris, for sharing input from your auditor. > Long story short, as an accredited CAB, we _definitely_ must check > historical data over the period since previous audit. This requirement > is clearly included in Section 7.9 of ETSI EN 319 403 >

Re: Francisco Partners acquires Comodo certificate authority business

2017-10-31 Thread Kyle Hamilton via dev-security-policy
Another article about this is http://www.securityweek.com/francisco-partners-acquires-comodo-ca . Notably, I'm not seeing anything in the official news announcements pages for either Francisco Partners or Comodo. Is this an attempt at another StartCom (silent ownership transfer), or is it a

Re: Bugzilla/wiki integration broken

2017-10-31 Thread Kathleen Wilson via dev-security-policy
On Monday, October 30, 2017 at 5:17:38 PM UTC-7, Kathleen Wilson wrote: > On Saturday, October 28, 2017 at 5:07:51 PM UTC-7, Kathleen Wilson wrote: > > All, > > > > Mozilla's Bugzilla system was updated a couple of days ago, and now the > > Bugzilla/wiki integration is not working very well. So

Re: ETSI Audits Almost Always FAIL to list audit period

2017-10-31 Thread Dimitris Zacharopoulos via dev-security-policy
On 31/10/2017 11:21 AM, Dimitris Zacharopoulos via dev-security-policy wrote: It is not the first time this issue is brought up. While I have a very firm opinion that ETSI auditors under the ISO 17065 (focused on the quality of products/services) and ETSI EN 319 403 definitely check

Francisco Partners acquires Comodo certificate authority business

2017-10-31 Thread Kyle Hamilton via dev-security-policy
http://www.eweek.com/security/francisco-partners-acquires-comodo-s-certificate-authority-business

Re: ETSI Audits Almost Always FAIL to list audit period

2017-10-31 Thread Ryan Sleevi via dev-security-policy
On Tue, Oct 31, 2017 at 8:34 AM, Dimitris Zacharopoulos via dev-security-policy wrote: > > Do you believe that the requirements stated in the policy are unclear? That >> is, as Kathleen mentioned, the Mozilla policy states all the information >> that must be

Re: ETSI Audits Almost Always FAIL to list audit period

2017-10-31 Thread Dimitris Zacharopoulos via dev-security-policy
On 31/10/2017 1:37 PM, Ryan Sleevi via dev-security-policy wrote: On Tue, Oct 31, 2017 at 5:21 AM Dimitris Zacharopoulos via dev-security-policy wrote: It is not the first time this issue is brought up. While I have a very firm opinion that ETSI auditors

Re: ETSI Audits Almost Always FAIL to list audit period

2017-10-31 Thread Ryan Sleevi via dev-security-policy
On Tue, Oct 31, 2017 at 5:21 AM Dimitris Zacharopoulos via dev-security-policy wrote: > > It is not the first time this issue is brought up. While I have a very > firm opinion that ETSI auditors under the ISO 17065 (focused on the > quality of

Re: ETSI audits not listing audit periods

2017-10-31 Thread Gervase Markham via dev-security-policy
Hi Arno, On 31/10/17 08:46, Arno Fiedler wrote: > there is a problem with the auditor qualification and the national > accreditation of some auditing bodies. Can you help us understand what about the discussion so far leads you to that conclusion? It seems to me that the problem being raised is

Re: ETSI audits not listing audit periods

2017-10-31 Thread Arno Fiedler via dev-security-policy
Hello Kathleen, there is a problem with the auditor qualification and the national accreditation of some auditing bodies. We'll ask ACABc to suggest a solution to take care about proper education of "qualified" auditors and "good practice" audit statements as suggested by Mozilla, maybe we