The timing and content of any announcement is undoubtedly complicated, caused, in no small part, by legitimate needs for confidentiality against the goals of transparency. I have every reason to trust in the good
mw--- via dev-security-policy writes:
>So they sell multiple roots over to a company that is "the leader in Deep
>Packet Inspection (DPI) and we've got a lot going on in that space" and
>enable them to issue trusted certificates and mitm all encrypted
A couple of points of clarification (as it seems to have stirred some questions)
1. Migration to the DigiCert issuing and validation process only applies to
certs intended for browser use, meaning the infrastructure may issue code
signing, email, etc certs post Dec 1. These certs will be
Re-posting the message below, because it appears that this message did
not get propagated to groups.google.com.
I have filed a bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1412993 -
mozilla.dev.security.policy posts not getting propagated to Google Groups
-Original Message-
On 10/31/17 2:57 PM, Dimitris Zacharopoulos wrote:
[NS]: If all ETSI reports delivered to Root Programs had clear
indication regarding the “audit period” and the type of the audit (i.e.
full), probably this discussion would not be raised at all?
Correct.
For example, in all our
On Tue, Oct 31, 2017 at 5:29 PM, Dimitris Zacharopoulos via
dev-security-policy wrote:
>
> I don't believe your statement is supported by the evidence - which is why
>> I'm pushing you to provide precise references. Consider from the
>> perspective as a
You didn't really leave room for productive discussion between your
options, did you? :)
As you can see from
https://github.com/mozilla/pkipolicy/blob/master/rootstore/policy.md#8-ca-operational-changes
, notification is required for certain changes - but that notification goes
to a Mozilla mail
Both articles are long on names, short on dates. I don't fault the authors for that but it is troubling that better information wasn't made available to them. When can we expect a proper announcement in this
Thank you, Dimitris, for sharing input from your auditor.
> Long story short, as an accredited CAB, we _definitely_ must check
> historical data over the period since previous audit. This requirement
> is clearly included in Section 7.9 of ETSI EN 319 403
>
Another article about this is
http://www.securityweek.com/francisco-partners-acquires-comodo-ca .
Notably, I'm not seeing anything in the official news announcements
pages for either Francisco Partners or Comodo. Is this an attempt at
another StartCom (silent ownership transfer), or is it a
On Monday, October 30, 2017 at 5:17:38 PM UTC-7, Kathleen Wilson wrote:
> On Saturday, October 28, 2017 at 5:07:51 PM UTC-7, Kathleen Wilson wrote:
> > All,
> >
> > Mozilla's Bugzilla system was updated a couple of days ago, and now the
> > Bugzilla/wiki integration is not working very well. So
On 31/10/2017 11:21 AM, Dimitris Zacharopoulos via dev-security-policy
wrote:
It is not the first time this issue is brought up. While I have a very
firm opinion that ETSI auditors under the ISO 17065 (focused on the
quality of products/services) and ETSI EN 319 403 definitely check
http://www.eweek.com/security/francisco-partners-acquires-comodo-s-certificate-authority-business
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
On Tue, Oct 31, 2017 at 8:34 AM, Dimitris Zacharopoulos via
dev-security-policy wrote:
>
> Do you believe that the requirements stated in the policy are unclear? That
>> is, as Kathleen mentioned, the Mozilla policy states all the information
>> that must be
On 31/10/2017 1:37 PM, Ryan Sleevi via dev-security-policy wrote:
On Tue, Oct 31, 2017 at 5:21 AM Dimitris Zacharopoulos via
dev-security-policy wrote:
It is not the first time this issue is brought up. While I have a very
firm opinion that ETSI auditors
On Tue, Oct 31, 2017 at 5:21 AM Dimitris Zacharopoulos via
dev-security-policy wrote:
>
> It is not the first time this issue is brought up. While I have a very
> firm opinion that ETSI auditors under the ISO 17065 (focused on the
> quality of
Hi Arno,
On 31/10/17 08:46, Arno Fiedler wrote:
> there is a problem with the auditor qualification and the national
> accreditation of some auditing bodies.
Can you help us understand what about the discussion so far leads you to
that conclusion? It seems to me that the problem being raised is
Hello Kathleen,
there is a problem with the auditor qualification and the national
accreditation of some auditing bodies.
We'll ask ACABc to suggest a solution to take care about proper education of
"qualified" auditors and "good practise" audit statements as suggested by
Mozilla, maybe we