RE: Misissuance/non-compliance remediation timelines

2018-02-07 Thread James Burton via dev-security-policy
The idea of a grading system being used to judge CAs' compliance will be a total disaster. We should instead be focusing our efforts on more transparency. James -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+jb=0.me...@lists.mozilla.org] On Behalf Of

Re: ccadb.org

2018-02-07 Thread Kathleen Wilson via dev-security-policy
On 1/30/18 6:19 AM, Gervase Markham wrote: On 30/01/18 00:48, James Burton wrote: I was doing research on the ccadb.org site and was surprised to find that the site is running only in HTTP and is not using HTTPS. Now, I understand that GitHub pages don't support HTTPS for custom domains but you

RE: Misissuance/non-compliance remediation timelines

2018-02-07 Thread Tim Hollebeek via dev-security-policy
Alex, Most CAs probably wouldn’t aim for an A. I don’t think doing this would be a game changer. However there are some CAs that would. And I think that would be a positive thing, and lead to more innovation in best practices that could become mandatory for everyone over time. And

Re: ComSign Root Renewal Request

2018-02-07 Thread YairE via dev-security-policy
Hi Wayne, responding to your notes: Section 4.9 states that in any case that Comsign is notified about a misissuance (no matter if it was notified by a subscriber or in any other way) Comsign shall revoke the certificate. It is true that we didn’t update the version number and we have

RE: Misissuance/non-compliance remediation timelines

2018-02-07 Thread Tim Hollebeek via dev-security-policy
That’s pretty much exactly not what I said. From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Tuesday, February 6, 2018 10:38 PM To: Tim Hollebeek Cc: Paul Kehrer ; mozilla-dev-security-pol...@lists.mozilla.org; r...@sleevi.com Subject: