Re: ComSign Root Renewal Request

2018-02-12 Thread Wayne Thayer via dev-security-policy
Hi Yair,

On Mon, Feb 12, 2018 at 11:50 AM, YairE via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Hi Wayne,
> Please realize our situation versus the Israeli market. We are the major
> certificate authority and we comply with every piece of local regulation,
> we are

Re: Japan GPKI Root Renewal Request

2018-02-12 Thread Wayne Thayer via dev-security-policy
All of my questions regarding the CP/CPS and audits have been answered to my satisfaction. I am left with two concerns: 1. This root was signed on 12-March 2013. The first end-entity certificate that I'm aware of was signed later in 2013. Mozilla began requiring BR audits in 2014, but the first

Re: ComSign Root Renewal Request

2018-02-12 Thread Ryan Sleevi via dev-security-policy
I hope you can understand that trust is not just based on the state of the world 'today', but based on everything that key has ever done and every bit of infrastructure that key has run on. We know that key has been run on deficient infrastructure, with deficient software, and done deficient

Re: ComSign Root Renewal Request

2018-02-12 Thread YairE via dev-security-policy
Dear Ryan, with all due respect and we do respect you, back in 2016 all the issues you mentioned were about the CPS and were corrected. It took us a lot to create the documentation you've asked for. There was no mentioning of any kind about our CA software or anything about the root itself. We

Re: ComSign Root Renewal Request

2018-02-12 Thread Ryan Sleevi via dev-security-policy
On Mon, Feb 12, 2018 at 1:50 PM, YairE via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Hi Wayne,
> Please realize our situation versus the Israeli market. We are the major
> certificate authority and we comply with every piece of local regulation,
> we are also members

Re: ComSign Root Renewal Request

2018-02-12 Thread YairE via dev-security-policy
Hi Wayne, Please realize our situation versus the Israeli market. We are the major certificate authority and we comply with every piece of local regulation, we are also members of international forums and trying to establish a CA in the UK with a new "international" root (Comsign

Re: Mozilla’s Plan for Symantec Roots

2018-02-12 Thread Ryan Sleevi via dev-security-policy
On Mon, Feb 12, 2018 at 11:36 AM, Kai Engert wrote:
> On 09.02.2018 22:20, Ryan Sleevi wrote:
> > As a small clarification - while Chrome has included the certificates,
> > as noted in the readme, the whitelist is based on SPKI. This was
> > intentional, to avoid situations of

Re: DRAFT January 2018 CA Communication

2018-02-12 Thread Wayne Thayer via dev-security-policy
Friday was the deadline for responding to this survey. Responses are now published at https://wiki.mozilla.org/CA/Communications#January_2018_Responses I would like to thank everyone who took the time to respond, and especially those who provided detailed answers to Action 2 regarding methods 1

Re: Mozilla’s Plan for Symantec Roots

2018-02-12 Thread Piotr Kucharski via dev-security-policy
On Mon, Feb 12, 2018 at 5:36 PM, Kai Engert wrote:
> > For example, if you note, there are two Google certificates, but they
> > share the same SPKI and Subject Name - which is why the Chromium
> > whitelist only has one certificate listed, as it extracts the SPKI from
> > that

Re: Mozilla’s Plan for Symantec Roots

2018-02-12 Thread Kai Engert via dev-security-policy
On 09.02.2018 22:20, Ryan Sleevi wrote:
> As a small clarification - while Chrome has included the certificates,
> as noted in the readme, the whitelist is based on SPKI. This was
> intentional, to avoid situations of interoperability issues.

Hi Ryan,

IIUC, the current implementation in Firefox