Re: Public trust of VISA's CA

2018-02-13 Thread Paul Kehrer via dev-security-policy
On February 14, 2018 at 4:17:16 AM, Wayne Thayer via dev-security-policy ( dev-security-policy@lists.mozilla.org) wrote: > The most recent BR audit report for the Visa eCommerce Root contains 3 qualifications: http://enroll.visaca.com/WTBR%20eComm.pdf Does Mozilla have any guidelines or official

Re: Japan GPKI Root Renewal Request

2018-02-13 Thread Ryan Sleevi via dev-security-policy
On Mon, Feb 12, 2018 at 6:31 PM Wayne Thayer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > All of my questions regarding the CP/CPS and audits have been answered to > my satisfaction. I am left with two concerns: > > 1. This root was signed on 12-March 2013. The first

Re: Public trust of VISA's CA

2018-02-13 Thread Jonathan Rudenberg via dev-security-policy
> On Feb 13, 2018, at 19:16, Wayne Thayer via dev-security-policy > wrote: > > On Tue, Feb 13, 2018 at 10:49 AM, Jonathan Rudenberg > wrote: > >> >>> On Sep 19, 2017, at 11:12, Gervase Markham via dev-security-policy < >>

Re: Public trust of VISA's CA

2018-02-13 Thread Wayne Thayer via dev-security-policy
On Tue, Feb 13, 2018 at 10:49 AM, Jonathan Rudenberg wrote: > > > On Sep 19, 2017, at 11:12, Gervase Markham via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > > In the light of this, I believe it is reasonable to discuss the question > > of

RE: Mozilla’s Plan for Symantec Roots

2018-02-13 Thread Tim Hollebeek via dev-security-policy
> OK. I'm researching what approach should be used for the Fedora Linux > distribution, where a single CA trust list (based on Mozilla's CA trust > list) is used for the whole system, including Firefox, and other > applications that > use other certificate validation logic, like the ones built

Re: Mozilla’s Plan for Symantec Roots

2018-02-13 Thread Ryan Sleevi via dev-security-policy
On Tue, Feb 13, 2018 at 4:40 PM, Kai Engert via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > For the second distrust phase in Autumn 2018, assume that all Symantec > customers (excluding the managed CAs that are covered by the whitelisted > subCA SPKIs) have been fully

Re: Mozilla’s Plan for Symantec Roots

2018-02-13 Thread Kai Engert via dev-security-policy
On 13.02.2018 18:10, Ryan Sleevi wrote: > > On Tue, Feb 13, 2018 at 11:30 AM, Kai Engert > wrote: > > A couple more comments below: > > On 12.02.2018 19:13, Ryan Sleevi wrote: > > > > You're asking about non-browser environments that cannot >

Re: Public trust of VISA's CA

2018-02-13 Thread Jonathan Rudenberg via dev-security-policy
> On Sep 19, 2017, at 11:12, Gervase Markham via dev-security-policy > wrote: > > In the light of this, I believe it is reasonable to discuss the question > of whether Visa's PKI (and, specifically, the VISA eCommerce Root, > https://crt.sh/?id=896972 ,

Re: Mozilla’s Plan for Symantec Roots

2018-02-13 Thread Ryan Sleevi via dev-security-policy
On Tue, Feb 13, 2018 at 11:30 AM, Kai Engert wrote: > Hello Ryan, > > thanks a lot for your very helpfull response! > > A couple more comments below: > > On 12.02.2018 19:13, Ryan Sleevi wrote: > > A separate question which would be good to clarified: What about > >

Re: Mozilla’s Plan for Symantec Roots

2018-02-13 Thread Kai Engert via dev-security-policy
Hello Ryan, thanks a lot for your very helpfull response! A couple more comments below: On 12.02.2018 19:13, Ryan Sleevi wrote: > A separate question which would be good to clarified: What about > environments, which want to distrust all old Symantec roots in October > 2018, but