Re: ComSign Root Renewal Request

2018-02-14 Thread zshetach--- via dev-security-policy
Dear Ryan You accuse our root status by saying: "We know that key has been run on deficient infrastructure, with deficient software, and done deficient things..." As a matter of fact the ROOT resides on a FIPS140-2 L3 HSM and kept all its lifetime in an offline status (in a robust SAFE) and was

Re: Public trust of VISA's CA

2018-02-14 Thread Wayne Thayer via dev-security-policy
On Wed, Feb 14, 2018 at 10:47 AM, Tim Smith via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Wednesday, February 14, 2018 at 8:43:19 AM UTC-8, Wayne Thayer wrote: > > In this particular case, my conclusion is that the existing Mozilla > > process is working. We have

Re: Public trust of VISA's CA

2018-02-14 Thread Tim Smith via dev-security-policy
On Wednesday, February 14, 2018 at 8:43:19 AM UTC-8, Wayne Thayer wrote: > In this particular case, my conclusion is that the existing Mozilla > process is working. We have documented a number of issues that when > considered in aggregate warrant an investigation. Hi Wayne, Forgive me if I'm

Re: Public trust of VISA's CA

2018-02-14 Thread westmail24--- via dev-security-policy
It seems to me that some CAs leave Mozilla's questions unanswered because they know that it will not cause any serious consequences. I mean removing root certificates from Mozilla Root Store. However, this point of view here seems to have already been voiced.

Re: ComSign Root Renewal Request

2018-02-14 Thread Ryan Sleevi via dev-security-policy
On Wed, Feb 14, 2018 at 10:29 AM, YairE via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > We take your recommendation and we consider generating a brand new root > with a new key pair that will run only on the new CA software – whilst > providing all the audits and needed

Re: Public trust of VISA's CA

2018-02-14 Thread Wayne Thayer via dev-security-policy
On Tue, Feb 13, 2018 at 11:26 PM, Paul Kehrer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On February 14, 2018 at 4:17:16 AM, Wayne Thayer via dev-security-policy ( > dev-security-policy@lists.mozilla.org) wrote: > > > The most recent BR audit report for the Visa

Re: ComSign Root Renewal Request

2018-02-14 Thread Ryan Sleevi via dev-security-policy
On Wed, Feb 14, 2018 at 10:27 AM, YairE via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Dear Ryan > > We need to refer to the points you have raised regarding the ROOT KEY – we > must stress that the ROOT KEY and the ROOT CA are two different and > separate entities. >

Re: ComSign Root Renewal Request

2018-02-14 Thread YairE via dev-security-policy
Dear Wayne We do understand the issues raised and instead of addressing each one separately we would give a shorter answer: We do agree that mistakes were made with this rootCA and we understand your hesitation. We also believe that our current CPS state is well and that we made a lot of

Re: ComSign Root Renewal Request

2018-02-14 Thread YairE via dev-security-policy
Dear Ryan We need to refer to the points you have raised regarding the ROOT KEY – we must stress that the ROOT KEY and the ROOT CA are two different and separate entities. Whilst the ROOT CA does have some history the ROOT KEY was never (and shouldn’t be) in question. “I hope you can