Thanks Ryan. It's not entirely obvious, but I understand your logic and it
makes sense. If anyone disagrees, please speak up. Meanwhile, I've opened a
misissuance bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1498463
- Wayne
On Thu, Oct 11, 2018 at 3:39 PM Ryan Sleevi wrote:
>
>
> On Fri,
I believe that may be misunderstanding the concern.
Once these certificates expire, there's not a good way to check whether or
not they were revoked, because such revocation information may be culled
after certificate expiration.
Similarly, if one is looking to verify the claims about revocation
On Thu, Oct 11, 2018 at 11:19:18PM +, please please via dev-security-policy
wrote:
> I was under the impression that CAs were allowed to remove CRL entries and
> OCSP support for expired certificates for some reason. Good to know!
CT logs are not CRLs or OCSP responders, nor do they track
Based on the input into this discussion so far, I propose to add the
following section to the Required part of this wiki page:
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices
We can consider adding text about this directly to Mozilla's Root Store
Policy later. (I'll file the
I was under the impression that CAs were allowed to remove CRL entries and OCSP
support for expired certificates for some reason. Good to know!
On a slightly-unrelated note, you might also want to poke Comodo CA about
https://bugzilla.mozilla.org/show_bug.cgi?id=1461391
Thanks again!
Visiting the www.emsign.com homepage brings up a list of proposed products.
Currently, in the "Types of Certificate" table halfway down the page is the
following:
Wildcard SSL - OV
Wildcard SSL - EV
UCC Wildcard SSL - DV
UCC Wildcard SSL - OV
UCC Wildcard SSL - EV
That's not a good sign at
On Fri, Oct 12, 2018 at 2:32 AM Wayne Thayer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Thank you for this report Fotis.
>
> On Thu, Oct 11, 2018 at 6:13 AM Fotis Loukos via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > Summary
> >
On Thu, Oct 11, 2018 at 02:36:18PM -0700, Wayne Thayer via dev-security-policy
wrote:
> Nick - I expect an emSign representative to respond to all of your
> questions, but their information request indicates that they have been
> operating the Indian Government Root for more than 10 years and
On Thu, Oct 11, 2018 at 01:06:46PM -0700, Wayne Thayer via dev-security-policy
wrote:
> * The CPS allows “external issuing CAs” but does not clearly state that the
> requirements of BR section 1.3.2 will be met. emSign made the following
> comment in response to this concern: “In the CP/CPS,
Nick - I expect an emSign representative to respond to all of your
questions, but their information request indicates that they have been
operating the Indian Government Root for more than 10 years and have issued
over 35 million certificates:
On Thu, 11 Oct 2018 13:06:46 -0700
Wayne Thayer via dev-security-policy
wrote:
> This request is for inclusion of these four emSign roots operated by
> eMudhra in bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1442337
I would like to read more about eMudhra / emSign.
I have never heard of
This request is for inclusion of these four emSign roots operated by
eMudhra in bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1442337
* BR Self Assessment is here:
https://bug1442337.bmoattachments.org/attachment.cgi?id=8955225
* Summary of Information Gathered and Verified:
I just poked Comodo in the bug -
https://bugzilla.mozilla.org/show_bug.cgi?id=1492006
CT Logs are designed such that certificates cannot be removed from them.
The evidence will not disappear once the certificates expire.
On Wed, Oct 10, 2018 at 5:26 PM please please
wrote:
> Any update behind
Thank you for this report Fotis.
On Thu, Oct 11, 2018 at 6:13 AM Fotis Loukos via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Summary
> ---
>
> A number of Qualified Web Authentication Certificates have been issued
> with incorrect qcStatements encoding. A small
I think "Not applicable" would be superior to "No stipulation", when
appropriate.
"3.2.2.5. No IP address certificates are issued under this CPS." is even
clearer.
I haven't looked into the implications of this, but perhaps it would be worth
considering not allowing "No stipulation" in CPSs
Summary
---
A number of Qualified Web Authentication Certificates have been issued
with incorrect qcStatements encoding. A small survey displays that all
certificates issued by a specific SubCA are affected by this issue
(https://crt.sh/?CN=%25=1481). The CA has been notified about
this, but
Good morning,
Government of Spain-Fábrica Nacional de Moneda y Timbre (FNMT) publication in
m.d.s.p forum of the incident report uploaded to bugzilla in response to bug
reported by Wayne Thayer, https://bugzilla.mozilla.org/show_bug.cgi?id=1495507,
Government of Spain FNMT: OU exceeds 64