Yes – we will do so. We’ve encouraged all customers to not generate key pairs
for TLS certs on behalf of third parties in the past. A reminder would be
useful.
From: Wayne Thayer
Sent: Thursday, January 10, 2019 1:18 PM
To: Jeremy Rowley
Cc: Alex Gaynor ; Buschart, Rufus
; Alex Cohn ; Hanno B
Thanks Jeremy. The fact that CertCenter is just a reseller and not an RA
was not obvious to me. To your point, building an insecure website on top
of a CA's API does not strike me as something that we should be terribly
worried about.
I would encourage DigiCert to ask CertCenter to discontinue the
On 10/01/2019 19:00, Jeremy Rowley wrote:
> A couple of thoughts:
> 1) CertCenter is not a CA or RA. They have a custom named ICA that is hosted
> and operated by DigiCert. All validation, issuance, and linting is performed
> by DigiCert prior to issuance.
> 2) Lots of cert customers have insecur
A couple of thoughts:
1) CertCenter is not a CA or RA. They have a custom named ICA that is hosted
and operated by DigiCert. All validation, issuance, and linting is performed by
DigiCert prior to issuance.
2) Lots of cert customers have insecure websites. This indicates CAs should
scan website
On 10/01/2019 15:38, Jason wrote:
I would say that the problem here would be that a child certificate can't use a
higher cryptography level than the issuer; this is against good practices and,
AFAIK, against the WebTrust audit criteria.
Jason
Note that the only one of all these certificates th
Checking this again I see that I'm probably wrong about Webtrust... Looking at
4.1.3-b:
4.1.3
CA key generation generates keys that:
a) use a key generation algorithm as disclosed within the CA’s CP and/or CPS;
b) have a key length that is appropriate for the algorithm and for the validity
perio
Jason - where did you see this requirement?
-Original Message-
From: dev-security-policy On
Behalf Of Jason via dev-security-policy
Sent: Thursday, January 10, 2019 9:38 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: P-521 Certificates
I would say that the problem here would be that a child certificate can't use a
higher cryptography level than the issuer; this is against good practices and,
AFAIK, against the WebTrust audit criteria.
Jason
The Mozilla policy does not prohibit backdating, except when it's used to
evade time-based policy controls.
Backdating certs by a few hours is a relatively common practice to minimize
breakages for consumers with busted clocks.
Alex
On Thu, Jan 10, 2019 at 4:43 AM Buschart, Rufus via dev-securit
The certificate [1] also seems to be 'back-dated' by about 18 hours. What is
Mozilla's opinion about this in the light of
https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Backdating_the_notBefore_Date
?
> It appears AlwaysOnSSL is not completely disabled - if we trust CT as a
>
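The two observations in this thread, a P-521 leaf hanging off a weaker issuer and a notBefore some hours before the certificate was logged, are both easy to check mechanically once a chain is in hand. The script below is an added example, not code from the thread or from any CA or the Mozilla policy; the `CertInfo` record, the `lint_chain`/`effective_strength` functions, the 6-hour backdating tolerance and the sample chain are all assumptions made here, and the chain is constructed rather than the certificate discussed above. Key strengths follow NIST SP 800-57 Part 1 Rev. 5, Table 2. Note that the strength check reports what the extra key size buys (nothing, if the signature vouching for it is weaker); whether that is a policy violation is exactly the question Jason walks back above, so the script does not claim one.

```python
"""Chain lint, stdlib only: certificates are described as records, not parsed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List


def key_strength(algorithm: str, bits: int) -> int:
    """Security strength in bits per NIST SP 800-57 Part 1 Rev. 5, Table 2."""
    if algorithm == "RSA":
        table = ((15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80))
    elif algorithm == "EC":
        table = ((512, 256), (384, 192), (256, 128), (224, 112), (160, 80))
    else:
        raise ValueError(f"unsupported key algorithm {algorithm!r}")
    for floor, strength in table:
        if bits >= floor:
            return strength
    return 0


# Collision resistance of the signature hash; SHA-1 is treated as broken.
HASH_STRENGTH = {"sha1": 0, "sha256": 128, "sha384": 192, "sha512": 256}


@dataclass
class CertInfo:
    subject: str
    key_alg: str                       # "RSA" or "EC"
    key_bits: int                      # modulus size, or curve size (P-521 -> 521)
    sig_hash: str                      # hash in the signature *over* this cert
    not_before: datetime
    sct_timestamps: List[datetime] = field(default_factory=list)


def signature_strength(cert: CertInfo, issuer: CertInfo) -> int:
    """Strength of the signature vouching for `cert`: capped by the issuer's key
    and by the hash the issuer signed over."""
    return min(key_strength(issuer.key_alg, issuer.key_bits),
               HASH_STRENGTH[cert.sig_hash])


def effective_strength(chain: List[CertInfo]) -> int:
    """Weakest link of a leaf-first chain: every key plus every signature except
    the root's self-signature, which relying parties never verify."""
    keys = [key_strength(c.key_alg, c.key_bits) for c in chain]
    sigs = [signature_strength(c, i) for c, i in zip(chain, chain[1:])]
    return min(keys + sigs)


def lint_chain(chain: List[CertInfo],
               max_backdate: timedelta = timedelta(hours=6)) -> List[str]:
    """Return findings as strings; empty list means nothing to report.
    `max_backdate` is an assumed tolerance for clock-skew backdating (the
    "few hours" practice), not a number taken from Mozilla policy."""
    findings = []
    for cert, issuer in zip(chain, chain[1:]):
        own = key_strength(cert.key_alg, cert.key_bits)
        vouched = signature_strength(cert, issuer)
        if own > vouched:
            findings.append(
                f"{cert.subject}: {cert.key_alg}-{cert.key_bits} key ({own}-bit) is "
                f"vouched for by a {vouched}-bit signature from {issuer.subject}; "
                f"the extra key strength buys nothing")
    leaf = chain[0]
    if leaf.sct_timestamps:
        logged = min(leaf.sct_timestamps)          # earliest CT sighting
        backdate = logged - leaf.not_before
        if backdate > max_backdate:
            findings.append(
                f"{leaf.subject}: notBefore is {backdate} before the earliest SCT "
                f"(tolerance {max_backdate}); check whether this evades a "
                f"time-based policy control")
    return findings


UTC = timezone.utc
# Constructed sample: P-521 leaf under an RSA-2048 issuing CA, logged 18 h after
# its notBefore.  Not the certificate from the thread.
SAMPLE_CHAIN = [
    CertInfo("example.test (leaf)", "EC", 521, "sha256",
             datetime(2019, 1, 9, 0, 0, tzinfo=UTC),
             [datetime(2019, 1, 9, 18, 0, tzinfo=UTC)]),
    CertInfo("Example Issuing CA", "RSA", 2048, "sha256",
             datetime(2017, 1, 1, tzinfo=UTC)),
    CertInfo("Example Root", "RSA", 4096, "sha256",
             datetime(2010, 1, 1, tzinfo=UTC)),
]

if __name__ == "__main__":
    print(f"effective strength: {effective_strength(SAMPLE_CHAIN)} bits")
    for line in lint_chain(SAMPLE_CHAIN):
        print("-", line)
```

On the sample chain the effective strength comes out at 112 bits (the RSA-2048 issuer), and two findings are reported: the P-521 leaf is vouched for by a 112-bit signature, and notBefore sits 18 hours before the first SCT. Raising `max_backdate` to a day drops the second finding, which is the knob to turn if you consider a day of skew tolerance acceptable.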