On Monday, May 13, 2019 at 10:25:18 AM UTC-7, Wayne Thayer wrote:
> The BRs forbid delegation of domain and IP address validation to third
> parties. However, the BRs don't forbid delegation of email address
> validation nor do they apply to S/MIME certificates.
>
> Delegation of email address
Thanks for reporting this Alex.
I have created the following bugs to track these issues:
Sectigo: https://bugzilla.mozilla.org/show_bug.cgi?id=1551362
DigiCert: https://bugzilla.mozilla.org/show_bug.cgi?id=1551363
SwissSign: https://bugzilla.mozilla.org/show_bug.cgi?id=1551364
Government of
On Mon, May 13, 2019 at 2:09 PM Pedro Fuentes via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Piggybacking to Ryan's message and putting into my mundane words, I'd say
> that it is reasonable to say that a CA must not delegate the validation of
> what is after the @ in the
On Mon, May 13, 2019 at 02:35:51PM -0700, fchassery--- via dev-security-policy
wrote:
> Issue A found its source in the good relationships between Franck and
> Iñigo, who both are no more in charge;
Is the only change to address Issue A the removal of Franck from a position
of leadership within
On Mon, May 13, 2019 at 7:06 AM Pedro Fuentes via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Hi Wayne,
> inserting my comments below.
> Best,
> Pedro
>
> On Friday, May 10, 2019, 23:54:40 (UTC+2), Wayne Thayer wrote:
> > I have drafted the change as proposed,
On Mon, May 13, 2019 at 01:35:09AM -0700, Mike Kushner via dev-security-policy
wrote:
> On Monday, May 13, 2019 at 1:39:32 AM UTC+2, Matt Palmer wrote:
> > On Sat, May 11, 2019 at 08:37:53AM -0700, Han Yuwei via dev-security-policy
> > wrote:
> > > This raised a question:
> > > How can CA prove
On Saturday, May 11, 2019 at 11:16:30 UTC+2, okaphone@gmail.com wrote:
> On Friday, 10 May 2019 19:00:11 UTC+2, Wayne Thayer wrote:
>
> ...
>
> > I share the concern that option #2 sends a confusing message. As Jonathan
> > stated, why should we distrust a CA for all but the most important
Piggybacking to Ryan's message and putting into my mundane words, I'd say that
it is reasonable to say that a CA must not delegate the validation of what is
after the @ in the email address, but I think it's totally admissible to let
the domain owner (and typically email service provider) to
Hello Wayne:
The current wording in section 2.2 "Validation Practices" of the Mozilla Root
Store Policy says:
2. For a certificate capable of being used for digitally signing or encrypting
email messages, the CA takes reasonable measures to verify that the entity
submitting the request
On Mon, May 13, 2019 at 1:25 PM Wayne Thayer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> The BRs forbid delegation of domain and IP address validation to third
> parties. However, the BRs don't forbid delegation of email address
> validation nor do they apply to
The BRs forbid delegation of domain and IP address validation to third
parties. However, the BRs don't forbid delegation of email address
validation nor do they apply to S/MIME certificates.
Delegation of email address validation is already addressed by Mozilla's
Forbidden Practices [1] state:
Hi Wayne,
inserting my comments below.
Best,
Pedro
On Friday, May 10, 2019, 23:54:40 (UTC+2), Wayne Thayer wrote:
> I have drafted the change as proposed, moving the exact "Required Practice"
> language into section 3.3 of the policy:
>
On Monday, May 13, 2019 at 1:39:32 AM UTC+2, Matt Palmer wrote:
> On Sat, May 11, 2019 at 08:37:53AM -0700, Han Yuwei via dev-security-policy
> wrote:
> > This raised a question:
> > How can CA prove they have done CAA checks or not at the time of issue?
>
> They can't, just as they can't
Hi Alex,
Thank you for reporting this issue. The certificates will be revoked in
accordance with BR 4.9.1.1. We will provide an incident report after the
internal investigation is finished.
Kind regards,
Arnold
___
dev-security-policy mailing list
14 matches