Re: Certificates with subject stateOrProvinceName "Some-State"

2019-05-14 Thread timo.schmitt.ch--- via dev-security-policy
As reported earlier this is the link to bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1551364 Thank you Timo (SwissSign)

Re: Policy 2.7 Proposal: Clarify Revocation Requirements for S/MIME Certificates

2019-05-14 Thread Kathleen Wilson via dev-security-policy
On 5/10/19 5:46 PM, Wayne Thayer wrote: I've attempted to update section 6 to incorporate revocation requirements for S/MIME certificates: https://github.com/mozilla/pkipolicy/commit/15ad5b9180903b92b8f638c219740c0fb6ba0637 Note: since much of this language is copied directly from the BRs, if w

Re: Trusted Recursive Resolver Policy in India

2019-05-14 Thread Wayne Thayer via dev-security-policy
On Sun, May 12, 2019 at 9:59 AM Nemo via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Hi, > > I've been running a public DNSCrypt resolver[0] for the last 2 years, > and would like to start a DoH resolver as well. I went through the > DoH-Resolver-Policy page[1] and have s

Re: Policy 2.7 Proposal: CA Certificate Binding to Policy Documents

2019-05-14 Thread Wayne Thayer via dev-security-policy
I've gone ahead and made this change in the 2.7 branch: https://github.com/mozilla/pkipolicy/commit/3a70cf31cf81f5e00b62f958fe8a3b59c7cb0f34 I'll consider this issue resolved unless further comments are received. - Wayne On Mon, May 13, 2019 at 11:41 PM Pedro Fuentes via dev-security-policy < de

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-05-14 Thread Wayne Thayer via dev-security-policy
On Mon, May 13, 2019 at 9:13 PM Ryan Hurst via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > Though it seems the thread has largely expressed my concerns I do want to > chime in and stress that I believe that it is important that this text gets > clarified. > > Does repla

Re: Policy 2.7 Proposal: Clarify Revocation Requirements for S/MIME Certificates

2019-05-14 Thread Wayne Thayer via dev-security-policy
On Tue, May 14, 2019 at 11:21 AM Kathleen Wilson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 5/10/19 5:46 PM, Wayne Thayer wrote: > > I've attempted to update section 6 to incorporate revocation requirements > > for S/MIME certificates: > > > > > https://github.com

Re: Policy 2.7 Proposal: Forbid Delegation of Email Validation for S/MIME Certificates

2019-05-14 Thread Ryan Hurst via dev-security-policy
> Does replacing the existing "require practice" language by adding the > following sentence to the Root Store Policy achieve the clarity you're > seeking and avoid the problems you've pointed out? > > "CAs MUST NOT delegate validation of the domain name part of an email > address to a 3rd party."

Re: Certinomis Issues

2019-05-14 Thread Andrew Ayer via dev-security-policy
I would like to highlight the many examples of Certinomis' poor incident response. Sometimes Certinomis ignores problems entirely - for example, in , a misissued certificate is still unrevoked and unacknowledged three months after being repo