Re: DigiCert OCSP services returns 1 byte

2019-09-11 Thread Jeremy Rowley via dev-security-policy
I think that's perfectly clear but I wanted to double check in case "perfectly clear" was me misreading it. One thing that does come up a lot is whether a CA has to revoke a pre-certificate if the certificate doesn't actually issue. I think this has been adequately answered on the bug lists but

Re: Request to Include 4 Microsoft Root CAs

2019-09-11 Thread Wayne Thayer via dev-security-policy
Having received no further comments, I have recommended approval of this request in bug 1448093. - Wayne On Thu, Sep 5, 2019 at 5:16 PM Wayne Thayer wrote: > Microsoft will use the CAB Forum OID 2.23.140.1.1 for EV. > > Unless a CA has an existing EV policy OID associated with root(s) in our >

Re: DigiCert OCSP services returns 1 byte

2019-09-11 Thread Wayne Thayer via dev-security-policy
Correct. That's what I intended to convey with the last sentence: This means, for example, that the requirements for OCSP for end-entity > certificates apply even when a CA has issued a precertificate without > issuing a corresponding certificate. > Do you have any suggestions for how I can

RE: DigiCert OCSP services returns 1 byte

2019-09-11 Thread Jeremy Rowley via dev-security-policy
Hey Wayne - I take it that this "Mozilla recognizes a precertificate as proof that a corresponding certificate has been issued" means a CA issuing a precert without the final cert must respond "good" unless the pre-cert is revoked? Responding unknown means the CA wouldn't know that they issued

Re: DigiCert OCSP services returns 1 byte

2019-09-11 Thread Wayne Thayer via dev-security-policy
Mozilla has, to date, not published policies related to Certificate Transparency, but this is a case where a clarification would be helpful. I propose adding the following language to our "Required Practices" wiki page [1]: The current implementation of Certificate Transparency does not provide

Re: EV Jurisdiction of Incorporation

2019-09-11 Thread Ryan Sleevi via dev-security-policy
Thanks Jeremy, This is great. I filed https://github.com/mozilla/pkipolicy/issues/188 because this seems like something that can be reused and perhaps even required by policy. On Wed, Sep 11, 2019 at 5:59 PM Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: >

EV Jurisdiction of Incorporation

2019-09-11 Thread Jeremy Rowley via dev-security-policy
Hi Everyone, One of my goals at DigiCert is to provide greater transparency. One of the ideas I’ve kicked around is community-driven EV or EV transparency. To start that off, I thought I’d share the sources we use for verification of the jurisdiction of incorporation/registration here. This list is

Re: Trusted Recursive Resolver Policy in India

2019-09-11 Thread rich.salz--- via dev-security-policy
Is this list the right place to discuss the TRR policy? If so, could the wiki page on the policy be updated to point to it?

Re: SSL.com: OCSP Responder returns incorrect status for certificates failing CT submission

2019-09-11 Thread Chris Kemmerer via dev-security-policy
Copypaste fail, apologies. Correct bug is: https://bugzilla.mozilla.org/show_bug.cgi?id=1579509 On Wednesday, September 11, 2019 at 11:30:57 AM UTC-5, Christopher Kemmerer wrote: > We have been monitoring the discussions on the m.d.s.p. mailing list > and, after the announcements of

SSL.com: OCSP Responder returns incorrect status for certificates failing CT submission

2019-09-11 Thread Christopher Kemmerer via dev-security-policy
We have been monitoring the discussions on the m.d.s.p. mailing list and, after the announcements of GlobalSign and Let's Encrypt, found that our OCSP responder is affected by the same issue. In particular, whenever a precertificate is generated, but CT submission fails, EJBCA will fail to