Re: Policy 2.7 Proposal:Extend Section 8 to Encompass Subordinate CAs

Adding to Jeremy's post, I believe we need to also define a normative requirement to mark an unconstrained Intermediate CA Certificate not operated by the entity that controls the Root Key. Section 7.1.6.3 of the Baseline Requirements requires an explicit policy identifier for these subCAs. The

Re: Re: [FORGED] Re: Website owner survey data on identity, browser UIs, and the EV UI

On Thu, Oct 03, 2019 at 05:36:50PM -0700, Ronald Crane via dev-security-policy wrote: > > On 10/3/2019 2:09 PM, Ryan Sleevi via dev-security-policy wrote: > > [snip] > > > I guess I wasn't specific enough. I am looking for a good study that > > > supports the proposition that the Internet

Re: [FORGED] Re: [FORGED] Re: Website owner survey data on identity, browser UIs, and the EV UI

On 10/3/2019 2:09 PM, Ryan Sleevi via dev-security-policy wrote: [snip] I guess I wasn't specific enough. I am looking for a good study that supports the proposition that the Internet community has (1) made a concerted effort to ensure that there is only one authentic domain per entity (or, at

RE: Policy 2.7 Proposal:Extend Section 8 to Encompass Subordinate CAs

Hey Wayne, I think there might be confusion on how the notification is supposed to happen. Is notification through CCADB sufficient? We've uploaded all of the Sub CAs to CCADB including the technically constrained ICAs. Each one that is hosted/operated by itself is marked that way using the

Re: [FORGED] Re: [FORGED] Re: Website owner survey data on identity, browser UIs, and the EV UI

On Thu, Oct 3, 2019 at 3:45 PM Ronald Crane via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 10/2/2019 9:44 PM, Peter Gutmann via dev-security-policy wrote: > > Ronald Crane via dev-security-policy < > dev-security-policy@lists.mozilla.org> writes: > > > >> Please cite

Re: Policy 2.7 Proposal:Extend Section 8 to Encompass Subordinate CAs

I'd like to revisit this topic because I see it as a significant change and am surprised that it didn't generate any discussion. Taking a step back, a change [1] to notification requirements was made last year to require CAs that are signing unconstrained subordinate CAs (including cross-certs)

Re: [FORGED] Re: [FORGED] Re: Website owner survey data on identity, browser UIs, and the EV UI

On 10/2/2019 9:44 PM, Peter Gutmann via dev-security-policy wrote: Ronald Crane via dev-security-policy writes: Please cite the best study you know about on this topic (BTW, I am *not* snidely implying that there isn't one). Sure, gimme a day or two since I'm away at the moment.

Re: DigiCert OCSP services returns 1 byte

I've gone ahead and moved [4] to the "Recommended Practices" section. The ballot to modify the BRs is now in the formal discussion period leading up to a vote [5]. I'll be resolving the existing compliance bugs on this issue as INVALID. I'd like to thank the CAs that proactively submitted