I have updated the "Acceptable remediation" section of
https://wiki.mozilla.org/CA/Audit_Letter_Validation#Intermediate_Certificates
as follows.
I will greatly appreciate your review and input on this.
~~
Acceptable remediation:
Remediation may include one of the following when a
non-technicall
On Fri, Feb 7, 2020 at 12:27 PM Dimitris Zacharopoulos via
dev-security-policy wrote:
> Finally, I don't think auditor professional ethics have anything to do
> with this discussion. Both audit schemes allow for reports to be updated
> otherwise we wouldn't even have this option on the table. Cha
For what it's worth, I think that there should be two distinct cases:
a) Self-signed Certificates that have the same SPKI and name, but only
one was ever requested to be included as a Trust Anchor in the Mozilla
Root Program,
b) Variations of Issuing CA Certificates that have the same SPKI an
On Fri, Feb 7, 2020 at 11:00 AM Wayne Thayer wrote:
> I'd like to see Mozilla require an incident report from CAs that can't or
> won't follow the existing guidance (by either supplying a revised audit
> statement, revoking the certificate, or adding it to OneCRL). A number of
> CAs have resolved
On Thu, Feb 6, 2020 at 5:44 PM Ryan Sleevi via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> My recommendation is that, for audit periods ending within the next 30 or
> so days (meaning, effectively, for reports provided over the next 4 months,
> given the three month windo
On Fri, Feb 7, 2020 at 7:55 AM douglas.beattie--- via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Thursday, February 6, 2020 at 6:05:20 PM UTC-5, Ryan Sleevi wrote:
> > (Replying from the correct e-mail)
> >
> > On Thu, Feb 6, 2020 at 3:55 PM Doug Beattie via dev-secur
On Thursday, February 6, 2020 at 6:05:20 PM UTC-5, Ryan Sleevi wrote:
> (Replying from the correct e-mail)
>
> On Thu, Feb 6, 2020 at 3:55 PM Doug Beattie via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > We should clarify the Mozilla policy to more clearly define li