On Friday, May 19, 2017 at 8:42:40 AM UTC-7, Gervase Markham wrote:
>
> I have passed that document to Kathleen, and I hope she will be
> endorsing this general direction soon, at which point it will no longer
> be a draft.
>
> Assuming she does, this will effectively turn into a 3-way
On Thursday, May 18, 2017 at 10:08:32 AM UTC-7, Kathleen Wilson wrote:
> All,
>
> Below is the draft email that I plan to send later today, after we have final
> confirmation from Salesforce regarding these proposed changes.
>
We received confirmation from Salesforce that these changes to the
All,
Below is the draft email that I plan to send later today, after we have final
confirmation from Salesforce regarding these proposed changes.
I will appreciate your feedback on this.
Thanks,
Kathleen
Subject: Common CA Database (CCADB) changes May 19-21, 2017
Dear Certification
Forwarded Message
Subject: Summary of May 2017 Audit Reminder Emails
Date: Tue, 16 May 2017 19:00:29 + (GMT)
Mozilla: Audit Reminder
Root Certificates:
Autoridad de Certificacion Firmaprofesional CIF A62634068
Standard Audit:
Here are the changes we are requesting to be made on Friday, May 19, at 1pm PDT.
1) https://mozillacacommunity.force.com/
will be changed to
https://ccadb.force.com/
(This is the CA login page, and the domain CAs see when they are logged into
the CCADB)
2)
On Tuesday, May 9, 2017 at 10:03:53 AM UTC-7, Kurt Roeckx wrote:
>
> Do we somewhere have the official templates being used to send
> reminders of the audit requirements?
Unofficial templates:
https://wiki.mozilla.org/CA:Email_templates
The official templates are in Salesforce, but currently
On Wednesday, May 3, 2017 at 1:21:29 PM UTC-7, Nick Lamb wrote:
> If you believe there are, or are likely to be, CAs trying to fill out the
> survey a bit late, it may make sense to wait for that before triggering this
> change, so as to avoid the (it seems almost inevitable) response that they
All,
Gerv is leading the effort to clean up Mozilla's Root Store related wiki pages.
The contents of https://wiki.mozilla.org/CA:Overview have been moved to
https://wiki.mozilla.org/CA and cleaned up.
The previous contents of https://wiki.mozilla.org/CA have been moved to
All,
I think it is time for us to change the domains that we are using for the CCADB
as follows.
Change the links for...
1) CAs to login to the CCADB
from
https://mozillacacommunity.force.com/
to
https://ccadb.force.com/
2) all published reports
from
All,
As many of you know, Aaron Wu has been doing the Information Verification[1]
for root inclusion/update requests, has helped me organize the CA Program
Bugzilla Bugs[2], and continues to expand in his role in helping with Mozilla's
CA Certificates Module[3].
I have asked Aaron to begin
The Bugzilla Product/Components for CA Program bugs have been changed.
All of the CA Program bugs are now in the NSS Product group in Bugzilla.
The NSS Product group in Bugzilla now has the following Components:
Build
CA Certificate Mis-Issuance
CA Certificate Root Program
CA Certificates Code
All,
The responses to Mozilla's April 2017 CA Communication are being published here:
https://wiki.mozilla.org/CA:Communications#April_2017_Responses
Reminder:
I have postponed the response deadline to May 5, and I made a note of that here:
https://wiki.mozilla.org/CA:Communications#April_2017
All,
This is just for informational purposes...
I have filed Bug #1359112 to update the Bugzilla Product/Components for the CA
Program Bugs.
The bug asks:
~~
Current Product: NSS
Current Component Name: CA Certificates
change to
Product: NSS
Component Name: CA Certificate Code
Current
On Saturday, April 22, 2017 at 5:25:35 AM UTC-7, wangs...@gmail.com wrote:
> We have a question about completing the BR self assessment,
> is it necessary that all the BRs requirements appear in
> relevant sections of the CP/CPS?
It is OK if the information is in different sections in the
I added a note about the extension to May 5 to
https://wiki.mozilla.org/CA:Communications#April_2017
Cheers,
Kathleen
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
> might be able to capture freeform text (perhaps unattributed) as to why
Sure, below is a summary in my own words of why CAs are asking for an
extension. Note that the April 2017 survey has many more action items than
previous CA Communications, so I think it is reasonable that CAs might need
All,
I've been receiving requests from CAs for an extension to when they need to
respond to the April 2017 CA Communication.
https://wiki.mozilla.org/CA:Communications#April_2017
"To respond to this survey, login to the Common CA Database (CCADB), click on
the 'CA Communications (Page)' tab,
All,
The Common CA Database has been updated with the new CCADB logos.
This means that when you go to login to the CA Community, at
https://mozillacacommunity.force.com
you will see the full "Common CA Database" logo.
(before it just had the old "mozilla" logo).
And when you are logged into
On Tuesday, April 4, 2017 at 10:38:28 AM UTC-7, Kathleen Wilson wrote:
>
> The email has been sent, and the survey is open.
>
Published a security blog about it:
https://blog.mozilla.org/security/2017/04/04/mozilla-releases-version-2-4-ca-certificate-policy/
Cheers,
Kathleen
On Monday, April 3, 2017 at 2:21:14 PM UTC-7, Kathleen Wilson wrote:
> All,
>
> I'm getting ready to send the April 2017 CA Communication email.
>
> I updated the wiki page to have the survey introduction text, and a
> (read-only) link to the full survey:
>
On Monday, April 3, 2017 at 10:13:22 AM UTC-7, Kathleen Wilson wrote:
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
> still shows version 2.4.
It's been updated to version 2.4.1.
Thanks,
Kathleen
I updated https://wiki.mozilla.org/CA:BRs-Self-Assessment to add a section
called 'Annual BR Self Assessment', which states:
"CAs with included root certificates that have the Websites trust bit set must
do an annual self-assessment of their compliance with the BRs, and must update
their CP
On Saturday, April 1, 2017 at 3:59:28 AM UTC-7, Gervase Markham wrote:
> On 31/03/17 22:20, Kathleen Wilson wrote:
> > Please let me know asap if you see any problems, typos, etc. in this
> > version.
>
> Now that policy 2.4.1 has been published, we should update Action 3 to
> say the following
I have moved the draft of the April 2017 CA Communication to production, so the
link has changed to:
https://mozillacaprogram.secure.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a05o03WrzBC
It is also available here:
On Thursday, March 30, 2017 at 10:35:37 AM UTC-7, Kathleen Wilson wrote:
> Within the next few days, we plan to start sending automated email reminders
> to CAs about their intermediate cert records in the Common CA Database that
> are missing audit or CP/CPS information.
>
> The email template
All,
Within the next few days, we plan to start sending automated email reminders to
CAs about their intermediate cert records in the Common CA Database that are
missing audit or CP/CPS information.
The email template is here:
On Wednesday, March 29, 2017 at 2:00:05 PM UTC-7, Jeremy Rowley wrote:
> ...
> An extension on this could be to have CAs annually file an updated mapping
> with their WebTrust audit. That way it's a reminder that the CA needs to
> notify Mozilla of changes in their process and keeps the CAs
All,
As mentioned in the GDCA discussion[1], I would like to add a step to Mozilla's
CA Inclusion/Update Request Process[2] in which the CA performs a
self-assessment about their compliance with the CA/Browser Forum's Baseline
Requirements.
A draft of this new step is here:
All,
This request is to include the "GDCA TrustAUTH R5 ROOT" certificate, turn on
the Websites trust bit, and enable EV treatment.
In order to help get this discussion moving again, I asked GDCA to provide a
side-by-side comparison of the latest version of the BRs with their CP/CPS
On Friday, March 24, 2017 at 3:11:17 AM UTC-7, Gervase Markham wrote:
> On 23/03/17 23:07, Kathleen Wilson wrote:
> > Second paragraph of Action 1 now says: ~~ Note that version 1.4.2 of
> > the BRs does not contain all 10 of these methods, but it does contain
> > section 3.2.2.4.11, "Other
On Tuesday, March 21, 2017 at 11:34:30 AM UTC-7, Gervase Markham wrote:
> On 21/03/17 10:16, Gervase Markham wrote:
> > On 17/03/17 11:30, Gervase Markham wrote:
> >> The URL for the draft of the next CA Communication is here:
> >>
On Tuesday, March 21, 2017 at 7:17:26 AM UTC-7, Gervase Markham wrote:
> On 17/03/17 11:30, Gervase Markham wrote:
> > The URL for the draft of the next CA Communication is here:
> >
On Tuesday, March 21, 2017 at 5:51:29 AM UTC-7, Kurt Roeckx wrote:
> On 2017-03-21 12:51, Jakob Bohm wrote:
> > On 21/03/2017 10:09, Kurt Roeckx wrote:
> >> Action 6 says:
I've updated action #6, but it still might not be clear.
Here's the new draft:
ACTION 6: QUALIFIED AUDIT STATEMENTS
When
Here's a summary of the audit reminder email that was sent today.
Note that the email now tells CAs to provide their annual updates via the
Common CA Database, as follows.
"Please provide your annual updates via the Common CA Database (CCADB), as
described here:
On Monday, March 20, 2017 at 2:43:22 PM UTC-7, Gervase Markham wrote:
> On 20/03/17 15:33, Kathleen Wilson wrote:
> >> * Action 7: some of the BR Compliance bugs relate to CAs which are no
> >> longer trusted, like StartCom. If StartCom does become a trusted CA
> >> again, it will be with new
On Monday, March 20, 2017 at 1:37:32 PM UTC-7, Jeremy Rowley wrote:
> Something like: "Does your CA have any third-party Registration Authority
> (RA)s program that the CA relies on to perform the domain validation
> required under Section 3.2.2.4 of the Baseline Requirements."
Updated
On Monday, March 20, 2017 at 10:59:41 AM UTC-7, Peter Bowen wrote:
> On Mon, Mar 20, 2017 at 10:43 AM, Jeremy Rowley via
> > [JR] This should be limited to SSL certs IMO. With client certs, you're
> > going
> > to get a lot more RAs that likely function under the standard or legal
> > framework
On Friday, March 17, 2017 at 9:17:07 AM UTC-7, Peter Bowen wrote:
> I would replace this with:
>
> + Distinguished name and SHA-256 hash of the SubjectPublicKeyInfo of
> each certificate issuer covered by the audit scope
> + Clear indication of which in-scope certificate issuers are Root CAs
>
On Wednesday, March 15, 2017 at 9:56:25 AM UTC-7, Kathleen Wilson wrote:
> Thanks to those of you who have reviewed and commented on this request from
> the Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM), to include
> the "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" root
All,
My apologies for taking so long to get back to this discussion about the
Government of Taiwan's (GRCA's) request to include their Government Root
Certification Authority root certificate, and turn on the Websites and Email
trust bits.
Note that GRCA has suggested that this root be
Thanks to those of you who have reviewed and commented on this request from the
Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM), to include the
"TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" root certificate, and enable
the Websites trust bit.
I believe that all of the questions
Thank you to those of you who have reviewed this request, and to those of you
who have participated in this discussion.
I am now closing this discussion, and I will update the bug to recommend
approval of this request from D-TRUST to include the D-TRUST Root CA 3 2013
root certificate and
Thank you Andrew and Ryan for your feedback on this request to include the
"TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" root certificate, and enable
the Websites trust bit.
Note that the new SHA-256 root certificate will replace the SHA1 “TÜBİTAK UEKAE
Kök Sertifika Hizmet Sağlayıcısı -
On Wednesday, December 21, 2016 at 11:03:18 AM UTC-8, Kathleen Wilson wrote:
> This request from D-TRUST is to include the ‘D-TRUST Root CA 3 2013’ root
> certificate and enable the Email trust bit.
>
> D-TRUST GmbH is a subsidiary of Bundesdruckerei GmbH and is fully owned by
> the German
Forwarded Message
Subject: Summary of February 2017 Audit Reminder Emails
Date: Tue, 21 Feb 2017 20:00:51 + (GMT)
Mozilla: Audit Reminder
Root Certificates:
ISRG Root X1
Standard Audit: https://cert.webtrust.org/SealFile?seal=1987=pdf
Audit Statement Date: 2015-12-15
BR