RE: CA generated keys

2017-12-11 Thread Steve Medin via dev-security-policy
Loosen the interpretation of escrow from a box surrounded by KRAs, KROs, and access controls with a rolling LTSK and escrow could describe what many white glove and CDN tier hosting operations do. The CDN has written consent, but the end customer never touches the TLS cert. > -Original

RE: [EXT] Re: DigiCert-Symantec Announcement

2017-09-01 Thread Steve Medin via dev-security-policy
We are not making any changes at this time. > -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > Adrian R. via dev-security-policy > Sent: Friday, September 01, 2017 4:09 AM > To:

Re: Symantec Update on SubCA Proposal

2017-08-11 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > Devon O'Brien via dev-security-policy > Sent: Wednesday, August 09, 2017 12:24 PM > To: mozilla-dev-security-pol...@lists.mozilla.org >

RE: [EXT] Symantec Update on SubCA Proposal

2017-07-20 Thread Steve Medin via dev-security-policy
) It is our longstanding policy not to comment on rumors or market speculation. From: Alex Gaynor [mailto:agay...@mozilla.com] Sent: Wednesday, July 19, 2017 10:25 AM To: Steve Medin <steve_me...@symantec.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: [EXT] Symantec

RE: [EXT] Symantec Update on SubCA Proposal

2017-07-20 Thread Steve Medin via dev-security-policy
...@konklone.com] Sent: Wednesday, July 19, 2017 3:43 PM To: Steve Medin <steve_me...@symantec.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: [EXT] Symantec Update on SubCA Proposal On Wed, Jul 19, 2017 at 11:31 AM, Steve Medin via dev-security-policy <dev-securi

RE: [EXT] Symantec Update on SubCA Proposal

2017-07-20 Thread Steve Medin via dev-security-policy
illa.org > Subject: Re: [EXT] Symantec Update on SubCA Proposal > > On 7/19/2017 8:31 AM, Steve Medin wrote: > >> -Original Message- > >> From: dev-security-policy [mailto:dev-security-policy- > >> bounces+steve_medin=symantec@lists.mozilla.org] On Behal

RE: [EXT] Symantec Update on SubCA Proposal

2017-07-20 Thread Steve Medin via dev-security-policy
.org > Subject: Re: [EXT] Symantec Update on SubCA Proposal > > On 19/07/2017 17:31, Steve Medin wrote: > >> -Original Message- > >> From: dev-security-policy [mailto:dev-security-policy- > >> bounces+steve_medin=symantec@lists.mozilla.org] On Behal

RE: [EXT] Symantec Update on SubCA Proposal

2017-07-19 Thread Steve Medin via dev-security-policy
ternative date proposed > below: > > On 18/07/2017 21:37, Steve Medin wrote: > > Correction: Summary item #3 should read: > > > > 3. May 1, 2018 > > a. Single date of distrust of certificates issued prior to 6/1/2016. > (changed from August 31,2017 for certific

RE: [EXT] Symantec Update on SubCA Proposal

2017-07-18 Thread Steve Medin via dev-security-policy
age- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > Steve Medin via dev-security-policy > Sent: Tuesday, July 18, 2017 2:23 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: [EXT] Sym

Symantec Update on SubCA Proposal

2017-07-18 Thread Steve Medin via dev-security-policy
*Progress Update on SubCA RFP, Partner Selection, and Execution* Since June 1, Symantec has worked in earnest to operationalize the SubCA proposal outlined by Google and Mozilla and discussed in community forums. The core of this proposal is to transfer the authentication and issuance of

RE: [EXT] Mozilla requirements of Symantec

2017-06-12 Thread Steve Medin via dev-security-policy
> -Original Message- > From: Gervase Markham [mailto:g...@mozilla.org] > Sent: Wednesday, June 07, 2017 2:51 PM > To: Steve Medin <steve_me...@symantec.com>; mozilla-dev-security- > pol...@lists.mozilla.org > Cc: Kathleen Wilson <kwil...@mozilla.com> > Su

RE: [EXT] Symantec response to Google proposal

2017-06-02 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > Gervase Markham via dev-security-policy > Sent: Friday, June 02, 2017 10:54 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject:

RE: [EXT] Google Plan for Symantec posted

2017-05-19 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > Gervase Markham via dev-security-policy > Sent: Friday, May 19, 2017 11:42 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject:

RE: [EXT] Re: Draft further questions for Symantec

2017-05-15 Thread Steve Medin via dev-security-policy
Body__s > > gives me a 404 error. > > > On Monday, May 15, 2017 at 11:09:41 AM UTC-4, Steve Medin wrote: > > Gerv, > > > > Our response to the recent questions is posted at: > > https://bugzilla.mozilla.org/attachment.cgi?id=8867735 > > > > K

RE: [EXT] Symantec: Draft Proposal

2017-05-15 Thread Steve Medin via dev-security-policy
://helpx.adobe.com/acrobat/kb/approved-trust-list2/_jcr_content/main-pars/download-section/download-1/file.res/aatl_technical_requirements_v14.pdf From: Alex Gaynor [mailto:agay...@mozilla.com] Sent: Friday, May 05, 2017 10:18 AM To: Steve Medin <steve_me...@symantec.com> Cc: Gervase Markham <g...@mo

RE: [EXT] Re: Symantec Conclusions and Next Steps

2017-05-15 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of Ryan > Sleevi via dev-security-policy > Sent: Tuesday, April 25, 2017 6:50 PM > To: Ryan Sleevi > Cc:

RE: [EXT] Re: Draft further questions for Symantec

2017-05-15 Thread Steve Medin via dev-security-policy
Gerv, Our response to the recent questions is posted at: https://bugzilla.mozilla.org/attachment.cgi?id=8867735 Kind regards, Steve > -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of

RE: [EXT] Symantec: Draft Proposal

2017-05-04 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > Gervase Markham via dev-security-policy > Sent: Monday, May 01, 2017 10:16 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject:

RE: [EXT] Re: Symantec: Draft Proposal

2017-05-02 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > wizard--- via dev-security-policy > Sent: Tuesday, May 02, 2017 7:10 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: [EXT]

RE: [EXT] Symantec: Draft Proposal

2017-05-02 Thread Steve Medin via dev-security-policy
Gerv- Thank you for the thoughtful analysis. We are reviewing and intend to respond to your latest proposal shortly. > -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > Gervase Markham via

RE: Symantec Conclusions and Next Steps

2017-04-26 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > Gervase Markham via dev-security-policy > Sent: Friday, April 21, 2017 6:17 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject:

RE: [EXT] Re: Questions for Symantec

2017-04-20 Thread Steve Medin via dev-security-policy
> -Original Message- > From: Gervase Markham [mailto:g...@mozilla.org] > Sent: Tuesday, April 11, 2017 6:42 AM > To: Steve Medin <steve_me...@symantec.com>; Rick Andrews > <rick_andr...@symantec.com>; mozilla-dev-security- > pol...@lists.mozilla.org

RE: [EXT] Re: Questions for Symantec

2017-04-20 Thread Steve Medin via dev-security-policy
illa.org > Subject: [EXT] Re: Questions for Symantec > > On 03/04/17 13:11, Gervase Markham wrote: > > Hi Steve and Rick, > > Q8) The accountant's letters for the 2015-2016 audits are dated February 28th > 2017. The audits were supplied to Mozilla, and published, on the 1s

RE: [EXT] Re: Questions for Symantec

2017-04-20 Thread Steve Medin via dev-security-policy
> -Original Message- > From: Gervase Markham [mailto:g...@mozilla.org] > Sent: Thursday, April 13, 2017 9:13 AM > To: Steve Medin <steve_me...@symantec.com>; Rick Andrews > <rick_andr...@symantec.com>; mozilla-dev-security- > pol...@lists.mozilla.org

RE: [EXT] Re: Questions for Symantec

2017-04-20 Thread Steve Medin via dev-security-policy
. > -Original Message- > From: Gervase Markham [mailto:g...@mozilla.org] > Sent: Thursday, April 13, 2017 9:13 AM > To: Steve Medin <steve_me...@symantec.com>; Rick Andrews > <rick_andr...@symantec.com>; mozilla-dev-security- > pol...@lists.mozilla.org > Subject:

Symantec Response X

2017-04-10 Thread Steve Medin via dev-security-policy
Issue X: Incomplete RA Program Remediation (February - March 2017) The only Symantec RAs capable of authorizing and issuing publicly trusted SSL/TLS certificates are: CrossCert, Certisign, Certsuperior and Certisur. Symantec continues to maintain a partner program for non-TLS certificates.

Symantec Response T

2017-04-10 Thread Steve Medin via dev-security-policy
Issue T: RA Program Misissuances (January 2010 - January 2017) Program Background: Symantec has operated an RA program designed to deliver a superior customer experience in global markets where language skills, understanding of local business requirements, and physical local presence are

Symantec Response V

2017-04-10 Thread Steve Medin via dev-security-policy
rocess to terminate the agreements with both partners. One partner has ceased issuance of new certificates and the other will stop as of September 30, 2016. In both cases, Symantec will permit continued use of the subordinate CAs solely for the purpose of signing CRLs through November 30, 201

Symantec Response R

2017-04-10 Thread Steve Medin via dev-security-policy
Issue R: Insecure Issuance API (2013 or earlier - November 2016) In April 2015, security consultant Chris Byrne responsibly disclosed two potential vulnerabilities related to our Quick Invite feature, which enables a reseller to invite pre-selected customers to enroll for certificates, via

Symantec Response P

2017-04-10 Thread Steve Medin via dev-security-policy
Issue P: UniCredit Sub CA Failing To Follow BRs (April - October 2016) We are committed to keeping our customers, partners and ecosystem informed and taking action when necessary. We recognize that there are issues we are accountable for, such as our March 2016 CA Communication response

Symantec Response Q

2017-04-10 Thread Steve Medin via dev-security-policy
Issue Q: Symantec Audit Issues 2016 (December 2015 - November 2016) In our 2014-2015 audits, certain issues were identified that we promptly took action on, including addressing the test certificate incident. We continued these efforts until the Point in Time audit was conducted. We split the

Symantec Response L

2017-04-10 Thread Steve Medin via dev-security-policy
Issue L: Cross-Signing the US Federal Bridge (February 2011 - July 2016) Symantec, as well as VeriSign, has participated in the FPKI since 2006, and we take our responsibility as a participant of this program very seriously. When Symantec began participating in FPKI, FPKI rules required two-way

Symantec Response N

2017-04-10 Thread Steve Medin via dev-security-policy
Issue N: Premature Manual Signing Using SHA-1 (July 2016) This matter represents the first time any CA attempted to follow the exception process which was developed over the course of weeks, beginning at the Bilbao CABF face-to-face meeting in May 2016, and with the input of our partners.

Symantec Response E

2017-04-10 Thread Steve Medin via dev-security-policy
Issue E: Domain Validation Vulnerability (October 2015) With respect to Issue E, Symantec has no additional comments regarding the perspective outlined in the summary. Please see

Symantec Response H

2017-04-10 Thread Steve Medin via dev-security-policy
Issue H: SHA-1 Issuance After Deadline (January 2016) With respect to Issue H, Symantec has no additional comments regarding the perspective outlined in the summary. Please see https://cabforum.org/pipermail/public/2016-January/006519.html for further detail on Symantec's previous commentary

Symantec Response B

2017-04-10 Thread Steve Medin via dev-security-policy
Issue B: 1024-bit Certificate Issued Directly From Root (Dec 2013 - Jan 2014) The customer in question informed us of an issue in December 2013 that threatened to seriously disrupt their primary business, and they sought our assistance. The customer's non-browser implementation required a

RE: [FORGED] Criticism of Mozilla Re: Google Trust Services roots

2017-03-10 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of Peter > Gutmann via dev-security-policy > Sent: Friday, March 10, 2017 4:15 AM > To: Gervase Markham ; Peter Kurrasch >

RE: Symantec: Next Steps

2017-03-09 Thread Steve Medin via dev-security-policy
In the case of CrossCert, where we have evidence of failure to properly document their work, we are NOT relying on their previous work and have begun fully revalidating all active certificates. In the cases of the other 3 RAs, our focus is reviewing all of the work previously done to verify

RE: Misissued/Suspicious Symantec Certificates

2017-03-03 Thread Steve Medin via dev-security-policy
[mailto:r...@sleevi.com] Sent: Wednesday, February 22, 2017 11:33 PM To: Steve Medin <steve_me...@symantec.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org; r...@sleevi.com; Gervase Markham <g...@mozilla.org> Subject: Re: Misissued/Suspicious Symantec Certificates Hi Steve, Tha

RE: Misissued/Suspicious Symantec Certificates

2017-02-17 Thread Steve Medin via dev-security-policy
Cc: Gervase Markham <g...@mozilla.org>; mozilla-dev-security-pol...@lists.mozilla.org; Steve Medin <steve_me...@symantec.com> Subject: Re: Misissued/Suspicious Symantec Certificates Hi Steve, Two more questions to add to the list which is already pending: In [1], in response to qu

RE: Intermediates Supporting Many EE Certs

2017-02-14 Thread Steve Medin via dev-security-policy
.org > Subject: Re: Intermediates Supporting Many EE Certs > > On Tuesday, 14 February 2017 13:47:51 UTC, Steve Medin wrote: > > - PKCS#7 chains are indeed not a requirement, but see point 1. It’s > probably no coincidence that IIS supports it given awareness of the dema

RE: Intermediates Supporting Many EE Certs

2017-02-14 Thread Steve Medin via dev-security-policy
. You’re dug in. From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Monday, February 13, 2017 6:45 PM To: Steve Medin <steve_me...@symantec.com> Cc: r...@sleevi.com; Patrick Figel <patrick@figel.email>; mozilla-dev-security-pol...@lists.mozilla.org; Gervase Markham <g...@mozilla.o

RE: Intermediates Supporting Many EE Certs

2017-02-14 Thread Steve Medin via dev-security-policy
.org > Subject: Re: Intermediates Supporting Many EE Certs > > On Monday, 13 February 2017 22:40:45 UTC, Steve Medin wrote: > > With de facto use of AIA, there is no issuer installation on the server that > could be improper. Proper is defined at the moment, either by cache

RE: Intermediates Supporting Many EE Certs

2017-02-13 Thread Steve Medin via dev-security-policy
rmediates Supporting Many EE Certs > > On 13/02/2017 18:25, Ryan Sleevi via dev-security-policy wrote: > > On Mon, Feb 13, 2017 at 8:17 AM, Steve Medin via dev-security-policy < > > dev-security-policy@lists.mozilla.org> wrote: > > > >> Getting all user

RE: Intermediates Supporting Many EE Certs

2017-02-13 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > Gervase Markham via dev-security-policy > Sent: Monday, February 13, 2017 7:23 AM > To: mozilla-dev-security-pol...@lists.mozilla.org >

RE: Misissued/Suspicious Symantec Certificates

2017-02-12 Thread Steve Medin via dev-security-policy
A response is now available in Bugzilla 1334377 and directly at: https://bugzilla.mozilla.org/attachment.cgi?id=8836487 > -Original Message- > From: Gervase Markham [mailto:g...@mozilla.org] > Sent: Thursday, February 09, 2017 4:56 AM > To: Steve Medin <steve_me...@symante

RE: Misissued/Suspicious Symantec Certificates

2017-01-30 Thread Steve Medin
our response. Kind regards, Steven Medin PKI Policy Manager, Symantec Corporation From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Monday, January 30, 2017 12:36 PM To: Ryan Sleevi <r...@sleevi.com> Cc: Steve Medin <steve_me...@symantec.com>; Andrew Ayer <a...@andrewayer.nam

RE: Misissued/Suspicious Symantec Certificates

2017-01-28 Thread Steve Medin
Symantec's auditors, KPMG, completed a scan of CrossCert certificates to detect potential mis-issuance. On Thursday, January 26, 2017 at 4:08pm PST, KPMG provided a report that listed 12 problem certificates that were not in Andrew Ayer's report. We began an investigation into that certificate

RE: Misissued/Suspicious Symantec Certificates

2017-01-26 Thread Steve Medin
On Behalf Of Steve > Medin > Sent: Saturday, January 21, 2017 9:35 AM > To: Andrew Ayer <a...@andrewayer.name>; mozilla-dev-security- > pol...@lists.mozilla.org > Subject: RE: Misissued/Suspicious Symantec Certificates > > The listed Symantec certificates were issued by one of

RE: Misissued/Suspicious Symantec Certificates

2017-01-21 Thread Steve Medin
The listed Symantec certificates were issued by one of our WebTrust audited partners. We have reduced this partner's privileges to restrict further issuance while we review this matter. We revoked all reported certificates which were still valid that had not previously been revoked within the 24

RE: Compliance with 7.1.4.2.1 (internal names revocation)

2017-01-20 Thread Steve Medin
Symantec has an additional disclosure regarding internal name certificates valid after October 1. First, we disclose 3 certificates that remained valid after October 1 but expired prior to our previous report. Second, we disclose 3 certificates that were revoked as a result of our analysis but not

RE: Misissued/Suspicious Symantec Certificates

2017-01-19 Thread Steve Medin
Andrew, thank you for your efforts to report this issue. We are investigating and will report our resolution, cause analysis, and corrective actions once complete. Kind regards, Steven Medin PKI Policy Manager, Symantec Corporation > -Original Message- > From: dev-security-policy

RE: Compromised certificate that the owner didn't wish to revoke (signed by GeoTrust)

2016-09-07 Thread Steve Medin
-policy-bounces+steve_medin=symantec.com@lists.mozilla.org] On Behalf Of Steve Medin Sent: Tuesday, September 06, 2016 7:27 PM To: Jeremy Rowley <jeremy.row...@digicert.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org; Gervase Markham <g...@mozilla.org>; Kyle Hamilton <aerow...@gma

RE: Compromised certificate that the owner didn't wish to revoke (signed by GeoTrust)

2016-09-06 Thread Steve Medin
We have become aware of this certificate and its key compromise, thank you for this information. We are contacting the owner to understand impact to the deployed devices, but with clear intent to revoke. We will provide updates while we make progress. Kind regards, Steven Medin PKI Policy

Re: Comodo Legal Phishing attack against ISRG?

2016-06-26 Thread Steve
According to Josh, Comodo have filed for abandonment of their three related applications: https://letsencrypt.org/2016/06/23/defending-our-brand.html On Sun, Jun 26, 2016 at 2:15 PM wrote: > Hello, > > The following screenshot is from Comodo's forums. Either their

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-22 Thread Steve
CAs are running OCSP responders up to the root tier. Once a CA is terminated in a standards-compliant and densely interoperable way from participating in a trusted discovery path to an embedded root, it should no longer be in the scope of business of root trust store owners. On Wed, Jun 22,

Re: SHA-1 S/MIME certificates

2016-04-01 Thread Steve
Using the same language I would, because browser is too narrow a definition of the public trust network, root store policy is a term that some would call browser policy. The reference is to any organization that explicitly trusts a collection of roots and sets policies to retain that trust. It

Re: Proposed limited exception to SHA-1 issuance

2016-02-24 Thread Steve
ash that changed hands in a business day, I can state that no financial services company of this scale will expose their network to an untested certificate chain. Four days are not enough time to test alternate chains or certificate designs. Kind regards, St

Re: Proposed limited exception to SHA-1 issuance

2016-02-24 Thread Steve
and oversights that come from haste and could lead to PII exposure. I suggest we shift from prevention to duration, the lifespan of the SHA-1 certificates to be deployed in this case. Kind regards, Steve On Wed, Feb 24, 2016 at 6:24 AM Rob Stradling <rob.stradl...@comodo.com> wrote: > On 24

Re: Proposed limited exception to SHA-1 issuance

2016-02-23 Thread Steve
quotes in front of the customer. Here's the cost to create and manage your own dedicated multitier PKI. Here's the cost to leverage our existing infra. Many customers chose to live within the existing public trust PKI as a simple financial situation. Kind regards, Steve On Tue, Feb 23, 2016, 6:42 PM

Re: [E] New requirement: certlint testing

2016-02-16 Thread Steve
regards, Steve Medin On Tue, Feb 16, 2016 at 10:03 AM Jakob Bohm <jb-mozi...@wisemo.com> wrote: > A few clarifications: > > On 15/02/2016 16:06, Peter Bowen wrote: > > I actually agree with Steve, but for a slightly different reason. The > known attacks all required having

Re: New requirement: certlint testing

2016-02-14 Thread Steve
to prevent smothering us. Kind regards, Steve On Sun, Feb 14, 2016 at 1:48 PM Jakob Bohm <jb-mozi...@wisemo.com> wrote: > On 12/02/2016 12:03, Medin, Steven wrote: > > There's no requestor control of validityNotBefore for an offline CA > signing > > event, and certainly none

Re: More SHA-1 certs

2016-02-03 Thread Steve Schultze
Are CAs really not monitoring issuance of certs by their sub-CAs for simple violations like this? Does this not violate a Mozilla or CAB Forum policy? Should it? On Mon, Feb 1, 2016 at 1:41 PM, Jeremy Rowley wrote: > Same with DigiCert. This is a sub CA issued by

RE: Clarify that a ccTLD is not acceptable in permittedSubtrees

2015-11-12 Thread Steve Roylance
at all denotes implicit permission of all ccTLDs. Thanks. Steve From: dev-security-policy [mailto:dev-security-policy-bounces+steve.roylance=globalsign@lists.mozilla.org] On Behalf Of Adriano Santoni Sent: 12 November 2015 07:29 To: dev-security-policy@lists.mozilla.org

RE: Clarify that a ccTLD is not acceptable in permittedSubtrees

2015-11-12 Thread Steve Roylance
Clarify that a ccTLD is not acceptable in permittedSubtrees > > On 2015-11-11 19:46, Steve Roylance wrote: > > Hypothetically, a government organization wishing to issue S/MIME > > certificates to citizens on a range of ccTLD based domains could be > > technically constrain

RE: Clarify that a ccTLD is not acceptable in permittedSubtrees

2015-11-11 Thread Steve Roylance
rtificates MUST only include e-mail addresses or mailboxes that the issuing CA has confirmed (via technical and/or business controls) that the subordinate CA is authorized to use. Thanks for any advice... Steve > -Original Message- > From: dev-security-policy [mailto:dev-security-p

Re: Clarify that a ccTLD is not acceptable in permittedSubtrees

2015-11-11 Thread Steve Roylance
Hi Kathleen. Apologies, as I should have sent my previous request concerning hypothetical S/MIME ccTLD usage in response to this post. My main concern was not to cover S/MIME and SSL Server Certificates with a single rule. I hope that came across clearly. Thanks. Steve Sent from my

RE: CA Community in Salesforce

2015-11-09 Thread Steve Roylance
Hi Kathleen, GlobalSign would be happy to step forward as an early adopter. Steve > -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve.roylance=globalsign@lists.mozilla.org] On Behalf Of > Kathleen Wilson > Sent: 05 Nove

RE: Updating Mozilla's CA Certificate Policy

2015-09-04 Thread Steve Roylance
to the bug to qualify this. Apologies for the confusion. Steve > -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve.roylance=globalsign@lists.mozilla.org] On Behalf Of Brian > Smith > Sent: 24 August 2015 18:12 > To: Gervase Mar

RE: Certificate with space in CommonName found on deutschepost.de

2015-04-13 Thread Steve Roylance
capabilities does not make sense inside a TLS certificate. Steve -Original Message- From: dev-security-policy [mailto:dev-security-policy- bounces+steve.roylance=globalsign@lists.mozilla.org] On Behalf Of Erwann Abalea Sent: 12 April 2015 17:19 To: mozilla-dev-security-pol

RE: TurkTrust Root Renewal Request

2015-02-25 Thread Steve Roylance
Thanks Peter. Yes my bad.. https://cabforum.org/current-work/code-signing-working-group/ has the questions e-mail at the bottom of the page. Steve -Original Message- From: dev-security-policy [mailto:dev-security-policy- bounces+steve.roylance=globalsign@lists.mozilla.org

RE: TurkTrust Root Renewal Request

2015-02-18 Thread Steve Roylance
. The other reason is that Root Stores generally place a limit on the number of Roots which can be entered so CA's need to be able to maximize their usage, especially where we are today with ongoing transitions in cryptography standards and key sizes. I hope that helps. Steve -Original

Re: Updating Peers of Mozilla's CA Certificates and CA Certificate Policy modules

2015-02-05 Thread Steve Workman
+1 On Thu, Feb 5, 2015 at 12:58 PM, Kathleen Wilson kwil...@mozilla.com wrote: According to https://wiki.mozilla.org/Modules: A module is a discrete unit of code or activity. An owner is the person in charge of a module or sub-module. A peer is a person whom the owner has appointed to help

RE: GlobalSign Request to Include ECC Roots

2014-09-12 Thread Steve Roylance
. Wishing you all a nice weekend. Steve -Original Message- From: dev-security-policy [mailto:dev-security-policy- bounces+steve.roylance=globalsign@lists.mozilla.org] On Behalf Of Kathleen Wilson Sent: 09 September 2014 23:43 To: mozilla-dev-security-pol...@lists.mozilla.org Subject

RE: GlobalSign Request to Include ECC Roots

2014-09-08 Thread Steve Roylance
improve our public documents. Steve -Original Message- From: Steve Roylance [mailto:steve.royla...@globalsign.com] Sent: 22 August 2014 06:45 To: Kathleen Wilson Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: GlobalSign Request to Include ECC Roots Hi Kathleen. I'm

Re: Audits of CA conformance to the BRs

2014-09-03 Thread Steve Roylance
Kathleen, Would it make sense to poll auditors with this wording change? There are some on the CABForum mailing list (Wayne could verify) as I suspect it would be more beneficial for auditors themselves to see, agree and above all acknowledge the intent behind the stance you are taking?

Re: GlobalSign Request to Include ECC Roots

2014-08-21 Thread Steve Roylance
Hi Kathleen. I'm on vacation next week. The changes that make clarifications to our processes, particularly around domain verification and EV, have been submitted for approval. I hope to have a new version ready by the week of Sept 1st. Steve Sent from my iPhone On 21 Aug 2014, at 23

Re: CP/CPS only referencing BRs or EVG

2014-08-13 Thread Steve Roylance
Thanks for highlighting. We'll update and come back to the Mozilla team when approved by our policy authority members. I shall try to ensure we look at why we missed this instruction too. Steve Sent from my iPhone On 14 Aug 2014, at 00:57, Kathleen Wilson kwil...@mozilla.com wrote

RE: GlobalSign Request to Include ECC Roots

2014-08-12 Thread Steve Roylance
. Does that answer your concern? Note that I'm in our Singapore office today and flying back tomorrow so additional responses will be delayed until Friday UK time if I didn't address your concern. Kind Regards Steve -Original Message- From: dev-security-policy [mailto:dev-security-policy

RE: GlobalSign Request to Include ECC Roots

2014-07-31 Thread Steve Roylance
for taking the time to read our CPS in detail to be able to ask questions. We always appreciate feedback. Kind Regards Steve Roylance Head of Strategy Business Development -Original Message- From: dev-security-policy [mailto:dev-security-policy- bounces+steve.roylance=globalsign

Clarification of disclosure - Only those Issuing or all?

2014-05-22 Thread Steve Roylance
? Thanks for some clarification on this point so I can go back to the team Steve

RE: Seeking guidance on proceeding with KISA root inclusion request

2014-03-11 Thread Steve Roylance
inclusion etc so these need to be flowed down and monitored as per the amendments to the BR guidelines in ballot 105 last July. Steve -Original Message- From: dev-security-policy [mailto:dev-security-policy- bounces+steve.roylance=globalsign@lists.mozilla.org] On Behalf Of Eddy Nigg