AW: CA Communication: Underscores in dNSNames

2018-12-27 Thread Buschart, Rufus via dev-security-policy
> On Tue, Dec 18, 2018 at 8:19 AM Jakob Bohm via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > On 10/12/2018 18:09, Ryan Sleevi wrote: > > > On Mon, Dec 10, 2018 at 6:16 AM Buschart, Rufus via > > > dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > >

Re: CA Communication: Underscores in dNSNames

2018-12-18 Thread Wayne Thayer via dev-security-policy
On Tue, Dec 18, 2018 at 3:47 PM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > Removing the "underscore mandatory" and "specific name X_Y mandatory" > rules > from deployed systems without introducing security holes takes more than > the > 1 month they have

Re: CA Communication: Underscores in dNSNames

2018-12-18 Thread Jakob Bohm via dev-security-policy
On 18/12/2018 18:15, Ryan Sleevi wrote: > On Tue, Dec 18, 2018 at 8:19 AM Jakob Bohm via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> On 10/12/2018 18:09, Ryan Sleevi wrote: >>> On Mon, Dec 10, 2018 at 6:16 AM Buschart, Rufus via dev-security-policy < >>> dev-security

Re: CA Communication: Underscores in dNSNames

2018-12-18 Thread Ryan Sleevi via dev-security-policy
On Tue, Dec 18, 2018 at 8:19 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 10/12/2018 18:09, Ryan Sleevi wrote: > > On Mon, Dec 10, 2018 at 6:16 AM Buschart, Rufus via dev-security-policy < > > dev-security-policy@lists.mozilla.org> wrote: > > > >> Hell

Re: CA Communication: Underscores in dNSNames

2018-12-18 Thread Jakob Bohm via dev-security-policy
On 10/12/2018 18:09, Ryan Sleevi wrote: > On Mon, Dec 10, 2018 at 6:16 AM Buschart, Rufus via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> Hello! >> >> It would be helpful, if the CA/B or Mozilla could publish a document on >> its web pages to which we can redirect ou

Re: CA Communication: Underscores in dNSNames

2018-12-13 Thread Wayne Thayer via dev-security-policy
On Sat, Dec 8, 2018 at 12:50 PM pilgrim2223--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > thanks for the suggestions. > > We are exploring the OCSP and CRL checks. It has potential. > > Have you determined if these applications perform revocations checks, or if those

Re: CA Communication: Underscores in dNSNames

2018-12-10 Thread Ryan Sleevi via dev-security-policy
On Mon, Dec 10, 2018 at 6:16 AM Buschart, Rufus via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Hello! > > It would be helpful, if the CA/B or Mozilla could publish a document on > its web pages to which we can redirect our customers, if they have > technical questions ab

AW: CA Communication: Underscores in dNSNames

2018-12-10 Thread Buschart, Rufus via dev-security-policy
trag von rahat3858--- via dev-security-policy > Sent: Monday, 10 December 2018 01:45 > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: CA Communication: Underscores in dNSNames > > On Monday, November 12, 2018 at 3:19:17 PM UTC-8, Wayne Thayer wrote: > >

Re: CA Communication: Underscores in dNSNames

2018-12-09 Thread rahat3858--- via dev-security-policy
On Monday, November 12, 2018 at 3:19:17 PM UTC-8, Wayne Thayer wrote: > As you may be aware, the CA/Browser Forum recently passed ballot SC12 [1] > creating a sunset period for TLS certificates containing an underscore > ("_") character in the SAN. This practice was widespread until a year ago > wh

Re: CA Communication: Underscores in dNSNames

2018-12-08 Thread pilgrim2223--- via dev-security-policy
Thanks for the suggestions. We are exploring the OCSP and CRL checks. It has potential. As to getting certs from a different root, that wouldn't help us. We have no technical reason to keep underscored certs and are happy to get rid of them; it is simply the effort required and the timeline gi

Re: CA Communication: Underscores in dNSNames

2018-12-08 Thread Alex Cohn via dev-security-policy
On Sat, Dec 8, 2018 at 5:01 AM Richard Moore via dev-security-policy wrote: > > > the scope of the main project if ~120 certs across a similar number of > > vendors. One of the home grown applications also hardcode the name of the > > certificate into the application and will require not only ce

Re: CA Communication: Underscores in dNSNames

2018-12-08 Thread Richard Moore via dev-security-policy
> the scope of the main project is ~120 certs across a similar number of > vendors. One of the home-grown applications also hardcodes the name of the > certificate into the application and will require not only certificate update > in coordination with the vendors but code changes on 120 certs in

Re: CA Communication: Underscores in dNSNames

2018-12-07 Thread Matt Palmer via dev-security-policy
On Fri, Dec 07, 2018 at 08:13:24AM -0800, pilgrim2223--- via dev-security-policy wrote: > As a retail organization we are in a moratorium till 1/2/2019; this happens > every year. So nothing is being done that may jeopardize selling of > widgets! Choosing to not do something is, itself, doing som

Re: CA Communication: Underscores in dNSNames

2018-12-07 Thread pilgrim2223--- via dev-security-policy
r 7, 2018 8:26:42 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: CA Communication: Underscores in dNSNames > > Thank you very much for your response! > > So at the end of the day I will not get any relief from the browsers, and > will need to get an exception from my C

Re: CA Communication: Underscores in dNSNames

2018-12-07 Thread Ryan Sleevi via dev-security-policy
On Fri, Dec 7, 2018 at 4:35 PM Jeremy Rowley wrote: > I only ask because telling people to go back to the CA and work something > out isn’t a great answer when the retort is that the CA will be distrusted > if they don’t. Either the customer doesn’t replace all their certs and they > are made non

RE: CA Communication: Underscores in dNSNames

2018-12-07 Thread Jeremy Rowley via dev-security-policy
Communication: Underscores in dNSNames On Fri, Dec 7, 2018 at 2:00 PM Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: This isn't a CA-issue because the risk associated with non-compliance isn't defined yet. https://www.mozilla

RE: CA Communication: Underscores in dNSNames

2018-12-07 Thread Jeremy Rowley via dev-security-policy
That’s not well defined as there are various grades below that. Is the plan to remove any CA that doesn’t comply with this requirement? From: Ryan Sleevi Sent: Friday, December 7, 2018 2:26 PM To: Jeremy Rowley Cc: mozilla-dev-security-policy Subject: Re: CA Communication: Underscores in

Re: CA Communication: Underscores in dNSNames

2018-12-07 Thread Ryan Sleevi via dev-security-policy
On Fri, Dec 7, 2018 at 2:00 PM Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > This isn't a CA-issue because the risk associated with non-compliance isn't > defined yet. https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/

RE: CA Communication: Underscores in dNSNames

2018-12-07 Thread Jeremy Rowley via dev-security-policy
: Friday, December 7, 2018 8:39 AM To: mozilla-dev-security-pol...@lists.mozilla.org; pilgrim2...@gmail.com Subject: Re: CA Communication: Underscores in dNSNames Personally, I think you should continue the discussion here. Although you can bring it up to whichever CA you use, the reality is that

Re: CA Communication: Underscores in dNSNames

2018-12-07 Thread Jeremy Rowley via dev-security-policy
: Friday, December 7, 2018 8:26:42 AM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: CA Communication: Underscores in dNSNames Thank you very much for your response! So at the end of the day I will not get any relief from the browsers, and will need to get an exception from my CA

Re: CA Communication: Underscores in dNSNames

2018-12-07 Thread pilgrim2223--- via dev-security-policy
Thank you very much for your response! So at the end of the day I will not get any relief from the browsers, and will need to get an exception from my CA? When I asked the CA they told me to take it here. Feels like the CA is where I'm going to have to focus! Thanks again for your time!

Re: CA Communication: Underscores in dNSNames

2018-12-06 Thread Wayne Thayer via dev-security-policy
On Thu, Dec 6, 2018 at 10:36 PM pilgrim2223--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I need some clarification on something here > > 1) Why are legacy certs not being allowed to expire, and instead we are > being forced to replace in a very short window? We stop

Re: CA Communication: Underscores in dNSNames

2018-12-06 Thread pilgrim2223--- via dev-security-policy
I need some clarification on something here: 1) Why are legacy certs not being allowed to expire, and instead we are being forced to replace in a very short window? We stopped issuing certs with underscores as soon as our CA told us to (probably mid-September), but that still puts me at having hu

Re: CA Communication: Underscores in dNSNames

2018-11-15 Thread Rob Stradling via dev-security-policy
Wayne, many thanks for drawing the attention of the CAs to this matter. Sectigo (formerly Comodo CA) stopped issuing certificates with underscores in dNSNames soon after CABForum ballot 202 failed. A search of our CA database this week found 251 certificates that are in scope for the BRs, expi

Re: CA Communication: Underscores in dNSNames

2018-11-14 Thread Wayne Thayer via dev-security-policy
half of Bruce via dev-security-policy < > dev-security-policy@lists.mozilla.org> > Sent: Wednesday, November 14, 2018 5:37:20 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: CA Communication: Underscores in dNSNames > > Hi Wayne, I wanted to get some cla

Re: CA Communication: Underscores in dNSNames

2018-11-14 Thread Tim Shirley via dev-security-policy
be revoked. From: dev-security-policy on behalf of Bruce via dev-security-policy Sent: Wednesday, November 14, 2018 5:37:20 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: CA Communication: Underscores in dNSNames Hi Wayne, I wanted to get some clarification. For example, let

Re: CA Communication: Underscores in dNSNames

2018-11-14 Thread Bruce via dev-security-policy
Hi Wayne, I wanted to get some clarification. For example, let's say that a Subscriber has a 1 year certificate which expires on 30 January 2019. On 15 January 2019, the remaining validity period is less than 30 days; as such, I interpret that the certificate does not have to be revoked. On th

Re: CA Communication: Underscores in dNSNames

2018-11-14 Thread Wayne Thayer via dev-security-policy
On Wed, Nov 14, 2018 at 9:47 AM Vincent Lynch wrote: > Was looking for some quick clarification on interpretation of this bit: > > *"All certificates containing an underscore character in any dNSName entry > and having a validity period of more than 30 days MUST be revoked prior to > January 15,

Re: CA Communication: Underscores in dNSNames

2018-11-14 Thread Vincent Lynch via dev-security-policy
Was looking for some quick clarification on interpretation of this bit: *"All certificates containing an underscore character in any dNSName entry and having a validity period of more than 30 days MUST be revoked prior to January 15, 2019."* This language refers to the TOTAL validity period of th

Re: CA Communication: Underscores in dNSNames

2018-11-13 Thread Wayne Thayer via dev-security-policy
It was pointed out that the email I sent to CAs stated that the effective date of the ballot (once it completed the IPR review period) will be December 10, **2019**. The year is obviously wrong and contradicts the rest of the message. The correct effective date is December 10, **2018**. All of the

Re: CA Communication: Underscores in dNSNames

2018-11-13 Thread Wayne Thayer via dev-security-policy
On Mon, Nov 12, 2018 at 6:18 PM Man Ho via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > When the ballot said "... would result in a valid domain label", does it > mean that "... would result in a valid domain name of the applicant, > that has passed the same level of domai

Re: CA Communication: Underscores in dNSNames

2018-11-12 Thread Man Ho via dev-security-policy
When the ballot said "... would result in a valid domain label", does it mean that "... would result in a valid domain name of the applicant, that has passed the same level of domain authorization (DV, OV, EV) check? Secondly, is it necessary for CAs to state their practice of handling undersco

CA Communication: Underscores in dNSNames

2018-11-12 Thread Wayne Thayer via dev-security-policy
As you may be aware, the CA/Browser Forum recently passed ballot SC12 [1] creating a sunset period for TLS certificates containing an underscore ("_") character in the SAN. This practice was widespread until a year ago when it was pointed out that underscore characters are not permitted in dNSName