Re: CAs not compliant with CAA CP/CPS requirement

2017-09-22 Thread Richard Moore via dev-security-policy
On 22 September 2017 at 17:22, Rob Stradling wrote: > On 22/09/17 17:07, Richard Moore via dev-security-policy wrote: > >> I see, the one I saw in the wild was issued from the intermediate below >> and >> linked to the Gandi document however it was from 2014. That said,

Re: CAs not compliant with CAA CP/CPS requirement

2017-09-22 Thread Rob Stradling via dev-security-policy
On 22/09/17 17:07, Richard Moore via dev-security-policy wrote: I see, the one I saw in the wild was issued from the intermediate below and linked to the Gandi document however it was from 2014. That said, I don't see the intermediate in crt.sh though that could just be me failing to use the

Re: CAs not compliant with CAA CP/CPS requirement

2017-09-22 Thread Richard Moore via dev-security-policy
I see, the one I saw in the wild was issued from the intermediate below and linked to the Gandi document however it was from 2014. That said, I don't see the intermediate in crt.sh though that could just be me failing to use the site properly! Cheers Rich. Certificate: Data:

Re: CAs not compliant with CAA CP/CPS requirement

2017-09-22 Thread Rob Stradling via dev-security-policy
On 21/09/17 22:56, richmoore44--- via dev-security-policy wrote: On Thursday, September 21, 2017 at 10:13:56 AM UTC+1, Rob Stradling wrote: Our CPS has now been updated. Will you be ensuring that CAs like Gandi who are chaining back to your roots also update their CPS? Gandi are a managed

Re: CAs not compliant with CAA CP/CPS requirement

2017-09-21 Thread richmoore44--- via dev-security-policy
On Thursday, September 21, 2017 at 10:13:56 AM UTC+1, Rob Stradling wrote: > Our CPS has now been updated. Will you be ensuring that CAs like Gandi who are chaining back to your roots also update their CPS? Regards Rich.

Re: CAs not compliant with CAA CP/CPS requirement

2017-09-21 Thread Rob Stradling via dev-security-policy
On 08/09/17 20:24, Andrew Ayer via dev-security-policy wrote: The BRs state: "Effective as of 8 September 2017, section 4.2 of a CA's Certificate Policy and/or Certification Practice Statement (section 4.1 for CAs still conforming to RFC 2527) SHALL state the CA's policy or practice on

Re: CAs not compliant with CAA CP/CPS requirement

2017-09-19 Thread Gervase Markham via dev-security-policy
On 15/09/17 09:38, richmoor...@gmail.com wrote: > I suspect many smaller CAs are non-compliant too, for example gandi's CPS > hasn't changed since 2009 according to its changelog. > > https://www.gandi.net/static/docs/en/gandi-certification-practice-statement.pdf Thank you for bringing this to

Re: CAs not compliant with CAA CP/CPS requirement

2017-09-15 Thread richmoore44--- via dev-security-policy
I suspect many smaller CAs are non-compliant too, for example gandi's CPS hasn't changed since 2009 according to its changelog. https://www.gandi.net/static/docs/en/gandi-certification-practice-statement.pdf Cheers Rich.

Re: CAs not compliant with CAA CP/CPS requirement

2017-09-15 Thread Liddle, Alan via dev-security-policy
On Friday, September 8, 2017 at 3:25:20 PM UTC-4, Andrew Ayer wrote: > The BRs state: > > "Effective as of 8 September 2017, section 4.2 of a CA's Certificate > Policy and/or Certification Practice Statement (section 4.1 for CAs > still conforming to RFC 2527) SHALL state the CA's policy or

Re: CAs not compliant with CAA CP/CPS requirement

2017-09-12 Thread identrust--- via dev-security-policy
On Friday, September 8, 2017 at 3:25:20 PM UTC-4, Andrew Ayer wrote: > The BRs state: > > "Effective as of 8 September 2017, section 4.2 of a CA's Certificate > Policy and/or Certification Practice Statement (section 4.1 for CAs > still conforming to RFC 2527) SHALL state the CA's policy or

Re: CAs not compliant with CAA CP/CPS requirement

2017-09-11 Thread info--- via dev-security-policy
On Friday, 8 September 2017, 21:25:20 (UTC+2), Andrew Ayer wrote: > The BRs state: > > "Effective as of 8 September 2017, section 4.2 of a CA's Certificate > Policy and/or Certification Practice Statement (section 4.1 for CAs > still conforming to RFC 2527) SHALL state the CA's policy

Re: CAs not compliant with CAA CP/CPS requirement

2017-09-11 Thread Jeremy Rowley via dev-security-policy
Let me pull the data and share it with you. For some reason we saw a few sub domains right before the 8th. We added *.digicerts.com at the last minute until we had time to figure out why. I suspect it's being caused by documentation or a partner telling the customers the wrong thing. Once we

Re: CAs not compliant with CAA CP/CPS requirement

2017-09-11 Thread Gervase Markham via dev-security-policy
Hi Ben and Jeremy, On 09/09/17 01:25, Ben Wilson wrote: > Those are typos. See section 4.2.1 of our CPS posted here: > https://www.digicert.com/wp-content/uploads/2017/09/DigiCert_CPS_v412.pdf This reads: "The Certification Authority CAA identifying domains for CAs within DigiCert’s

Re: CAs not compliant with CAA CP/CPS requirement

2017-09-11 Thread Kim Nguyen via dev-security-policy
On Friday, 8 September 2017 21:25:20 UTC+2, Andrew Ayer wrote: > The BRs state: > > "Effective as of 8 September 2017, section 4.2 of a CA's Certificate > Policy and/or Certification Practice Statement (section 4.1 for CAs > still conforming to RFC 2527) SHALL state the CA's policy or practice

Re: CAs not compliant with CAA CP/CPS requirement

2017-09-09 Thread Jeremy Rowley via dev-security-policy
I would have checked Sept 9th as Sept 8th at midnight would be the last possible moment when the CPS could be updated and still be compliant. > On Sep 9, 2017, at 3:33 PM, Andrew Ayer via dev-security-policy > wrote: > > On Fri, 8 Sep 2017 15:22:52 -0700

Re: CAs not compliant with CAA CP/CPS requirement

2017-09-09 Thread Andrew Ayer via dev-security-policy
On Fri, 8 Sep 2017 15:22:52 -0700 (PDT) Andy Warner via dev-security-policy wrote: > Google Trust Services published updated CP & CPS versions earlier > today covering CAA checking. I'd suggest checking all CAs again > tomorrow. Given the range of timezones

Re: CAs not compliant with CAA CP/CPS requirement

2017-09-09 Thread identrust--- via dev-security-policy
mozilla-dev-security-pol...@lists.mozilla.org > Subject: CAs not compliant with CAA CP/CPS requirement > > The BRs state: > > "Effective as of 8 September 2017, section 4.2 of a CA's Certificate Policy > and/or Certification Practice Statement (section 4.1 for CAs s

Re: CAs not compliant with CAA CP/CPS requirement

2017-09-09 Thread Andy Warner via dev-security-policy
Google Trust Services published updated CP & CPS versions earlier today covering CAA checking. I'd suggest checking all CAs again tomorrow. Given the range of timezones CA operational staffs operate across, some may not have had a chance to publish their updates yet. In terms of the 'rush' I

RE: CAs not compliant with CAA CP/CPS requirement

2017-09-08 Thread Ryan Hurst via dev-security-policy
Responding from my personal account but I can confirm that Google Trust Services does check CAA and our policy was updated earlier today to reflect that.

RE: CAs not compliant with CAA CP/CPS requirement

2017-09-08 Thread Ben Wilson via dev-security-policy
-security-policy Sent: Friday, September 8, 2017 4:08 PM To: Jeremy Rowley <jeremy.row...@digicert.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org; Andrew Ayer <a...@andrewayer.name> Subject: CAs not compliant with CAA CP/CPS requirement Is there a typo here? Dig

CAs not compliant with CAA CP/CPS requirement

2017-09-08 Thread Samuel Pinder via dev-security-policy
y.rowley=digicert.com@lists.mozilla > .org] On Behalf Of Andrew Ayer via dev-security-policy > Sent: Friday, September 8, 2017 1:25 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: CAs not compliant with CAA CP/CPS requirement > > The BRs state: > > "Effec

RE: CAs not compliant with CAA CP/CPS requirement

2017-09-08 Thread Jeremy Rowley via dev-security-policy
@lists.mozilla .org] On Behalf Of Andrew Ayer via dev-security-policy Sent: Friday, September 8, 2017 1:25 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: CAs not compliant with CAA CP/CPS requirement The BRs state: "Effective as of 8 September 2017, section 4.2 of a CA's Certificate P

Re: CAs not compliant with CAA CP/CPS requirement

2017-09-08 Thread Peter Bowen via dev-security-policy
On Fri, Sep 8, 2017 at 12:24 PM, Andrew Ayer via dev-security-policy wrote: > The BRs state: > > "Effective as of 8 September 2017, section 4.2 of a CA's Certificate > Policy and/or Certification Practice Statement (section 4.1 for CAs > still conforming to

Re: CAs not compliant with CAA CP/CPS requirement

2017-09-08 Thread Jeremy Rowley via dev-security-policy
Hey Andrew, we are checking CAA records at time of issuance. The CPS update should publish today. > On Sep 8, 2017, at 1:25 PM, Andrew Ayer via dev-security-policy > wrote: > > The BRs state: > > "Effective as of 8 September 2017, section 4.2 of a CA's