Re: Misissuance/non-compliance remediation timelines

2018-02-08 Thread Paul Kehrer via dev-security-policy
On February 9, 2018 at 1:24:12 AM, Wayne Thayer (wtha...@mozilla.com) wrote: On Tue, Feb 6, 2018 at 6:03 PM, Paul Kehrer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > > So, how long is too long? > This is the crux of the issue for me. If a CA (that really should have

Re: Misissuance/non-compliance remediation timelines

2018-02-08 Thread Wayne Thayer via dev-security-policy
On Tue, Feb 6, 2018 at 6:03 PM, Paul Kehrer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > > So, how long is too long? > This is the crux of the issue for me. If a CA (that really should have stopped responding 'good' for unknown certs back in 2013) needs to select,

Re: Misissuance/non-compliance remediation timelines

2018-02-08 Thread Gervase Markham via dev-security-policy
On 07/02/18 15:14, Alex Gaynor wrote: > That said, given the issues Paul highlighted in his original mail (which I > wholeheartedly concur with), it seems the place to focus is the folks who > are getting Ds right now. Therefore I think the essential part of your > email is your agreement that CAs

RE: Misissuance/non-compliance remediation timelines

2018-02-07 Thread James Burton via dev-security-policy
Of Tim Hollebeek via dev-security-policy Sent: 07 February 2018 16:11 To: Alex Gaynor <agay...@mozilla.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org; Paul Kehrer <paul.l.keh...@gmail.com> Subject: RE: Misissuance/non-compliance remediation timelines Alex, Most CAs probably

RE: Misissuance/non-compliance remediation timelines

2018-02-07 Thread Tim Hollebeek via dev-security-policy
leb...@digicert.com> Cc: Paul Kehrer <paul.l.keh...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Misissuance/non-compliance remediation timelines Hey Tim, A piece I think I'm missing is what you see as the incentive for CAs to aim for an "A" r

RE: Misissuance/non-compliance remediation timelines

2018-02-07 Thread Tim Hollebeek via dev-security-policy
Subject: Re: Misissuance/non-compliance remediation timelines So your view is the “carrot” is getting to use Mozilla’s brand as an endorsement, and the “stick” being that if you don’t get that endorsement for a while, you get kicked out? The assumption is that the branding of “best”

Re: Misissuance/non-compliance remediation timelines

2018-02-06 Thread Ryan Sleevi via dev-security-policy
So your view is the “carrot” is getting to use Mozilla’s brand as an endorsement, and the “stick” being that if you don’t get that endorsement for a while, you get kicked out? The assumption is that the branding of “best” is valuable - presumably, through the indirect benefit of being able to

RE: Misissuance/non-compliance remediation timelines

2018-02-06 Thread Tim Hollebeek via dev-security-policy
Absolutely not. I view the competition as being based as the “most best”. You cannot get an “A” (or even A- or B+) without significantly exceeding the minimum requirements, or demonstrating behaviors and practices that, while not required, are behaviors Mozilla wants to encourage.

Misissuance/non-compliance remediation timelines

2018-02-06 Thread Paul Kehrer via dev-security-policy
A bit over 5 months ago I reported a series of OCSP responders that were violating BRs (section 4.9.10) by returning GOOD on unknown serial numbers. Since that time the majority of those responder endpoints have been fixed, but several are still non-compliant; either with little communication or