Re: New requirement: certlint testing

2016-02-17 Thread rafamdn
On Tuesday, 16 February 2016, 21:06:23 (UTC+1), Gervase Markham wrote: > > There has been no such notification, to my knowledge. > > Gerv Thanks for your feedback. Maybe it was addressed by an individual request, in a private or informal way... In order to shed light on this issue, we have

Re: New requirement: certlint testing

2016-02-16 Thread Gervase Markham
On 16/02/16 04:05, rafa...@gmail.com wrote: >>> Maybe a Mozilla's representative at CAB Forum may supply >>> additional information about it. >> >> Or maybe you may, since you're the one arguing for the exception. > > You'll agree that if this subject has already been notified and > discussed (we

Re: [E] New requirement: certlint testing

2016-02-16 Thread Jakob Bohm
In addition to the comments below, note that I conceded that simple grandfathering based on requirement dates would probably do the job. On 16/02/2016 17:16, Steve wrote: As long as TLS handshake performance concerns keep RFC 6961 from de facto ( https://bugzilla.mozilla.org/show_bug.cgi?id=611

Re: [E] New requirement: certlint testing

2016-02-16 Thread Steve
ven wrote: > >>>>> There's no requestor control of validityNotBefore for an offline CA > >>>> signing > >>>>> event, and certainly none with an online CA since the Playstation > attack. > >>>>> There's limited control of to

Re: [E] Re: New requirement: certlint testing

2016-02-16 Thread Jakob Bohm
riginal Message- From: dev-security-policy [mailto:dev-security-policy-bounces+steve.medin=verizonbusiness@lists.mozilla.org] On Behalf Of Jakob Bohm Sent: Sunday, February 14, 2016 5:08 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: [E] Re: New requirement: certlint testi

Re: [E] New requirement: certlint testing

2016-02-16 Thread Jakob Bohm
M To: mozilla-dev-security-pol...@lists.mozilla.org Subject: [E] Re: New requirement: certlint testing On 14/02/2016 21:58, Steve wrote: While time isn't entropic and in its minutes and seconds there are more variable bits than the 20 required by policies, the main influences in a subordination

Re: New requirement: certlint testing

2016-02-16 Thread rafamdn
On Monday, 15 February 2016, 20:43:35 (UTC+1), Matt Palmer wrote: > I didn't insinuate it. I stated it outright. If you're trying to argue > that the BRs say you have to behave in a certain way, but you're not > actually following *all* the BRs, then that's pretty much a textbook > defin

Re: New requirement: certlint testing

2016-02-15 Thread Matt Palmer
On Mon, Feb 15, 2016 at 07:12:05AM -0800, rafa...@gmail.com wrote: > On Sunday, 14 February 2016, 21:10:57 (UTC+1), Matt Palmer wrote: > > If so, have you complied with the next paragraph of section 8 of the BRs, > > which states "The parties involved SHALL notify the CA/Browser Forum of

Re: New requirement: certlint testing

2016-02-15 Thread rafamdn
On Sunday, 14 February 2016, 21:10:57 (UTC+1), Matt Palmer wrote: > If so, have you complied with the next paragraph of section 8 of the BRs, > which states "The parties involved SHALL notify the CA/Browser Forum of the > facts, circumstances, and law(s) involved, so that the CA/Browser F

Re: [E] New requirement: certlint testing

2016-02-15 Thread Peter Bowen
an more is more > more more. > > Kind regards, > Steve > > -Original Message- > From: dev-security-policy > [mailto:dev-security-policy-bounces+steve.medin=verizonbusiness@lists.mozilla.org] > On Behalf Of Jakob Bohm > Sent: Sunday, February 14, 2016 5:08 PM >

RE: [E] Re: New requirement: certlint testing

2016-02-15 Thread Medin, Steven
riginal Message- From: dev-security-policy [mailto:dev-security-policy-bounces+steve.medin=verizonbusiness@lists.mozilla.org] On Behalf Of Jakob Bohm Sent: Sunday, February 14, 2016 5:08 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: [E] Re: New requirement: certlint testing On

Re: New requirement: certlint testing

2016-02-15 Thread Rob Stradling
On 12/02/16 18:21, David Keeler wrote: On 02/11/2016 08:15 AM, Rob Stradling wrote: https://cert-checker.allizom.org/ can already accept and "run certlint" on a user-submitted certificate. Could a "run cablint" button be added too? The way it's implemented, "run certlint" actually runs cablin

Re: New requirement: certlint testing

2016-02-14 Thread Jakob Bohm
o: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: New requirement: certlint testing It remains an important security measure when signing anything requested from outside, including 3rd party sub-CA certificates, cross certificates for the roots of other CAs, certificates for more remote parts

Re: New requirement: certlint testing

2016-02-14 Thread Steve
r. > > > > -Original Message- > > From: dev-security-policy > > [mailto:dev-security-policy-bounces+steve.medin > =verizonbusiness@lists.mo > > zilla.org] On Behalf Of Jakob Bohm > > Sent: Thursday, February 11, 2016 1:23 PM > > To: mozilla-dev-s

Re: New requirement: certlint testing

2016-02-14 Thread Matt Palmer
On Fri, Feb 12, 2016 at 02:00:26AM -0800, rafa...@gmail.com wrote: > Regarding this point, how will the issue about > AdministrativeID (directoryName) in SAN of electronic offices be addressed? > > As it has been said, all Spanish CAs are issuing certs in this way in > order to comply with all ap

Re: New requirement: certlint testing

2016-02-14 Thread Jakob Bohm
ed at the end entity tier. -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+steve.medin=verizonbusiness@lists.mo zilla.org] On Behalf Of Jakob Bohm Sent: Thursday, February 11, 2016 1:23 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: New requ

Re: New requirement: certlint testing

2016-02-12 Thread David Keeler
On 02/11/2016 08:15 AM, Rob Stradling wrote: > https://cert-checker.allizom.org/ can already accept and "run certlint" > on a user-submitted certificate. Could a "run cablint" button be added > too? The way it's implemented, "run certlint" actually runs cablint, which as I understand it is a supe

RE: New requirement: certlint testing

2016-02-12 Thread Medin, Steven
e- From: dev-security-policy [mailto:dev-security-policy-bounces+steve.medin=verizonbusiness@lists.mo zilla.org] On Behalf Of Jakob Bohm Sent: Thursday, February 11, 2016 1:23 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: New requirement: certlint testing It remains an i

Re: New requirement: certlint testing

2016-02-12 Thread rafamdn
> That sounds reasonable to me, so I updated the wiki page... > > https://wiki.mozilla.org/CA:Information_checklist#Technical_information_about_each_root_certificate > "" 15. Test!!! > > - The CA MUST check that they are not issuing certificates that violate > any of the CA/Browser Forum Ba

Re: New requirement: certlint testing

2016-02-11 Thread Jakob Bohm
.henriksveen=buypass...@lists.mozilla.org] On Behalf Of Kurt Roeckx Sent: 9 February 2016 17:58 To: Medin, Steven Cc: mozilla-dev-security-pol...@lists.mozilla.org; Kathleen Wilson Subject: Re: New requirement: certlint testing On Tue, Feb 09, 2016 at 09:31:22AM -0500, Medin, Steven wrote: How d

Re: New requirement: certlint testing

2016-02-11 Thread Kathleen Wilson
On 2/11/16 8:15 AM, Rob Stradling wrote: I wouldn't mind if "Test 1) Browse to https://crt.sh/"; was made a suggestion rather than a requirement. https://cert-checker.allizom.org/ can already accept and "run certlint" on a user-submitted certificate. Could a "run cablint" button be added too? A

Re: New requirement: certlint testing

2016-02-11 Thread Rob Stradling
-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla .org] On Behalf Of Kathleen Wilson Sent: Monday, February 8, 2016 1:18 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: New requirement: certlint testing All, We recently added two tests that CAs must

RE: New requirement: certlint testing

2016-02-11 Thread Mads Egil Henriksveen
Roeckx Sent: 9 February 2016 17:58 To: Medin, Steven Cc: mozilla-dev-security-pol...@lists.mozilla.org; Kathleen Wilson Subject: Re: New requirement: certlint testing On Tue, Feb 09, 2016 at 09:31:22AM -0500, Medin, Steven wrote: > How does the diffusion of early toBeSigned entropy create val

RE: New requirement: certlint testing

2016-02-10 Thread Jeremy Rowley
al Message- From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla .org] On Behalf Of Kathleen Wilson Sent: Monday, February 8, 2016 1:18 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: New requirement: certlint testing All, We recently

Re: New requirement: certlint testing

2016-02-10 Thread rafamdn
Regarding the issue of including a directoryName in SAN, that is a requirement by Spanish laws to issue "Sede Electrónica" certs (Electronic Office of Government sites). > It may be that Mozilla wants to consider an audit qualification that > says that including Directory Names is acceptable Ma

Re: New requirement: certlint testing

2016-02-09 Thread Erwann Abalea
On Tuesday 9 February 2016 16:45:29 UTC+1, Peter Bowen wrote: > On Tue, Feb 9, 2016 at 6:55 AM, Erwann Abalea wrote: > > On Monday 8 February 2016 21:43:19 UTC+1, Kathleen Wilson wrote: > >> On 2/8/16 12:22 PM, Kathleen Wilson wrote: > >> > >> One topic currently under discussion in Bug #1201423

Re: New requirement: certlint testing

2016-02-09 Thread Kurt Roeckx
On Tue, Feb 09, 2016 at 09:31:22AM -0500, Medin, Steven wrote: > How does the diffusion of early toBeSigned entropy create value for an event > performed once? I'm not sure I understand the question. The BRs have this 20 bits of entropy for all certificates. But it's a SHOULD not a MUST. And I gu

Re: New requirement: certlint testing

2016-02-09 Thread Peter Bowen
On Tue, Feb 9, 2016 at 6:55 AM, Erwann Abalea wrote: > On Monday 8 February 2016 21:43:19 UTC+1, Kathleen Wilson wrote: >> On 2/8/16 12:22 PM, Kathleen Wilson wrote: >> >> One topic currently under discussion in Bug #1201423 is regarding root >> certificates with serial number of 0. The error bei

Re: New requirement: certlint testing

2016-02-09 Thread Erwann Abalea
On Monday 8 February 2016 21:43:19 UTC+1, Kathleen Wilson wrote: > On 2/8/16 12:22 PM, Kathleen Wilson wrote: > > On 2/8/16 12:18 PM, Kathleen Wilson wrote: > >> All, > >> > >> We recently added two tests that CAs must perform and resolve errors for > >> when they are requesting to enable the Webs

RE: New requirement: certlint testing

2016-02-09 Thread Medin, Steven
PM To: Kathleen Wilson Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: New requirement: certlint testing On Mon, Feb 08, 2016 at 12:42:46PM -0800, Kathleen Wilson wrote: > > One topic currently under discussion in Bug #1201423 is regarding root > certificates with serial

Re: New requirement: certlint testing

2016-02-09 Thread Ryan Sleevi
On Monday, February 8, 2016 at 12:43:19 PM UTC-8, Kathleen Wilson wrote: > One topic currently under discussion in Bug #1201423 is regarding root > certificates with serial number of 0. The error being returned by > http://cert-checker.allizom.org/ is "Serial number must be positive". > > Argum

Re: New requirement: certlint testing

2016-02-08 Thread Matt Palmer
On Mon, Feb 08, 2016 at 12:42:46PM -0800, Kathleen Wilson wrote: > One topic currently under discussion in Bug #1201423 is regarding root > certificates with serial number of 0. The error being returned by > http://cert-checker.allizom.org/ is "Serial number must be positive". > > Arguments raised

Re: New requirement: certlint testing

2016-02-08 Thread Kurt Roeckx
On Mon, Feb 08, 2016 at 03:12:10PM -0800, Kathleen Wilson wrote: > Error > - BR certificates with organizationName must include either localityName or > stateOrProvinceName This is one of those I check too: https://www.roeckx.be/certificates/subject_org_no_place.png The last few months there are

Re: New requirement: certlint testing

2016-02-08 Thread Peter Bowen
On Mon, Feb 8, 2016 at 3:12 PM, Kathleen Wilson wrote: > On 2/8/16 2:56 PM, Peter Bowen wrote: >> >> On Mon, Feb 8, 2016 at 2:46 PM, Kathleen Wilson >> wrote: >>> >>> >>> Note that I think there are still some things with the certlint tests >>> that >>> need to be ironed out, before filing bugs f

Re: New requirement: certlint testing

2016-02-08 Thread Kathleen Wilson
On 2/8/16 2:56 PM, Peter Bowen wrote: On Mon, Feb 8, 2016 at 2:46 PM, Kathleen Wilson wrote: Note that I think there are still some things with the certlint tests that need to be ironed out, before filing bugs for every reported error. I am unaware of anything that is flagged as Fatal or Err

Re: New requirement: certlint testing

2016-02-08 Thread Peter Bowen
On Mon, Feb 8, 2016 at 2:46 PM, Kathleen Wilson wrote: > > Note that I think there are still some things with the certlint tests that > need to be ironed out, before filing bugs for every reported error. I am unaware of anything that is flagged as Fatal or Error on non-CA certificates that is an

Re: New requirement: certlint testing

2016-02-08 Thread Kathleen Wilson
On 2/8/16 2:36 PM, Kurt Roeckx wrote: On Mon, Feb 08, 2016 at 02:30:05PM -0800, Kathleen Wilson wrote: Not much you can do about a currently-included root certificate other than re-issue the root certificate which can cause many other problems. So I was under the impression that they needed t

Re: New requirement: certlint testing

2016-02-08 Thread Kurt Roeckx
On Mon, Feb 08, 2016 at 02:30:05PM -0800, Kathleen Wilson wrote: > > Not much you can do about a currently-included root certificate other than > re-issue the root certificate which can cause many other problems. So I was under the impression that they needed to check their currently signed certi

Re: New requirement: certlint testing

2016-02-08 Thread Kathleen Wilson
On 2/8/16 1:36 PM, Kurt Roeckx wrote: On Mon, Feb 08, 2016 at 12:18:12PM -0800, Kathleen Wilson wrote: All, We recently added two tests that CAs must perform and resolve errors for when they are requesting to enable the Websites trust bit for their root certificate. Test 1) Browse to https://c

Re: New requirement: certlint testing

2016-02-08 Thread Kurt Roeckx
On Mon, Feb 08, 2016 at 12:18:12PM -0800, Kathleen Wilson wrote: > All, > > We recently added two tests that CAs must perform and resolve errors for > when they are requesting to enable the Websites trust bit for their root > certificate. > > Test 1) Browse to https://crt.sh/ and enter the SHA-1

Re: New requirement: certlint testing

2016-02-08 Thread Kurt Roeckx
On Mon, Feb 08, 2016 at 12:42:46PM -0800, Kathleen Wilson wrote: > > One topic currently under discussion in Bug #1201423 is regarding root > certificates with serial number of 0. The error being returned by > http://cert-checker.allizom.org/ is "Serial number must be positive". I think a root CA

Re: New requirement: certlint testing

2016-02-08 Thread Kathleen Wilson
On 2/8/16 1:07 PM, Peter Bowen wrote: On Mon, Feb 8, 2016 at 12:18 PM, Kathleen Wilson wrote: We recently added two tests that CAs must perform and resolve errors for when they are requesting to enable the Websites trust bit for their root certificate. Test 1) Browse to https://crt.sh/ and ent

Re: New requirement: certlint testing

2016-02-08 Thread Peter Bowen
On Mon, Feb 8, 2016 at 12:18 PM, Kathleen Wilson wrote: > We recently added two tests that CAs must perform and resolve errors for > when they are requesting to enable the Websites trust bit for their root > certificate. > > Test 1) Browse to https://crt.sh/ and enter the SHA-1 Fingerprint for the

Re: New requirement: certlint testing

2016-02-08 Thread Kathleen Wilson
On 2/8/16 12:22 PM, Kathleen Wilson wrote: On 2/8/16 12:18 PM, Kathleen Wilson wrote: All, We recently added two tests that CAs must perform and resolve errors for when they are requesting to enable the Websites trust bit for their root certificate. Test 1) Browse to https://crt.sh/ and enter

New requirement: certlint testing

2016-02-08 Thread Kathleen Wilson
All, We recently added two tests that CAs must perform and resolve errors for when they are requesting to enable the Websites trust bit for their root certificate. Test 1) Browse to https://crt.sh/ and enter the SHA-1 Fingerprint for the root certificate. Then click on the 'Search' button. T

Re: New requirement: certlint testing

2016-02-08 Thread Kathleen Wilson
On 2/8/16 12:18 PM, Kathleen Wilson wrote: All, We recently added two tests that CAs must perform and resolve errors for when they are requesting to enable the Websites trust bit for their root certificate. Test 1) Browse to https://crt.sh/ and enter the SHA-1 Fingerprint for the root certifica