Re: DRAFT November 2017 CA Communication

2017-11-16 Thread Kathleen Wilson via dev-security-policy
On 11/16/17 10:04 AM, Kathleen Wilson wrote: On 11/13/17 1:52 PM, Kathleen Wilson wrote: Link to November 2017 CA Communication on wiki page: https://wiki.mozilla.org/CA/Communications#November_2017_CA_Communication Direct link to the survey:

Re: DRAFT November 2017 CA Communication

2017-11-16 Thread Kathleen Wilson via dev-security-policy
On 11/13/17 1:52 PM, Kathleen Wilson wrote: Link to November 2017 CA Communication on wiki page: https://wiki.mozilla.org/CA/Communications#November_2017_CA_Communication Direct link to the survey:

Re: DRAFT November 2017 CA Communication

2017-11-13 Thread Kathleen Wilson via dev-security-policy
All, I have updated the draft of the November 2017 CA Communication as follows:
- Postponed the response deadline to December 15.
- Removed the CT item (that will be handled separately, later)
- Added an action item (#4) about full period-of-time audits with no gaps. (resulted in a slight

Re: DRAFT November 2017 CA Communication

2017-11-01 Thread Kathleen Wilson via dev-security-policy
It has been suggested that I need to communicate to CAs that there will be consequences if their audit statements do not meet Mozilla’s requirements, so how about if I add the following to the November CA Communication? ~~ As stated in Mozilla’s April 2017 CA Communication[1] and Mozilla’s

Re: DRAFT November 2017 CA Communication

2017-10-27 Thread Gervase Markham via dev-security-policy
On 27/10/17 00:23, Kathleen Wilson wrote: > Looking forward to further discussion about which errata should be allowed. Those are the correct two errata. Gerv

Re: DRAFT November 2017 CA Communication

2017-10-26 Thread Kathleen Wilson via dev-security-policy
On Wednesday, October 25, 2017 at 2:05:33 PM UTC-7, Andrew Ayer wrote: > Hi Kathleen, > > I suggest being explicit about which CAA errata Mozilla allows. > > For CNAME, it's erratum 5065. > > For DNAME, it's erratum 5097. > > Link to errata:

RE: DRAFT November 2017 CA Communication

2017-10-26 Thread Tim Hollebeek via dev-security-policy
ilson <kwil...@mozilla.com> Cc: Kathleen Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: DRAFT November 2017 CA Communication Hi Kathleen, I suggest being explicit about which CAA errata Mozilla allows. For

Re: DRAFT November 2017 CA Communication

2017-10-25 Thread Andrew Ayer via dev-security-policy
Hi Kathleen, I suggest being explicit about which CAA errata Mozilla allows. For CNAME, it's erratum 5065. For DNAME, it's erratum 5097. Link to errata: https://www.rfc-editor.org/errata_search.php?rfc=6844 We don't want CAs to think they can follow any errata they like, or to come up with

RE: DRAFT November 2017 CA Communication

2017-10-25 Thread Jeremy Rowley via dev-security-policy
Some initial thoughts
1. I'm a bit confused by bullet #2 in the survey. Wasn't it already the Mozilla policy that CAs could only use the blessed 10 methods of validation? I thought this was communicated in the previous letter?
2. On bullet #3, I'm reading the wording to mean either 1) disclosed