Re: Do We Now Require Separate Cross-certificates for SSL and S/MIME?

2018-08-15 Thread Wayne Thayer via dev-security-policy
The updated 2.6.1 version of the Mozilla Root Store policy resulting from this discussion is now published: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ - Wayne On Mon, Aug 6, 2018 at 3:28 PM Wayne Thayer wrote: > Having received no comments on this

Re: Do We Now Require Separate Cross-certificates for SSL and S/MIME?

2018-08-06 Thread Wayne Thayer via dev-security-policy
Having received no comments on this proposal, I plan to go ahead and publish version 2.6.1 of the Mozilla Root Store Policy with the third paragraph of section 5.3 clarified as follows: Intermediate certificates created after January 1, 2019, with the exception of cross-certificates that share a

Re: Do We Now Require Separate Cross-certificates for SSL and S/MIME?

2018-07-18 Thread Wayne Thayer via dev-security-policy
Kathleen pointed out that one of the purposes of this section is to require disclosure of cross-certificates, and my first attempted fix seems to violate that purpose. Here is my second attempt to clarify the language in section 5.3:

Re: Do We Now Require Separate Cross-certificates for SSL and S/MIME?

2018-07-17 Thread Bruce via dev-security-policy
On Monday, July 16, 2018 at 7:25:09 PM UTC-4, Wayne Thayer wrote: > On Fri, Jul 13, 2018 at 3:50 PM Tim Hollebeek via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > Yeah, I agree I don’t think it was intended. But now that I am aware of > > the issue, I think the

Re: Do We Now Require Separate Cross-certificates for SSL and S/MIME?

2018-07-16 Thread Wayne Thayer via dev-security-policy
a > > dev-security-policy > > Sent: Friday, July 13, 2018 10:17 AM > > To: mozilla-dev-security-pol...@lists.mozilla.org > > Subject: Re: Do We Now Require Separate Cross-certificates for SSL and > > S/MIME? > > > > Agreed that old cross-certificates will not

RE: Do We Now Require Separate Cross-certificates for SSL and S/MIME?

2018-07-13 Thread Tim Hollebeek via dev-security-policy
zilla.org] On Behalf Of Bruce via > dev-security-policy > Sent: Friday, July 13, 2018 10:17 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Do We Now Require Separate Cross-certificates for SSL and > S/MIME? > > Agreed that old cross-certificates will not be

Re: Do We Now Require Separate Cross-certificates for SSL and S/MIME?

2018-07-13 Thread Bruce via dev-security-policy
> From: dev-security-policy [mailto:dev-security-policy- > > bounces+tim.hollebeek=digicert@lists.mozilla.org] On Behalf Of Bruce via > > dev-security-policy > > Sent: Thursday, July 12, 2018 10:28 AM > > To: mozilla-dev-security-pol...@lists.mozilla.org > > Subject: Re

RE: Do We Now Require Separate Cross-certificates for SSL and S/MIME?

2018-07-13 Thread Tim Hollebeek via dev-security-policy
.hollebeek=digicert@lists.mozilla.org] On Behalf Of Bruce via > dev-security-policy > Sent: Thursday, July 12, 2018 10:28 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Do We Now Require Separate Cross-certificates for SSL and > S/MIME? > > Note the BRs de

Re: Do We Now Require Separate Cross-certificates for SSL and S/MIME?

2018-07-12 Thread Bruce via dev-security-policy
Note the BRs define Cross Certificate as "a certificate that is used to establish a trust relationship between two Root CAs." I think the intent was to technically restrict subordinate CAs or rather CAs which are online and issue end entity certificates. My assumption is that we want to 1) not