Hi Doug,
Kathleen is unavailable this week, so I'll try and answer. (This might
have been better as a new top-level post, though...)
On 11/04/17 21:14, Doug Beattie wrote:
> This is my understanding:
>
> - Under policy 2.3 a CA that is technically
> constrained with EKU set to only secure email
.org
> Subject: Re: Next CA Communication
>
> On Tuesday, April 4, 2017 at 10:38:28 AM UTC-7, Kathleen Wilson wrote:
> >
> > The email has been sent, and the survey is open.
> >
>
>
> Published a security blog about it:
> https://blog.mozilla.org/security/
On Tuesday, April 4, 2017 at 10:38:28 AM UTC-7, Kathleen Wilson wrote:
>
> The email has been sent, and the survey is open.
>
Published a security blog about it:
https://blog.mozilla.org/security/2017/04/04/mozilla-releases-version-2-4-ca-certificate-policy/
Cheers,
Kathleen
On Monday, April 3, 2017 at 2:21:14 PM UTC-7, Kathleen Wilson wrote:
> All,
>
> I'm getting ready to send the April 2017 CA Communication email.
>
> I updated the wiki page to have the survey introduction text, and a
> (read-only) link to the full survey:
>
On Monday, April 3, 2017 at 10:13:22 AM UTC-7, Kathleen Wilson wrote:
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
> still shows version 2.4.
It's been updated to version 2.4.1.
Thanks,
Kathleen
___
On Saturday, April 1, 2017 at 3:59:28 AM UTC-7, Gervase Markham wrote:
> On 31/03/17 22:20, Kathleen Wilson wrote:
> > Please let me know asap if you see any problems, typos, etc. in this
> > version.
>
> Now that policy 2.4.1 has been published, we should update Action 3 to
> say the following
On 31/03/17 22:20, Kathleen Wilson wrote:
> Please let me know asap if you see any problems, typos, etc. in this
> version.
Now that policy 2.4.1 has been published, we should update Action 3 to
say the following at the top:
Versions 2.4 and 2.4.1 of Mozilla's CA Certificate Policy have been
I have moved the draft of the April 2017 CA Communication to production, so the
link has changed to:
https://mozillacaprogram.secure.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a05o03WrzBC
It is also available here:
On 28/03/2017 16:13, Ryan Sleevi wrote:
On Tue, Mar 28, 2017 at 10:00 AM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
In principle any source of information could change just one minute
later. A domain could be sold, a company could declare bankruptcy, a
On Tue, Mar 28, 2017 at 10:00 AM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> In principle any source of information could change just one minute
> later. A domain could be sold, a company could declare bankruptcy, a
> personal domain owner could die.
>
On 27/03/2017 11:10, Gervase Markham wrote:
On 17/03/17 15:30, Gervase Markham wrote:
The URL for the draft of the next CA Communication is here:
https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2
Note that this is a
On 27/03/17 16:22, Ryan Sleevi wrote:
> Would it be useful to thus also query whether there would be impact in
> Mozilla applications failing to trust such certificates, but otherwise to
> continue permitting their issuance.
That is a good idea. How about:
If you are unable to support a
On Mon, Mar 27, 2017 at 10:18 AM, Ryan Sleevi wrote:
> Gerv,
>
> I'm curious whether you would consider 18 months an appropriate target for
> a deprecation to 1 year certificates. That is, do you believe a transition
> to 1 year certificates requires 24 months or 18 months, or
Gerv,
I'm curious whether you would consider 18 months an appropriate target for
a deprecation to 1 year certificates. That is, do you believe a transition
to 1 year certificates requires 24 months or 18 months, or was it chosen
simply for its appeal as a staggered number (1 year -> 2 year certs,
On 17/03/17 15:30, Gervase Markham wrote:
> The URL for the draft of the next CA Communication is here:
> https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2
>
> Note that this is a _draft_ - the form parts will not work,
On Friday, March 24, 2017 at 3:11:17 AM UTC-7, Gervase Markham wrote:
> On 23/03/17 23:07, Kathleen Wilson wrote:
> > Second paragraph of Action 1 now says: ~~ Note that version 1.4.2 of
> > the BRs does not contain all 10 of these methods, but it does contain
> > section 3.2.2.4.11, "Other
On 23/03/17 23:07, Kathleen Wilson wrote:
> Second paragraph of Action 1 now says: ~~ Note that version 1.4.2 of
> the BRs does not contain all 10 of these methods, but it does contain
> section 3.2.2.4.11, "Other Methods", so the subsections of version
> 3.2.2.4 that are marked "Reserved" in
On Tuesday, March 21, 2017 at 11:34:30 AM UTC-7, Gervase Markham wrote:
> On 21/03/17 10:16, Gervase Markham wrote:
> > On 17/03/17 11:30, Gervase Markham wrote:
> >> The URL for the draft of the next CA Communication is here:
> >>
On Tuesday, March 21, 2017 at 7:17:26 AM UTC-7, Gervase Markham wrote:
> On 17/03/17 11:30, Gervase Markham wrote:
> > The URL for the draft of the next CA Communication is here:
> >
On Tuesday, March 21, 2017 at 5:51:29 AM UTC-7, Kurt Roeckx wrote:
> On 2017-03-21 12:51, Jakob Bohm wrote:
> > On 21/03/2017 10:09, Kurt Roeckx wrote:
> >> Action 6 says:
I've updated action #6, but it still might not be clear.
Here's the new draft:
ACTION 6: QUALIFIED AUDIT STATEMENTS
When
On 21/03/17 10:16, Gervase Markham wrote:
> On 17/03/17 11:30, Gervase Markham wrote:
>> The URL for the draft of the next CA Communication is here:
>> https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2
>
> A few more
On 17/03/17 11:30, Gervase Markham wrote:
> The URL for the draft of the next CA Communication is here:
> https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2
A few more wording tweaks on the current version:
* Action 1
On 2017-03-21 12:51, Jakob Bohm wrote:
On 21/03/2017 10:09, Kurt Roeckx wrote:
On 2017-03-17 16:30, Gervase Markham wrote:
The URL for the draft of the next CA Communication is here:
On 21/03/2017 10:09, Kurt Roeckx wrote:
On 2017-03-17 16:30, Gervase Markham wrote:
The URL for the draft of the next CA Communication is here:
https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2
Action 6 says:
However,
On Monday, March 20, 2017 at 2:43:22 PM UTC-7, Gervase Markham wrote:
> On 20/03/17 15:33, Kathleen Wilson wrote:
> >> * Action 7: some of the BR Compliance bugs relate to CAs which are no
> >> longer trusted, like StartCom. If StartCom does become a trusted CA
> >> again, it will be with new
On 20/03/17 13:07, Peter Bowen wrote:
>> E) SHA-1 and S/MIME
>>
>> Does your CA issue SHA-1 S/MIME certificates? If so, please explain your
>> plans for ceasing to do so, and any self-imposed or external deadlines
>> you are planning to meet. Mozilla plans to make policy in this area in
>> the
On 20/03/17 15:33, Kathleen Wilson wrote:
>> * Action 7: some of the BR Compliance bugs relate to CAs which are no
>> longer trusted, like StartCom. If StartCom does become a trusted CA
>> again, it will be with new systems which most likely do not have the
>> same bugs. Should we close the
On Mon, Mar 20, 2017 at 4:52 PM Rob Stradling
wrote:
> On 20/03/17 17:07, Peter Bowen via dev-security-policy wrote:
>
> >> B) Your attention is drawn to the cablint and x509lint tools, which you
> >> may wish to incorporate into your certificate issuance pipeline to
On Monday, March 20, 2017 at 1:37:32 PM UTC-7, Jeremy Rowley wrote:
> Something like: "Does your CA have any third-party Registration Authority
> (RA)s program that the CA relies on to perform the domain validation
> required under Section 3.2.2.4 of the Baseline Requirements."
Updated
-policy
Sent: Monday, March 20, 2017 2:29 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Next CA Communication
On Monday, March 20, 2017 at 10:59:41 AM UTC-7, Peter Bowen wrote:
> On Mon, Mar 20, 2017 at 10:43 AM, Jeremy Rowley via
> > [JR] This should be limited to SSL
On Monday, March 20, 2017 at 10:59:41 AM UTC-7, Peter Bowen wrote:
> On Mon, Mar 20, 2017 at 10:43 AM, Jeremy Rowley via
> > [JR] This should be limited to SSL certs IMO. With client certs, you're
> > going
> > to get a lot more RAs that likely function under the standard or legal
> > framework
On Friday, March 17, 2017 at 9:17:07 AM UTC-7, Peter Bowen wrote:
> I would replace this with:
>
> + Distinguished name and SHA-256 hash of the SubjectPublicKeyInfo of
> each certificate issuer covered by the audit scope
> + Clear indication of which in-scope certificate issuers are Root CAs
>
On Mon, Mar 20, 2017 at 10:43 AM, Jeremy Rowley via
dev-security-policy wrote:
> A) Does your CA have an RA program, whereby non-Affiliates of your company
> perform aspects of certificate validation on your behalf under contract? If
> so, please tell us
On 17/03/17 15:30, Gervase Markham wrote:
> The URL for the draft of the next CA Communication is here:
> https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2
* Action 1 should say that if in future additional specific
On Fri, Mar 17, 2017 at 8:30 AM, Gervase Markham via
dev-security-policy wrote:
> The URL for the draft of the next CA Communication is here:
>
On Tuesday, 23 August 2016 20:03:13 UTC+1, Kathleen Wilson wrote:
> Are there any other topics that I should include in this upcoming CA
> Communication?
Also, I think that the SHA-1 topic should be brought up again. Some CA folks
will be tired of reading about this, having managed the issue
On Tuesday, 23 August 2016 20:03:13 UTC+1, Kathleen Wilson wrote:
> Are there any other topics that I should include in this upcoming CA
> Communication?
It can be worth following-up on date-in-time commitments from those CAs in
replies to the previous communication this year. Each CA should
37 matches
Mail list logo