Re: Next CA Communication

Hi Doug, Kathleen is unavailable this week, so I'll try and answer. (This might have been better as a new top-level post, though...) On 11/04/17 21:14, Doug Beattie wrote: > This is my understanding: > > - Under policy 2.3 a CA that is technically > constrained with EKU set to only secure email

RE: Next CA Communication

.org > Subject: Re: Next CA Communication > > On Tuesday, April 4, 2017 at 10:38:28 AM UTC-7, Kathleen Wilson wrote: > > > > The email has been sent, and the survey is open. > > > > > Published a security blog about it: > https://blog.mozilla.org/security/

Re: Next CA Communication

On Tuesday, April 4, 2017 at 10:38:28 AM UTC-7, Kathleen Wilson wrote: > > The email has been sent, and the survey is open. > Published a security blog about it: https://blog.mozilla.org/security/2017/04/04/mozilla-releases-version-2-4-ca-certificate-policy/ Cheers, Kathleen

Re: Next CA Communication

On Monday, April 3, 2017 at 2:21:14 PM UTC-7, Kathleen Wilson wrote: > All, > > I'm getting ready to send the April 2017 CA Communication email. > > I updated the wiki page to have the survey introduction text, and a > (read-only) link to the full survey: >

Re: Next CA Communication

On Monday, April 3, 2017 at 10:13:22 AM UTC-7, Kathleen Wilson wrote: > https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ > still shows version 2.4. It's been updated to version 2.4.1. Thanks, Kathleen ___

Re: Next CA Communication

On Saturday, April 1, 2017 at 3:59:28 AM UTC-7, Gervase Markham wrote: > On 31/03/17 22:20, Kathleen Wilson wrote: > > Please let me know asap if you see any problems, typos, etc. in this > > version. > > Now that policy 2.4.1 has been published, we should update Action 3 to > say the following

Re: Next CA Communication

On 31/03/17 22:20, Kathleen Wilson wrote: > Please let me know asap if you see any problems, typos, etc. in this > version. Now that policy 2.4.1 has been published, we should update Action 3 to say the following at the top: Versions 2.4 and 2.4.1 of Mozilla's CA Certificate Policy have been

Re: Next CA Communication

I have moved the draft of the April 2017 CA Communication to production, so the link has changed to: https://mozillacaprogram.secure.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a05o03WrzBC It is also available here:

Re: Next CA Communication

On 28/03/2017 16:13, Ryan Sleevi wrote: On Tue, Mar 28, 2017 at 10:00 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: In principle any source of information could change just one minute later. A domain could be sold, a company could declare bankruptcy, a

Re: Next CA Communication

On Tue, Mar 28, 2017 at 10:00 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > In principle any source of information could change just one minute > later. A domain could be sold, a company could declare bankruptcy, a > personal domain owner could die. >

Re: Next CA Communication

On 27/03/2017 11:10, Gervase Markham wrote: On 17/03/17 15:30, Gervase Markham wrote: The URL for the draft of the next CA Communication is here: https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2 Note that this is a

Re: Next CA Communication

On 27/03/17 16:22, Ryan Sleevi wrote: > Would it be useful to thus also query whether there would be impact in > Mozilla applications failing to trust such certificates, but otherwise to > continue permitting their issuance. That is a good idea. How about: If you are unable to support a

Re: Next CA Communication

On Mon, Mar 27, 2017 at 10:18 AM, Ryan Sleevi wrote: > Gerv, > > I'm curious whether you would consider 18 months an appropriate target for > a deprecation to 1 year certificates. That is, do you believe a transition > to 1 year certificates requires 24 months or 18 months, or

Re: Next CA Communication

Gerv, I'm curious whether you would consider 18 months an appropriate target for a deprecation to 1 year certificates. That is, do you believe a transition to 1 year certificates requires 24 months or 18 months, or was it chosen simply for its appeal as a staggered number (1 year -> 2 year certs,

Re: Next CA Communication

On 17/03/17 15:30, Gervase Markham wrote: > The URL for the draft of the next CA Communication is here: > https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2 > > Note that this is a _draft_ - the form parts will not work,

Re: Next CA Communication

On Friday, March 24, 2017 at 3:11:17 AM UTC-7, Gervase Markham wrote: > On 23/03/17 23:07, Kathleen Wilson wrote: > > Second paragraph of Action 1 now says: ~~ Note that version 1.4.2 of > > the BRs does not contain all 10 of these methods, but it does contain > > section 3.2.2.4.11, "Other

Re: Next CA Communication

On 23/03/17 23:07, Kathleen Wilson wrote: > Second paragraph of Action 1 now says: ~~ Note that version 1.4.2 of > the BRs does not contain all 10 of these methods, but it does contain > section 3.2.2.4.11, "Other Methods", so the subsections of version > 3.2.2.4 that are marked "Reserved" in

Re: Next CA Communication

On Tuesday, March 21, 2017 at 11:34:30 AM UTC-7, Gervase Markham wrote: > On 21/03/17 10:16, Gervase Markham wrote: > > On 17/03/17 11:30, Gervase Markham wrote: > >> The URL for the draft of the next CA Communication is here: > >>

Re: Next CA Communication

On Tuesday, March 21, 2017 at 7:17:26 AM UTC-7, Gervase Markham wrote: > On 17/03/17 11:30, Gervase Markham wrote: > > The URL for the draft of the next CA Communication is here: > >

Re: Next CA Communication

On Tuesday, March 21, 2017 at 5:51:29 AM UTC-7, Kurt Roeckx wrote: > On 2017-03-21 12:51, Jakob Bohm wrote: > > On 21/03/2017 10:09, Kurt Roeckx wrote: > >> Action 6 says: I've updated action #6, but it still might not be clear. Here's the new draft: ACTION 6: QUALIFIED AUDIT STATEMENTS When

Re: Next CA Communication

On 21/03/17 10:16, Gervase Markham wrote: > On 17/03/17 11:30, Gervase Markham wrote: >> The URL for the draft of the next CA Communication is here: >> https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2 > > A few more

Re: Next CA Communication

On 17/03/17 11:30, Gervase Markham wrote: > The URL for the draft of the next CA Communication is here: > https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2 A few more wording tweaks on the current version: * Action 1

Re: Next CA Communication

On 2017-03-21 12:51, Jakob Bohm wrote: On 21/03/2017 10:09, Kurt Roeckx wrote: On 2017-03-17 16:30, Gervase Markham wrote: The URL for the draft of the next CA Communication is here:

Re: Next CA Communication

On 21/03/2017 10:09, Kurt Roeckx wrote: On 2017-03-17 16:30, Gervase Markham wrote: The URL for the draft of the next CA Communication is here: https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2 Action 6 says: However,

Re: Next CA Communication

On Monday, March 20, 2017 at 2:43:22 PM UTC-7, Gervase Markham wrote: > On 20/03/17 15:33, Kathleen Wilson wrote: > >> * Action 7: some of the BR Compliance bugs relate to CAs which are no > >> longer trusted, like StartCom. If StartCom does become a trusted CA > >> again, it will be with new

Re: Next CA Communication

On 20/03/17 13:07, Peter Bowen wrote: >> E) SHA-1 and S/MIME >> >> Does your CA issue SHA-1 S/MIME certificates? If so, please explain your >> plans for ceasing to do so, and any self-imposed or external deadlines >> you are planning to meet. Mozilla plans to make policy in this area in >> the

Re: Next CA Communication

On 20/03/17 15:33, Kathleen Wilson wrote: >> * Action 7: some of the BR Compliance bugs relate to CAs which are no >> longer trusted, like StartCom. If StartCom does become a trusted CA >> again, it will be with new systems which most likely do not have the >> same bugs. Should we close the

Re: Next CA Communication

On Mon, Mar 20, 2017 at 4:52 PM Rob Stradling wrote: > On 20/03/17 17:07, Peter Bowen via dev-security-policy wrote: > > >> B) Your attention is drawn to the cablint and x509lint tools, which you > >> may wish to incorporate into your certificate issuance pipeline to

Re: Next CA Communication

On Monday, March 20, 2017 at 1:37:32 PM UTC-7, Jeremy Rowley wrote: > Something like: "Does your CA have any third-party Registration Authority > (RA)s program that the CA relies on to perform the domain validation > required under Section 3.2.2.4 of the Baseline Requirements." Updated

RE: Next CA Communication

-policy Sent: Monday, March 20, 2017 2:29 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Next CA Communication On Monday, March 20, 2017 at 10:59:41 AM UTC-7, Peter Bowen wrote: > On Mon, Mar 20, 2017 at 10:43 AM, Jeremy Rowley via > > [JR] This should be limited to SSL

Re: Next CA Communication

On Monday, March 20, 2017 at 10:59:41 AM UTC-7, Peter Bowen wrote: > On Mon, Mar 20, 2017 at 10:43 AM, Jeremy Rowley via > > [JR] This should be limited to SSL certs IMO. With client certs, you're > > going > > to get a lot more RAs that likely function under the standard or legal > > framework

Re: Next CA Communication

On Friday, March 17, 2017 at 9:17:07 AM UTC-7, Peter Bowen wrote: > I would replace this with: > > + Distinguished name and SHA-256 hash of the SubjectPublicKeyInfo of > each certificate issuer covered by the audit scope > + Clear indication of which in-scope certificate issuers are Root CAs >

Re: Next CA Communication

On Mon, Mar 20, 2017 at 10:43 AM, Jeremy Rowley via dev-security-policy wrote: > A) Does your CA have an RA program, whereby non-Affiliates of your company > perform aspects of certificate validation on your behalf under contract? If > so, please tell us

Re: Next CA Communication

On 17/03/17 15:30, Gervase Markham wrote: > The URL for the draft of the next CA Communication is here: > https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2 * Action 1 should say that if in future additional specific

Re: Next CA Communication

On Fri, Mar 17, 2017 at 8:30 AM, Gervase Markham via dev-security-policy wrote: > The URL for the draft of the next CA Communication is here: >

Re: Next CA Communication -- September?

On Tuesday, 23 August 2016 20:03:13 UTC+1, Kathleen Wilson wrote: > Are there any other topics that I should include in this upcoming CA > Communication? Also, I think that the SHA-1 topic should be brought up again. Some CA folks will be tired of reading about this, having managed the issue

Re: Next CA Communication -- September?

On Tuesday, 23 August 2016 20:03:13 UTC+1, Kathleen Wilson wrote: > Are there any other topics that I should include in this upcoming CA > Communication? It can be worth following-up on date-in-time commitments from those CAs in replies to the previous communication this year. Each CA should