Re: Root Store Policy 2.5: Call For Review and Phase-In Periods

2017-07-06 Thread Gervase Markham via dev-security-policy
On 06/07/17 16:31, Doug Beattie wrote:
> Moving to a new CA within 6 months is certainly reasonable, but having
> enterprise customers also replace all certificates so the CA can be revoked
> within 6 months might be a bit short, especially since several of those
> months are over the holidays.

RE: Root Store Policy 2.5: Call For Review and Phase-In Periods

2017-07-06 Thread Doug Beattie via dev-security-policy
Gerv,

Moving to a new CA within 6 months is certainly reasonable, but having enterprise customers also replace all certificates so the CA can be revoked within 6 months might be a bit short, especially since several of those months are over the holidays. Would you consider an approach where the

Re: Root Store Policy 2.5: Call For Review and Phase-In Periods

2017-06-22 Thread Gervase Markham via dev-security-policy
On 21/06/17 16:58, Doug Beattie wrote:
>> It's worth noting that if we had discovered this situation for SSL - that an
>> unconstrained intermediate or uncontrolled power of issuance had been
>> given to a company with no audit - we would be requiring the intermediate
>> be revoked today, and

Re: Root Store Policy 2.5: Call For Review and Phase-In Periods

2017-06-21 Thread Peter Bowen via dev-security-policy
On Wed, Jun 21, 2017 at 7:15 AM, Gervase Markham via dev-security-policy wrote:
> On 21/06/17 13:13, Doug Beattie wrote:
>>> Do they have audits of any sort?
>>
>> There had not been any audit requirements for EKU technically
>> constrained CAs, so no, there

RE: Root Store Policy 2.5: Call For Review and Phase-In Periods

2017-06-21 Thread Doug Beattie via dev-security-policy
> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+doug.beattie=globalsign@lists.mozilla.org] On Behalf Of
> Gervase Markham via dev-security-policy
> Sent: Wednesday, June 21, 2017 4:16 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
>

Re: Root Store Policy 2.5: Call For Review and Phase-In Periods

2017-06-21 Thread Gervase Markham via dev-security-policy
On 21/06/17 13:13, Doug Beattie wrote:
>> Do they have audits of any sort?
>
> There had not been any audit requirements for EKU technically
> constrained CAs, so no, there are no audits.

In your view, having an EKU limiting the intermediate to just SSL or to just email makes it a technically

RE: Root Store Policy 2.5: Call For Review and Phase-In Periods

2017-06-21 Thread Doug Beattie via dev-security-policy
> -Original Message-
> From: Gervase Markham [mailto:g...@mozilla.org]
> Sent: Tuesday, June 20, 2017 9:12 PM
> To: Doug Beattie ; mozilla-dev-security-
> pol...@lists.mozilla.org
> Subject: Re: Root Store Policy 2.5: Call For Review and Phase-In Periods
>
>

Re: Root Store Policy 2.5: Call For Review and Phase-In Periods

2017-06-20 Thread Gervase Markham via dev-security-policy
Hi Doug,

On 20/06/17 16:31, Doug Beattie wrote:
> I'd like to recommend a phase-in of the requirement for technically
> constrained CAs that issue Secure email certificates.

For those following along at home, that is this change: https://github.com/mozilla/pkipolicy/issues/69

RE: Root Store Policy 2.5: Call For Review and Phase-In Periods

2017-06-20 Thread Doug Beattie via dev-security-policy
Hi Gerv,

I'd like to recommend a phase-in of the requirement for technically constrained CAs that issue Secure email certificates. We have 2 customers that can issue Secure Email certificates that are not technically constrained with name constraints (the EKU is constrained to Secure Email and