On 06/07/17 16:31, Doug Beattie wrote:
> Moving to a new CA within 6 months is certainly reasonable, but having
> enterprise customers also replace all certificates so the CA can be revoked
> within 6 months might be a bit short, especially since several of those
> months are over the holidays. W
Behalf Of
> Gervase Markham via dev-security-policy
> Sent: Thursday, June 22, 2017 8:50 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Root Store Policy 2.5: Call For Review and Phase-In Periods
>
> On 21/06/17 16:58, Doug Beattie wrote:
> >> It's wo
On 21/06/17 16:58, Doug Beattie wrote:
>> It's worth noting that if we had discovered this situation for SSL - that an
>> unconstrained intermediate or uncontrolled power of issuance had been
>> given to a company with no audit - we would be requiring the intermediate
>> be revoked today, and proba
On Wed, Jun 21, 2017 at 7:15 AM, Gervase Markham via
dev-security-policy wrote:
> On 21/06/17 13:13, Doug Beattie wrote:
>>> Do they have audits of any sort?
>>
>> There had not been any audit requirements for EKU technically
>> constrained CAs, so no, there are no audits.
>
> In your view, having
@lists.mozilla.org
> Subject: Re: Root Store Policy 2.5: Call For Review and Phase-In Periods
> In your view, having an EKU limiting the intermediate to just SSL or to just
> email makes it a technically constrained CA, and therefore not subject to
> audit under any root program?
The BRs c
On 21/06/17 13:13, Doug Beattie wrote:
>> Do they have audits of any sort?
>
> There had not been any audit requirements for EKU technically
> constrained CAs, so no, there are no audits.
In your view, having an EKU limiting the intermediate to just SSL or to
just email makes it a technically co
> -Original Message-
> From: Gervase Markham [mailto:g...@mozilla.org]
> Sent: Tuesday, June 20, 2017 9:12 PM
> To: Doug Beattie ; mozilla-dev-security-
> pol...@lists.mozilla.org
> Subject: Re: Root Store Policy 2.5: Call For Review and Phase-In Periods
> > We h
Hi Doug,
On 20/06/17 16:31, Doug Beattie wrote:
> I'd like to recommend a phase in of the requirement for technically
> constrained CAs that issue Secure email certificates.
For those following along at home, that is this change:
https://github.com/mozilla/pkipolicy/issues/69
https://github.com/
Hi Gerv,
I'd like to recommend a phase in of the requirement for technically constrained
CAs that issue Secure email certificates.
We have 2 customers that can issue Secure Email certificates that are not
technically constrained with name Constraints (the EKU is constrained to Secure
Email and