On 6/17/15 12:05 PM, Kathleen Wilson wrote:
Therefore, the result of this discussion is as follows:
==
CNNIC may re-apply for full inclusion following the normal process,
after they have completed the following additional steps.
1. Provide a list of changes CNNIC has implemented to ensure that
On 5/22/15 2:15 PM, Kathleen Wilson wrote:
On 4/7/15 5:31 PM, Richard Barnes wrote:
As noted in our earlier conclusion with regard to CNNIC's status [1], the
CNNIC roots are currently in a partially disabled state, in which
certificates chaining to these roots are only to be accepted if they
On 30/05/15 20:20, Brian Smith wrote:
By the way, what is Firefox's market share in China and other places that
commonly use CNNIC-issued certificates? My understanding is that it is
close to 0%. That's why it was relatively easy to remove them in the first
place. It also means that there's no
On 28/05/15 23:07, Richard Barnes wrote:
I agree that if CNNIC is to reapply, it should be with a new root. It
creates a clean break between the past and the future. It clarifies that
the new audits that are required apply to the new thing, and that the old
thing is dead. It's marginally
On 28/05/15 00:32, Peter Kurrasch wrote:
I think this is the crux of the problem: how do we want to treat all
the existing certs which chain to this root?
That's not the only problem. Requiring CNNIC to apply with a new root
would also require them to go through the inclusion process again in
On Tue, May 26, 2015 at 5:50 AM, Gervase Markham g...@mozilla.org wrote:
On 24/05/15 06:19, percyal...@gmail.com wrote:
This is Percy from GreatFire.org. We have long advocated for the
revoking of CNNIC.
On Wed, May 27, 2015 at 4:32 PM, Peter Kurrasch fhw...@gmail.com wrote:
I see this question (new root cert/private key or continue with the
existing one) as being less about security and more about what got us here
in the first place.
From Ryan's reply:
1) Certificates that violate policy
On Tue, May 26, 2015 10:56 pm, Matt Palmer wrote:
On Tue, May 26, 2015 at 02:26:33PM -0700, Kathleen Wilson wrote:
But this raises the question of whether their re-application can be for the
same (currently-included) root certificates, or if it has to be for a new
root certificate. In
On 26/05/15 22:26, Kathleen Wilson wrote:
But this raises the question of whether their re-application can be for
the same (currently-included) root certificates, or if it has to be for
a new root certificate. In other words, should we consider taking the
stance that we will require a new root
Gerv,
I saw the previous thread on name constraints on possibly all gov CAs. But I have
to point out that state hackers routinely use legit software vendors to sign
malware. Stating that I'm not a CA expert, CT sounds much more effective and
less subjective than constraining government CAs
On Tue, May 26, 2015 at 02:26:33PM -0700, Kathleen Wilson wrote:
But this raises the question of whether their re-application can be for the
same (currently-included) root certificates, or if it has to be for a new
root certificate. In other words, should we consider taking the stance that
we
On 5/22/15 4:24 PM, Ryan Sleevi wrote:
Nothing is said in the current policy for the population of existing certs
- whether or not they comply either to the BRs or to the CA's existing
policies.
This is somewhat obliquely discussed at
Hi Percy,
On 24/05/15 06:19, percyal...@gmail.com wrote:
This is Percy from GreatFire.org. We have long advocated for the
revoking of CNNIC.
https://www.google.com/webhp?sourceid=chrome-instantion=1espv=2ie=UTF-8#q=site%3Agreatfire.org%20cnnic
If CNNIC were to be re-included, CT MUST be
On Fri, May 22, 2015 at 7:24 PM, Ryan Sleevi
ryan-mozdevsecpol...@sleevi.com wrote:
On Fri, May 22, 2015 3:11 pm, Eric Mill wrote:
On Fri, May 22, 2015 at 5:15 PM, Kathleen Wilson kwil...@mozilla.com
wrote:
On 4/7/15 5:31 PM, Richard Barnes wrote:
5. April 1, 2016 is the
Sent from my iPhone. Please excuse brevity.
On May 23, 2015, at 02:22, Eric Mill e...@konklone.com wrote:
On Fri, May 22, 2015 at 7:24 PM, Ryan Sleevi
ryan-mozdevsecpol...@sleevi.com wrote:
On Fri, May 22, 2015 3:11 pm, Eric Mill wrote:
On Fri, May 22, 2015 at 5:15 PM, Kathleen Wilson
On Fri, May 22, 2015 at 5:15 PM, Kathleen Wilson kwil...@mozilla.com
wrote:
On 4/7/15 5:31 PM, Richard Barnes wrote:
5. April 1, 2016 is the earliest date at which CNNIC may apply for full
inclusion, so SSL certificates issued after Apr 1 2015 for new domains will
be recognized.
Do you
On 4/7/15 5:31 PM, Richard Barnes wrote:
As noted in our earlier conclusion with regard to CNNIC's status [1], the
CNNIC roots are currently in a partially disabled state, in which
certificates chaining to these roots are only to be accepted if they were
issued before 1 Apr 2015. CNNIC may
CT is an accountability control, not an access control
We need both
Sent from my difference engine
On Apr 14, 2015, at 18:05, Matt Palmer mpal...@hezmatt.org wrote:
On Tue, Apr 14, 2015 at 01:38:55PM +0200, Kurt Roeckx wrote:
On 2015-04-14 01:15, Peter Kurrasch wrote:
Let's use an
On Tue, Apr 14, 2015 at 8:09 AM, Kurt Roeckx k...@roeckx.be wrote:
On 2015-04-14 13:54, Rob Stradling wrote:
On 14/04/15 12:38, Kurt Roeckx wrote:
On 2015-04-14 01:15, Peter Kurrasch wrote:
Let's use an example. Suppose CNNIC issues a cert for
whitehouse[dot]gov and let's further suppose
On 14/04/15 12:38, Kurt Roeckx wrote:
On 2015-04-14 01:15, Peter Kurrasch wrote:
Let's use an example. Suppose CNNIC issues a cert for
whitehouse[dot]gov and let's further suppose that CNNIC includes this
cert in the CT data since they have agreed to do that. What happens next?
What I've been
On 2015-04-14 13:54, Rob Stradling wrote:
On 14/04/15 12:38, Kurt Roeckx wrote:
On 2015-04-14 01:15, Peter Kurrasch wrote:
Let's use an example. Suppose CNNIC issues a cert for
whitehouse[dot]gov and let's further suppose that CNNIC includes this
cert in the CT data since they have agreed to
On 14/04/15 13:09, Kurt Roeckx wrote:
On 2015-04-14 13:54, Rob Stradling wrote:
On 14/04/15 12:38, Kurt Roeckx wrote:
On 2015-04-14 01:15, Peter Kurrasch wrote:
Let's use an example. Suppose CNNIC issues a cert for
whitehouse[dot]gov and let's further suppose that CNNIC includes this
cert in
On Tue, Apr 14, 2015 at 01:38:55PM +0200, Kurt Roeckx wrote:
On 2015-04-14 01:15, Peter Kurrasch wrote:
Let's use an example. Suppose CNNIC issues a cert for whitehouse[dot]gov and
let's further suppose that CNNIC includes this cert in the CT data since
they have agreed to do that. What
On 14/04/15 00:15, Peter Kurrasch wrote:
Let's use an example. Suppose CNNIC issues a cert for
whitehouse[dot]gov
presumably without permission ;-)...
and let's further suppose that CNNIC includes this
cert in the CT data since they have agreed to do that. What happens
next?
If no-one
On 14/04/15 01:19, Matt Palmer wrote:
I'm not a fan of browser-imposed name constraints on CAs, at a philosophical
level. An important principle of the Mozilla root program, IMO, is that it
works for the public good (insofar as the public is represented by users
of Mozilla products). A name
On 11/04/15 01:05, Brian Smith wrote:
If a US-based CA were in a similar situation, would we consider name
constraining them to *.com, *.org, *.net, *.us?
If it were a US government CA, we could certainly constrain to .gov and
.mil.
No, because that's not much of a constraint. For people
On Mon, Apr 13, 2015 at 06:15:52PM -0500, Peter Kurrasch wrote:
Let's use an example. Suppose CNNIC issues a cert for whitehouse[dot]gov
and let's further suppose that CNNIC includes this cert in the CT data
since they have agreed to do that. What happens next?
Where I'm going with this is
To: Brian Smith; Richard Barnes; mozilla-dev-security-pol...@lists.mozilla.org
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Requirements for CNNIC re-application
On 11/04/15 01:05, Brian Smith wrote:
If a US-based CA were in a similar situation, would we consider name
constraining them
On Mon, Apr 13, 2015 at 8:19 PM, Matt Palmer mpal...@hezmatt.org wrote:
To my mind, if a CA isn't trustworthy enough to be trusted to issue
certificates for every site on the Internet, they shouldn't be trusted to
issue certificates for *any* site on the Internet. In the case of the
proposed
Richard Barnes rbar...@mozilla.com wrote:
My argument is that if we think that CNNIC is likely to cause such
mis-issuance to occur because it runs the registry for those TLDs,
then there should be additional controls in place so that control over
those registries won't result in misissuance.
On Tue, April 7, 2015 5:31 pm, Richard Barnes wrote:
E. Require a certain amount of time to pass before CNNIC's re-inclusion
request will be considered.
I think this remains to be determined in relation to how Mozilla
implements their stated policy of a date-based check - e.g. whether this
is
31 matches