RE: Intermediate certificate disclosure deadline in 2 weeks

2016-06-22 Thread Ben Wilson
It seems to me that requiring the registration of these subordinate CAs bloats the Salesforce database unnecessarily. -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+ben=digicert@lists.mozilla.org] On Behalf Of Rob Stradling Sent: Wednesday, June

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-22 Thread Eric Mill
On Tue, Jun 21, 2016 at 12:10 PM, Peter Bowen wrote: > On Tue, Jun 21, 2016 at 8:26 AM, Rob Stradling > wrote: > > Revocation of a "parent intermediate" does not exempt "child > intermediates" > > from the disclosure requirement, AFAICT. So I think

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-22 Thread Rob Stradling
On 21/06/16 17:56, Nick Lamb wrote: On Tuesday, 21 June 2016 17:10:43 UTC+1, Peter Bowen wrote: If all paths from a trusted root to a given intermediate are revoked or expired, then I don't think it "directly or transitively chain[s] to a certificate included in Mozilla’s CA Certificate

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-22 Thread Ryan Sleevi
On Wed, Jun 22, 2016 at 8:21 AM, Ben Wilson wrote: > It seems to me that requiring the registration of these subordinate CAs > bloats the Salesforce database unnecessarily. We've historically been at a chronic lack of data, rather than a chronic glut. I think we should

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-22 Thread Steve
CAs are running OCSP responders up to the root tier. Once a CA is terminated in a standards-compliant and densely interoperable way from participating in a trusted discovery path to an embedded root, it should no longer be in the scope of business of root trust store owners. On Wed, Jun 22,

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-22 Thread Richard Barnes
I think the vision is that in the long run, OneCRL would be based on the Salesforce data. > On Jun 22, 2016, at 16:56, Jeremy Rowley wrote: > > That's why Mozilla has a policy to disclose all such CAs through OneCRL. >

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-22 Thread Peter Bowen
I think there are two things getting conflated here: 1) Disclosure of revoked unexpired CA certificates signed by a trusted CA 2) Disclosure of CA certificates signed by CAs that are the subject of #1 Imagine the following hierarchy: Univercert Root CA (in trust store) --(CA Cert A)-->

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-22 Thread Kurt Roeckx
On Wed, Jun 22, 2016 at 02:25:37PM -0700, Peter Bowen wrote: > I think there are two things getting conflated here: > > 1) Disclosure of revoked unexpired CA certificates signed by a trusted CA > > 2) Disclosure of CA certificates signed by CAs that are the subject of #1 > > Imagine the

RE: Intermediate certificate disclosure deadline in 2 weeks

2016-06-22 Thread Jeremy Rowley
That's why Mozilla has a policy to disclose all such CAs through OneCRL. Seems like unnecessary information to disclose the CA as part of OneCRL and as part of the Salesforce program. -Original Message- From: dev-security-policy

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-22 Thread Eric Mill
On Wed, Jun 22, 2016 at 6:11 PM, Kurt Roeckx wrote: > On Wed, Jun 22, 2016 at 02:25:37PM -0700, Peter Bowen wrote: > > I think there are two things getting conflated here: > > > > 1) Disclosure of revoked unexpired CA certificates signed by a trusted CA > > > > 2) Disclosure of

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-22 Thread Peter Bowen
On Wed, Jun 22, 2016 at 11:19 AM, Ryan Sleevi wrote: > On Wed, Jun 22, 2016 at 8:21 AM, Ben Wilson wrote: >> It seems to me that requiring the registration of these subordinate CAs >> bloats the Salesforce database unnecessarily. > > We've historically