It seems to me that requiring the registration of these subordinate CAs bloats
the Salesforce database unnecessarily.
-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+ben=digicert@lists.mozilla.org] On
Behalf Of Rob Stradling
Sent: Wednesday, June
On Tue, Jun 21, 2016 at 12:10 PM, Peter Bowen wrote:
> On Tue, Jun 21, 2016 at 8:26 AM, Rob Stradling
> wrote:
> > Revocation of a "parent intermediate" does not exempt "child
> intermediates"
> > from the disclosure requirement, AFAICT. So I think
On 21/06/16 17:56, Nick Lamb wrote:
On Tuesday, 21 June 2016 17:10:43 UTC+1, Peter Bowen wrote:
If all paths from a trusted root to a given intermediate are revoked
or expired, then I don't think it "directly or transitively chain[s]
to a certificate included in Mozilla’s CA Certificate
On Wed, Jun 22, 2016 at 8:21 AM, Ben Wilson wrote:
> It seems to me that requiring the registration of these subordinate CAs
> bloats the Salesforce database unnecessarily.
We've historically been at a chronic lack of data, rather than a
chronic glut. I think we should
CAs are running OCSP responders up to the root tier. Once a CA is
terminated in a standards-compliant and densely interoperable way from
participating in a trusted discovery path to an embedded root, it should no
longer be in the scope of business of root trust store owners.
On Wed, Jun 22,
I think the vision is that in the long run, OneCRL would be based on
the Salesforce data.
Sent from my iPhone. Please excuse brevity.
> On Jun 22, 2016, at 16:56, Jeremy Rowley wrote:
>
> That's why Mozilla has a policy to disclose all such CAs through OneCRL.
>
I think there are two things getting conflated here:
1) Disclosure of revoked unexpired CA certificates signed by a trusted CA
2) Disclosure of CA certificates signed by CAs that are the subject of #1
Imagine the following hierarchy:
Univercert Root CA (in trust store) --(CA Cert A)-->
On Wed, Jun 22, 2016 at 02:25:37PM -0700, Peter Bowen wrote:
> I think there are two things getting conflated here:
>
> 1) Disclosure of revoked unexpired CA certificates signed by a trusted CA
>
> 2) Disclosure of CA certificates signed by CAs that are the subject of #1
>
> Imagine the
That's why Mozilla has a policy to disclose all such CAs through OneCRL.
Seems like unnecessary information to disclose the CA as part of OneCRL and
as part of the Salesforce program.
-Original Message-
From: dev-security-policy
On Wed, Jun 22, 2016 at 6:11 PM, Kurt Roeckx wrote:
> On Wed, Jun 22, 2016 at 02:25:37PM -0700, Peter Bowen wrote:
> > I think there are two things getting conflated here:
> >
> > 1) Disclosure of revoked unexpired CA certificates signed by a trusted CA
> >
> > 2) Disclosure of
On Wed, Jun 22, 2016 at 11:19 AM, Ryan Sleevi wrote:
> On Wed, Jun 22, 2016 at 8:21 AM, Ben Wilson wrote:
>> It seems to me that requiring the registration of these subordinate CAs
>> bloats the Salesforce database unnecessarily.
>
> We've historically