Re: Audit requirements

2016-09-29 Thread Erwann Abalea
Bonjour, Le jeudi 29 septembre 2016 11:45:39 UTC+2, Varga Viktor a écrit : > Dear Peter, > > I am deeply in ETSI process, so I can give info some info: > > Formerly the ETSIs are based on > > *102042 for CAs > *101456 for CAs issuing qualified certificates (refernces frequently

WoSign and StartCom: next steps

2016-09-29 Thread Gervase Markham
Hi everyone, Following the publication of the recent investigative report, representatives of Qihoo 360 and StartCom have requested a face-to-face meeting with Mozilla. We have accepted, and that meeting will take place next Tuesday in London. After that, we expect to see a public response and

New Roots? (was: WoSign and StartCom)

2016-09-29 Thread Peter Kurrasch
I think we're well past the point where a "do-over" can be considered a reasonable remedy. The problem is not simply one in which certs were issued improperly nor is it simply one in which ‎there were mistakes in the CA infrastructure. Such problems, I think, could fall under a category where

Re: WoSign and StartCom: next steps

2016-09-29 Thread Han Yuwei
在 2016年9月29日星期四 UTC+8下午11:41:12,Gervase Markham写道: > Hi everyone, > > Following the publication of the recent investigative report, > representatives of Qihoo 360 and StartCom have requested a face-to-face > meeting with Mozilla. We have accepted, and that meeting will take place > next Tuesday

Re: Cerificate Concern about Cloudflare's DNS

2016-09-29 Thread Florian Weimer
* Patrick Figel: > On 17/09/16 16:38, Florian Weimer wrote: >> * Peter Bowen: >> >>> On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei >>> wrote: So when I delegated the DNS service to Cloudflare, Cloudflare have the privilege to issue the certificate by default? Can

RE: Audit requirements

2016-09-29 Thread Varga Viktor
Dear Peter, I am deeply in ETSI process, so I can give info some info: Formerly the ETSIs are based on *102042 for CAs *101456 for CAs issuing qualified certificates (refernces frequently the 102042) o BRG and EV is referenced from them for SSL and EV SSL certificate

Re: WoSign and StartCom: next steps

2016-09-29 Thread Percy
On Thursday, September 29, 2016 at 10:12:37 AM UTC-7, Han Yuwei wrote: > 在 2016年9月29日星期四 UTC+8下午11:41:12,Gervase Markham写道: > > Hi everyone, > > > > Following the publication of the recent investigative report, > > representatives of Qihoo 360 and StartCom have requested a face-to-face > >

Re: WoSign and StartCom: next steps

2016-09-29 Thread Peter Kurrasch
So if WoSign will not be present to discuss possible sanctions against WoSign, what are we to infer from that? Is Qihoo 360 acting in a capacity that is more than just an investor in WoSign?  I'm trying not to get too far ahead of things, but this seems to be a very curious turn of events.  

Re: WoSign and StartCom: next steps

2016-09-29 Thread Vincent Lynch
Hi Peter, If you look in the original thread on M.S.D.P you will see that Qihoo made a statement that they owned a majority share in WoSign. Im sure that Mozilla has ensured Qihoo has the proper authority and permission to speak on behalf of WoSign. -Vincent On Thu, Sep 29, 2016 at 10:03 PM,

Re: WoSign and StartCom: next steps

2016-09-29 Thread 谭晓生
So far 360 is just an investor of Wosign, but we think we need to do something because of what happened. I’d like to have suggestions from Gev to see if Richard Wang to join the meeting is a better proposal. Thanks, Xiaosheng Tan 在 16/9/30 上午10:03,“dev-security-policy 代表 Peter