Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-11-17 Thread Gervase Markham
Hi Kathleen, On 15/11/16 00:51, Kathleen Wilson wrote: > There were some recommendations to deny this request due to the > versioning problems between the English documents and the original > documents. > > Do you all still feel that is the proper answer to this root > inclusion request? As I

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-11-17 Thread Han Yuwei
On Wednesday, November 16, 2016 at 3:59:12 PM UTC+8, wangs...@gmail.com wrote: > On Wednesday, November 16, 2016 at 1:11:05 AM UTC+8, Han Yuwei wrote: > > On Tuesday, November 15, 2016 at 7:03:07 PM UTC+8, wangs...@gmail.com wrote: > > > On Tuesday, November 15, 2016 at 8:51:25 AM UTC+8, Kathleen Wilson wrote: > > > > On Friday, October 28, 2016 at 7:29:56 AM UTC-7, wangs...@gmail.com > > >

Re: Include Symantec-brand Class 1 and Class 2 Root Certs

2016-11-17 Thread Tarah Wheeler
Thanks, Jakob; I'll try and replicate that to check. Tarah Wheeler Principal Security Advocate Senior Director of Engineering, Website Security Symantec ta...@symantec.com > On Nov 17, 2016, at 2:13 AM, "dev-security-policy-requ...@lists.mozilla.org" >

Re: Technically Constrained Sub-CAs

2016-11-17 Thread Brian Smith
On Mon, Nov 14, 2016 at 6:39 PM, Ryan Sleevi wrote: > As Andrew Ayer points out, currently, CAs are required to ensure TCSCs > comply with the BRs. Non-compliance is misissuance. Does Mozilla share > that view? And is Mozilla willing to surrender the ability to detect >

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-11-17 Thread Jakob Bohm
On 17/11/2016 12:19, Gervase Markham wrote: Hi Kathleen, On 15/11/16 00:51, Kathleen Wilson wrote: There were some recommendations to deny this request due to the versioning problems between the English documents and the original documents. Do you all still feel that is the proper answer to

Re: Technically Constrained Sub-CAs

2016-11-17 Thread Jakob Bohm
On 17/11/2016 01:14, Matt Palmer wrote: On Wed, Nov 16, 2016 at 04:35:18PM +0100, Jakob Bohm wrote: Redacted CT records that tell the world that "there is this single certificate with this full TBS hash and these technical extensions issued to some name domain/e-mail under example.com, but it

Re: Technically Constrained Sub-CAs

2016-11-17 Thread Nick Lamb
On Thursday, 17 November 2016 19:28:54 UTC, Brian Smith wrote: > Let's say I screw up something and accidentally issue a certificate from my > sub-CA for google.com or addons.mozilla.org. Because of the name > constraints, this is a non-issue and shouldn't result in any sanctions on > the

Re: Technically Constrained Sub-CAs

2016-11-17 Thread Brian Smith
Ryan Sleevi wrote: > On Thu, Nov 17, 2016 at 3:12 PM, Nick Lamb wrote: > > There's a recurring pattern in most of the examples. A technical > counter-measure would be possible, therefore you suppose it's OK to > screw-up and the counter-measure saves us. I

Re: Technically Constrained Sub-CAs

2016-11-17 Thread Matt Palmer
On Thu, Nov 17, 2016 at 04:55:37PM -0800, Peter Bowen wrote: > On Thu, Nov 17, 2016 at 4:38 PM, Matt Palmer wrote: > >> (Note: Key pinning isn't the only advantage to being able to freely operate > >> your own intermediate CA.) > > > > I don't see how freely operating your

Re: Technically Constrained Sub-CAs

2016-11-17 Thread Andrew Ayer
On Thu, 17 Nov 2016 09:28:43 -1000 Brian Smith wrote: > On Mon, Nov 14, 2016 at 6:39 PM, Ryan Sleevi wrote: > > > As Andrew Ayer points out, currently, CAs are required to ensure > > TCSCs comply with the BRs. Non-compliance is misissuance. Does > >

Re: Technically Constrained Sub-CAs

2016-11-17 Thread Brian Smith
Nick Lamb wrote: > There's a recurring pattern in most of the examples. A technical > counter-measure would be possible, therefore you suppose it's OK to > screw-up and the counter-measure saves us. Right. > I believe this is the wrong attitude. These counter-measures

Re: Technically Constrained Sub-CAs

2016-11-17 Thread Matt Palmer
On Thu, Nov 17, 2016 at 02:10:58PM -1000, Brian Smith wrote: > Nick Lamb wrote: > > There's a recurring pattern in most of the examples. A technical > > counter-measure would be possible, therefore you suppose it's OK to > > screw-up and the counter-measure saves us. > >

Re: Technically Constrained Sub-CAs

2016-11-17 Thread Ryan Sleevi
On Thu, Nov 17, 2016 at 3:12 PM, Nick Lamb wrote: > There's a recurring pattern in most of the examples. A technical > counter-measure would be possible, therefore you suppose it's OK to screw-up > and the counter-measure saves us. I believe this is the wrong attitude.

Re: Technically Constrained Sub-CAs

2016-11-17 Thread Jakob Bohm
On 18/11/2016 06:23, Brian Smith wrote: Andrew Ayer wrote: The N month turnaround is only a reality if operators of TCSCs start issuing certificates that comply with the new rules as soon as the new rules are announced. How do you ensure that this happens? Imagine

Re: Technically Constrained Sub-CAs

2016-11-17 Thread Brian Smith
Andrew Ayer wrote: > The N month turnaround is only a reality if operators of TCSCs start > issuing certificates that comply with the new rules as soon as the new > rules are announced. How do you ensure that this happens? > Imagine that the TCSCs are also required to