On Thu, Oct 03, 2019 at 05:36:50PM -0700, Ronald Crane via dev-security-policy
wrote:
>
> On 10/3/2019 2:09 PM, Ryan Sleevi via dev-security-policy wrote:
> > [snip]
> > > I guess I wasn't specific enough. I am looking for a good study that
> > > supports the proposition that the Internet

I've gone ahead and moved [4] to the "Recommended Practices" section.
The ballot to modify the BRs is now in the formal discussion period leading
up to a vote [5].
I'll be resolving the existing compliance bugs on this issue as INVALID.
I'd like to thank the CAs that proactively submitted

Hey Wayne,
I think there might be confusion on how the notification is supposed to happen.
Is notification through CCADB sufficient? We've uploaded all of the Sub CAs to
CCADB including the technically constrained ICAs. Each one that is
hosted/operated by itself is marked that way using the

On 10/3/2019 2:09 PM, Ryan Sleevi via dev-security-policy wrote:
[snip]
I guess I wasn't specific enough. I am looking for a good study that
supports the proposition that the Internet community has (1) made a
concerted effort to ensure that there is only one authentic domain per
entity (or, at

On 10/2/2019 9:44 PM, Peter Gutmann via dev-security-policy wrote:
Ronald Crane via dev-security-policy
writes:
Please cite the best study you know about on this topic (BTW, I am *not* snidely
implying that there isn't one).
Sure, gimme a day or two since I'm away at the moment.

I'd like to revisit this topic because I see it as a significant change and
am surprised that it didn't generate any discussion.
Taking a step back, a change [1] to notification requirements was made last
year to require CAs that are signing unconstrained subordinate CAs
(including cross-certs)

On Thu, Oct 3, 2019 at 3:45 PM Ronald Crane via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On 10/2/2019 9:44 PM, Peter Gutmann via dev-security-policy wrote:
> > Ronald Crane via dev-security-policy <
> dev-security-policy@lists.mozilla.org> writes:
> >
> >> Please cite

Adding to Jeremy's post, I believe we need to also define a normative
requirement to mark an unconstrained Intermediate CA Certificate not
operated by the entity that controls the Root Key.
Section 7.1.6.3 of the Baseline Requirements requires an explicit policy
identifier for these subCAs. The
8 matches