Re: Policy 2.7.1: MRSP Issue #186: Requirement to Disclose Self-signed Certificates

Jakob, On Thu, Nov 12, 2020 at 10:39 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > How would that phrasing cover doppelgangers of intermediary SubCAs under > an included root CA? > > > To clarify, the title of section 5.3 is "Intermediate

Re: TLS certificates for ECIES keys

Sorry! It looks like the attachments didn't come through. Here's each chain: Prio Statistics Facilitator_ XX.chain.pem -BEGIN CERTIFICATE- MIIDmTCCAz+gAwIBAgIQVUMIP1vPOWm3Rozjmb8qYzAKBggqhkjOPQQDAjBZMTUw MwYDVQQDDCxUZXN0IEFwcGxlIEFwcGxpY2F0aW9uIEludGVncmF0aW9uIENBIDYg

Re: Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

On 2020-11-12 8:38 μ.μ., Ben Wilson wrote: On Thu, Nov 12, 2020 at 2:57 AM Dimitris Zacharopoulos mailto:ji...@it.auth.gr>> wrote: I believe this information should be the "minimum" accepted methods of proving that a Private Key is compromised. We should allow CAs to

Re: Policy 2.7.1: MRSP Issue #186: Requirement to Disclose Self-signed Certificates

On 2020-11-12 05:15, Ben Wilson wrote: Here is an attempt to address the comments received thus far. In Github, here is a markup: https://github.com/BenWilson-Mozilla/pkipolicy/commit/ee19ee89c6101c3a6943956b91574826e34c4932 This sentence would be deleted: "These requirements include all

Re: MRSP Issue #147 - Require EV audits for certificates capable of issuing EV certificates

On Thu, Nov 12, 2020 at 2:03 AM Dimitris Zacharopoulos via dev-security-policy wrote: > I see that this is related to > https://github.com/mozilla/pkipolicy/issues/152, so I guess Mozilla > Firefox does not enable "EV Treatment" if an Intermediate CA Certificate > does not assert the anyPolicy

Re: Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

On Thu, Nov 12, 2020 at 2:57 AM Dimitris Zacharopoulos wrote: > > I believe this information should be the "minimum" accepted methods of > proving that a Private Key is compromised. We should allow CAs to accept > other methods without the need to first update their CP/CPS. Do people > think

Re: Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

On Thu, Nov 12, 2020 at 1:39 PM Ben Wilson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Thu, Nov 12, 2020 at 2:57 AM Dimitris Zacharopoulos > wrote: > > > > > I believe this information should be the "minimum" accepted methods of > > proving that a Private Key is

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

PS: In the meantime, we will continue to verify auditor qualifications as described here: https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications On 11/12/20 4:27 PM, Kathleen Wilson wrote: > It is proposed in Issue #192 > that

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

> It is proposed in Issue #192 > that information about > individual auditor's qualifications be provided--identity, competence, > experience and independence. (For those interested as to this independence > requirement, Mozilla Policy v.1.0

Re: Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

On Thu, 12 Nov 2020 15:51:55 -0500 Ryan Sleevi via dev-security-policy wrote: > I would say the first goal is transparency, and I think that both > proposals try to accomplish that baseline level of providing some > transparency. Where I think it's different is that the concern > Dimitris raised

Re: Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

On 12/11/2020 10:51 μ.μ., Ryan Sleevi via dev-security-policy wrote: On Thu, Nov 12, 2020 at 1:39 PM Ben Wilson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On Thu, Nov 12, 2020 at 2:57 AM Dimitris Zacharopoulos wrote: I believe this information should be the

Re: MRSP Issue #147 - Require EV audits for certificates capable of issuing EV certificates

On 6/10/2020 11:38 μ.μ., Ben Wilson via dev-security-policy wrote: #147 - Require EV audits for certificates capable of issuing EV certificates – Clarify that EV audits are required for all intermediate certificates that are technically capable

Re: MRSP Issue #147 - Require EV audits for certificates capable of issuing EV certificates

On 12/11/2020 10:41 π.μ., Dimitris Zacharopoulos via dev-security-policy wrote: Finally, I would like to highlight that policy OID chaining is not currently supported in the webPKI by Browsers, so even if a CA adds a particular non-EV policyOID in an Intermediate CA Certificate, this SubCA

Re: Policy 2.7.1:MRSP Issue #205: Require CAs to publish accepted methods for proving key compromise

On 5/11/2020 10:33 μ.μ., Ben Wilson via dev-security-policy wrote: This email begins discussion of a potential change to section 6 of the Mozilla Root Store Policy . The method by which a person

Re: TLS certificates for ECIES keys

Hi, all, Thank you for your feedback on this project. In order to address your comments, we have adjusted our design and implementation so that publicly-trusted certificates are no longer used and have modified our use of Certificate Transparency. All certificates for encrypting data for Prio