Re: Technically Constrained Sub-CAs

2016-11-18 Thread Brian Smith
Gervase Markham wrote:
> RFC 6962bis (the new CT RFC) allows certs below technically-constrained sub-CAs (TCSCs) to be exempt from CT. This is to allow name privacy.
> TCSCs themselves are also currently exempt from disclosure to Mozilla in the Common CA Database.
>
> If

Re: Technically Constrained Sub-CAs

2016-11-18 Thread Brian Smith
Gervase Markham wrote:
> On 18/11/16 01:43, Brian Smith wrote:
>> The fundamental problem is that web browsers accept certificates with validity periods that are years long. If you want to have the agility to fix things with an N month turnaround, reject certificates

Re: Technically Constrained Sub-CAs

2016-11-18 Thread Gervase Markham
On 18/11/16 14:28, Jeremy Rowley wrote:
> So much has changed since the last time we discussed shorter validity periods at CAB forum that it'd be worth bringing up again. I think the vocal minority opposed the change last time and they may have switched positions by now.

I like your

Re: Upcoming removals report

2016-11-18 Thread Kathleen Wilson
On Monday, November 14, 2016 at 10:00:31 AM UTC-8, Peter Bowen wrote:
> Is there a CSV version of the upcoming root removals report?
> https://mozillacaprogram.secure.force.com/CA/UpcomingRootRemovalsReport
>
> Thanks,
> Peter

https://wiki.mozilla.org/CA:RemovedCAcerts has these links: Upcoming

Re: Technically Constrained Sub-CAs

2016-11-18 Thread Jeremy Rowley
So much has changed since the last time we discussed shorter validity periods at CAB forum that it'd be worth bringing up again. I think the vocal minority opposed the change last time and they may have switched positions by now.

> On Nov 18, 2016, at 7:12 AM, Gervase Markham

Re: Technically Constrained Sub-CAs

2016-11-18 Thread Gervase Markham
On 18/11/16 01:43, Brian Smith wrote:
> The fundamental problem is that web browsers accept certificates with validity periods that are years long. If you want to have the agility to fix things with an N month turnaround, reject certificates that are valid for more than N months. That's all

Re: Technically Constrained Sub-CAs

2016-11-18 Thread Gervase Markham
On 18/11/16 00:28, Andrew Ayer wrote:
> I see the appeal of this. However, I'm concerned that allowing leniency with name-constrained TCSCs will make it hard for Mozilla to make security improvements to its certificate validation in the future. Improvements like rejecting SHA-1, 1024-bit

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-11-18 Thread Gervase Markham
On 18/11/16 11:38, wangsn1...@gmail.com wrote:
> GDCA takes security and governance seriously and we have a strict control for Chinese version CP/CPS, all the contents are disclosed.
> And the Chinese versions for CPS 4.1, 4.2, 4.3 are published on the official website, so we cannot cover-up

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-11-18 Thread wangsn1206
On Thursday, November 17, 2016 at 7:20:05 PM UTC+8, Gervase Markham wrote:
> Hi Kathleen,
>
> On 15/11/16 00:51, Kathleen Wilson wrote:
>> There were some recommendations to deny this request due to the versioning problems between the English documents and the original documents.
>>
>> Do you all still feel