Re: Include Symantec-brand Class 1 and Class 2 Root Certs

2016-11-21 Thread Kathleen Wilson
On Tuesday, November 15, 2016 at 3:58:26 PM UTC-8, Kathleen Wilson wrote:
> If there are no objections or concerns about this request, then I will
> recommend approval in the bug.

Thanks to those of you who reviewed and commented on this request from Symantec to include their Symantec-brand

Re: SHA-1 Phase-out

2016-11-21 Thread Myers, Kenneth (10421)
Hi Gerv,

I've been trying to stay on top of the SHA-1 phase-out discussion but lost track. Where did it leave off? I think I saw something of doing a ban at the browser level to not trust the SHA-1 algorithm. Is this possible?

Kenneth Myers
Manager
+1.571.366.6120
+1.703.299.3046 fax

Re: Technically Constrained Sub-CAs

2016-11-21 Thread Ryan Sleevi
On Mon, Nov 21, 2016 at 11:51 AM, Brian Smith wrote:
> Nobody said anything about blocking 6962-bis. Removing that one section is a
> smaller change in terms than the change Google made to the document just
> last week, as far as the practical considerations are concerned.

Re: Technically Constrained Sub-CAs

2016-11-21 Thread Brian Smith
Ryan Sleevi wrote:
> On Mon, Nov 21, 2016 at 11:01 AM, Brian Smith
> wrote:
> > Absolutely we should be encouraging them to proliferate. Every site that
> > is
> > doing anything moderately complex and/or that wants to use key pinning
> > should be using

Re: Technically Constrained Sub-CAs

2016-11-21 Thread Ryan Sleevi
On Mon, Nov 21, 2016 at 11:01 AM, Brian Smith wrote:
> Absolutely we should be encouraging them to proliferate. Every site that is
> doing anything moderately complex and/or that wants to use key pinning
> should be using them.

I do hope you can expand upon the former as to

Re: Technically Constrained Sub-CAs

2016-11-21 Thread Brian Smith
Gervase Markham wrote:
> On 18/11/16 19:13, Brian Smith wrote:
> > Regardless, the main point of that message of mine was left out: You
> > could
> > limit, in policy and in code, the acceptable lifetime of name-constrained
> > externally-operated sub-CAs
>
> Presumably the

Mozilla CT Policy: discussion location

2016-11-21 Thread Gervase Markham
mozilla.dev.security.policy has become the /de facto/ place for discussion of root program policy relating to the Web PKI, not just for Mozilla, because people want to take advantage of the expertise of the members here. Mozilla is very happy to host these wider discussions, in the name of making the

Re: Technically Constrained Sub-CAs

2016-11-21 Thread Rob Stradling
On 18/11/16 20:21, Brian Smith wrote: I think there might be ways to fix the name-constrained sub-CA stuff for RFC 6962-bis, but those kinds of improvements are unlikely to happen in RFC 6962-bis itself, it seems. They will have to happen in an update to RFC 6962-bis. I also disagree with

Re: Technically Constrained Sub-CAs

2016-11-21 Thread Gervase Markham
Hi Brian,

On 18/11/16 19:13, Brian Smith wrote:
> Regardless, the main point of that message of mine was left out: You could
> limit, in policy and in code, the acceptable lifetime of name-constrained
> externally-operated sub-CAs

Presumably the "externally-operated" part would need to be