Re: Policy 2.7 Proposal: Ban "No Stipulation", Blank, and Missing CP/CPS sections

2019-04-16 Thread Wayne Thayer via dev-security-policy
I went ahead and added this change to the 2.7 branch: https://github.com/mozilla/pkipolicy/commit/1e7f4edb97c4497e2e04442797ebc670e9d80b44
I removed the phrase "In addition to existing rules placed on the structure of CPs and CPSes that comply with the CA/Browser Forum Baseline Requirements"

Re: Policy 2.7 Proposal: Require EKUs in End-Entity Certificates

2019-04-16 Thread Wayne Thayer via dev-security-policy
My conclusion from this discussion is that we should not add an explicit requirement for EKUs in end-entity certificates. I've closed the issue. - Wayne On Tue, Apr 16, 2019 at 9:56 AM Ryan Sleevi via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > On Tue, Apr 16, 2019 at

Re: Policy 2.7 Proposal: Incident Reporting Updates

2019-04-16 Thread Wayne Thayer via dev-security-policy
On Fri, Mar 29, 2019 at 11:59 AM Wayne Thayer wrote: > On Thu, Mar 28, 2019 at 5:29 PM Ryan Sleevi wrote: > >> >> On Thu, Mar 28, 2019 at 7:42 PM Wayne Thayer wrote: >> >>> On Thu, Mar 28, 2019 at 4:11 PM Ryan Sleevi wrote: >>> On Thu, Mar 28, 2019 at 6:45 PM Wayne Thayer via

Certinomis Issues

2019-04-16 Thread Wayne Thayer via dev-security-policy
Mozilla has decided that there is sufficient concern [1] about the activities and operations of the CA Certinomis to collect together a list of issues. That list can be found here: https://wiki.mozilla.org/CA/Certinomis_Issues Note that this list may expand or contract over time as issues are

Re: Policy 2.7 Proposal: Require EKUs in End-Entity Certificates

2019-04-16 Thread Ryan Sleevi via dev-security-policy
On Tue, Apr 16, 2019 at 12:41 PM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > On 16/04/2019 08:56, Tadahiko Ito wrote: > > On Tuesday, April 2, 2019 at 9:36:06 AM UTC+9, Brian Smith wrote: > > > >> I agree the requirements are already clear. The problem is

Re: Policy 2.7 Proposal: Require EKUs in End-Entity Certificates

2019-04-16 Thread Jakob Bohm via dev-security-policy
On 16/04/2019 08:56, Tadahiko Ito wrote: On Tuesday, April 2, 2019 at 9:36:06 AM UTC+9, Brian Smith wrote: I agree the requirements are already clear. The problem is not the clarity of the requirements. Anybody can define a new EKU because EKUs are listed in the certificate by OIDs, and

Re: Policy 2.7 Proposal: Require EKUs in End-Entity Certificates

2019-04-16 Thread Tadahiko Ito via dev-security-policy
On Tuesday, April 2, 2019 at 9:36:06 AM UTC+9, Brian Smith wrote: > I agree the requirements are already clear. The problem is not the clarity > of the requirements. Anybody can define a new EKU because EKUs are listed > in the certificate by OIDs, and anybody can make up an EKU. A standard >