Re: Policy 2.7 Proposal: Exclude Policy Certification Authorities from EKU Requirement

2019-05-08 Thread Jakob Bohm via dev-security-policy
On 08/05/2019 16:05, Ryan Sleevi wrote: > On Wed, May 8, 2019 at 6:42 AM Fotis Loukos wrote: > >> ... > ... > >> The scheme I'm proposing is the following: >> >> Org CA (serverAuth, emailProtection, and possibly others such as >> clientAuth) >>\- Org SSL CA (serverAuth and possibly

Re: Certinomis Issues

2019-05-08 Thread Ryan Sleevi via dev-security-policy
On Tue, May 7, 2019 at 7:48 PM Wayne Thayer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > To continue to participate in the Mozilla CA program, I recommend that we > require Certinomis to create a new hierarchy and demonstrate their ability > to competently operate

Re: Policy 2.7 Proposal: Exclude Policy Certification Authorities from EKU Requirement

2019-05-08 Thread Ryan Sleevi via dev-security-policy
On Wed, May 8, 2019 at 6:42 AM Fotis Loukos wrote: > I agree with you that technically verifiable controls are always better > than procedural controls, however we are already relying on procedural > controls for many of the requirements, such as CAA. In addition, this > specific change can be

Re: Policy 2.7 Proposal: Exclude Policy Certification Authorities from EKU Requirement

2019-05-08 Thread Fotis Loukos via dev-security-policy
On 2/5/19 4:36 PM, Ryan Sleevi via dev-security-policy wrote: > On Thu, May 2, 2019 at 9:14 AM Fotis Loukos wrote: > >> The PCA (I am calling it PCA even if it does not follow all the design >> and architecture of RFC5288 PCAs for simplicity's sake) has the >> technical ability to issue both