Sorry! It looks like the attachments didn't come through. Here's each chain:
Prio Statistics Facilitator_ XX.chain.pem
-BEGIN CERTIFICATE-
MIIDmTCCAz+gAwIBAgIQVUMIP1vPOWm3Rozjmb8qYzAKBggqhkjOPQQDAjBZMTUw
MwYDVQQDDCxUZXN0IEFwcGxlIEFwcGxpY2F0aW9uIEludGVncmF0aW9uIENBIDYg
Hi, all,
Thank you for your feedback on this project. In order to address your comments,
we have adjusted our design and implementation so that publicly-trusted
certificates are no longer used and have modified our use of Certificate
Transparency.
All certificates for encrypting data for Prio
Hi, Matt,
We thought hard about the agility concerns for this particular application and
the impact to the WebPKI and CT ecosystems. First, all certificates involved in
this design are checked for expiration, revocation, and Certificate
Transparency using all of the same logic that verifies
Ryan,
Thank you for the questions. Answers in line.
Bailey
On Friday, October 30, 2020 at 8:43:46 AM UTC-7, Ryan Sleevi wrote:
> On Thu, Oct 29, 2020 at 2:07 PM Jacob Hoffman-Andrews via
> dev-security-policy wrote:
>
> > The processor sends the resulting TLS certificate to Apple. Apple
:
> On Fri, Oct 30, 2020 at 10:49 AM Bailey Basile via dev-security-policy <
> dev-secur...@lists.mozilla.org> wrote:
>
> >
> > We specifically chose not to issue Apple certificates for these keys
> > because we did not want users to have to trust only Apple's assertion
Hi, Devon,
The policy that evaluates the publicly-trusted certificates (note that there is
no requirement that ISRG be the issuer for these certificates) does require
id-kp-serverAuth. Yes, changing to a non-TLS certificate would require a change
to the Apple clients and would require an
6 matches
Mail list logo
