DSV Gruppe has applied to include the SHA-256 S-TRUST Universal Root
CA root certificate and enable the Email trust bit. DSV Gruppe’s SHA-1
S-TRUST Authentication and Encryption Root CA 2005:PN root certificate
was included in NSS via Bugzilla Bug #370627.
Deutscher Sparkassen Verlag GmbH
The CAB Forum's EV guidelines include the Baseline Requirements.
Likewise, the WebTrust EV audit criteria includes the Baseline
Requirements audit criteria. So, I have been asked to make the following
clarification.
In
On 11/7/14, 2:07 AM, Chema López wrote:
If the WebTrust EV audit criteria includes the Baseline Requirements audit
criteria and, In other words, the WebTrust EV audit statement will also
suffice as the WebTrust BR audit statement, why is it required for CAs to pay
for three seals? Maybe it is
On 11/7/14, 2:51 PM, Ryan Sleevi wrote:
In order for Mozilla to recognize a root as EV, it must first be
recognized as a root for SSL certificate issuance. If a certificate is
issued by that root as non-EV, it will still be trusted for SSL.
The concern with your current proposal is that it
On 10/23/14, 11:50 AM, Kathleen Wilson wrote:
Staat der Nederlanden has applied to include the “Staat der Nederlanden
Root CA - G3” and “Staat der Nederlanden EV Root CA” root certificates;
turn on the Websites and Email trust bits for the “Staat der Nederlanden
Root CA - G3” root; turn
All,
As of this week I am using SalesForce to manage the CA program data.
The migration of the CA program into SalesForce will be done in several
phases, the first of which is migrating the spreadsheet data for
included root certificates and pending changes.
As you know, the spreadsheet of
On 11/17/14 5:10 PM, Kathleen Wilson wrote:
All,
As of this week I am using SalesForce to manage the CA program data.
The migration of the CA program into SalesForce will be done in several
phases, the first of which is migrating the spreadsheet data for
included root certificates and pending
On 11/20/14 3:19 PM, kirk_h...@trendmicro.com wrote:
Kathleen, out of curiosity -- what's the difference between a Root Renewal
Request and a simple request to add a new root to the Mozilla root store? Are they
essentially the same process, or is a root renewal request treated differently?
On 9/8/14 5:05 PM, Kathleen Wilson wrote:
I posted a security blog about 1024-bit certs...
https://blog.mozilla.org/security/2014/09/08/phasing-out-certificates-with-1024-bit-rsa-keys/
==
The second phase of migrating off of 1024-bit root certificates
involves the changes identified
On 10/23/14 11:50 AM, Kathleen Wilson wrote:
Staat der Nederlanden has applied to include the “Staat der Nederlanden
Root CA - G3” and “Staat der Nederlanden EV Root CA” root certificates;
turn on the Websites and Email trust bits for the “Staat der Nederlanden
Root CA - G3” root; turn
On 11/6/14 11:37 AM, Kathleen Wilson wrote:
DSV Gruppe has applied to include the SHA-256 S-TRUST Universal Root
CA root certificate and enable the Email trust bit. DSV Gruppe’s SHA-1
S-TRUST Authentication and Encryption Root CA 2005:PN root certificate
was included in NSS via Bugzilla Bug
Entrust has applied to include the “Entrust Root Certification Authority
- G2” and “Entrust Root Certification Authority - EC1” root
certificates, turn on all three trust bits for both, and enable EV
treatment for both. These new root certificates are intended to
eventually replace Entrust's
On 12/16/14 11:28 AM, Kathleen Wilson wrote:
On 10/30/14 11:16 AM, Kathleen Wilson wrote:
IdenTrust has applied to include the “IdenTrust Commercial Root CA 1”
and “IdenTrust Public Sector Root CA 1” root certificates, and turn on
the Websites and Email trust bits for both. The “IdenTrust
On 12/1/14 11:59 AM, Kathleen Wilson wrote:
On 11/6/14 11:37 AM, Kathleen Wilson wrote:
DSV Gruppe has applied to include the SHA-256 S-TRUST Universal Root
CA root certificate and enable the Email trust bit. DSV Gruppe’s SHA-1
S-TRUST Authentication and Encryption Root CA 2005:PN root
All,
Should NSS and mozilla::pkix support DSA certificates?
Should we add support for DSA to Mozilla's CA Certificate Policy?
Background:
* Currently there are no DSA roots in the NSS root store.
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/
*
Thanks to all of you who reviewed and commented on this request from
CFCA to include the “CFCA EV ROOT” root certificate, turn on the
websites trust bit, and enable EV treatment.
I am closing this discussion, and I will recommend approval in the bug.
On 2/5/15 10:41 PM, Man Ho (Certizen) wrote:
However, if Mozilla would add one
more peer from CA background (except Let's Encrypt), it'd be even better.
There are indeed several representatives of the CAs in Mozilla's program
who regularly provide valuable contributions to the discernment
On 2/6/15 1:52 PM, Peter Bowen wrote:
Can you clarify the definition of peer in this context? In other
modules, it means someone who can approve changes without further
approval.
I envision that the migration of the CA Program into SalesForce will
eventually enable us to have more than one
: Mozilla CA Certificate Policy
Owner: Kathleen Wilson
Peers: Gervase Markham, Johnathan Nightingale, Sid Stamm
URL: http://www.mozilla.org/projects/security/certs/policy/
Module #2
Name: CA Certificates
Description: Determine which root certificates should be included in
Mozilla software products
I have been asked the following question about why both the “Principles
and Criteria for Certification Authorities 2.0” and the “SSL Baseline
Requirements Audit Criteria” are required.
== Question ==
As far as we know the principles of both standards are identical, except
for technical network
On 1/14/15 1:14 AM, Kurt Roeckx wrote:
On 2014-12-22 21:26, Ryan Sleevi wrote:
snip
Adding support for DSA (as requested by at least one CA) would be a step
backwards for security. I'd like Mozilla to consider keeping the current
policy and prohibiting DSA, allowing only RSA and ECDSA roots.
On 1/7/15 1:23 PM, Kathleen Wilson wrote:
China Financial Certification Authority (CFCA) has applied to include
the “CFCA EV ROOT” root certificate, turn on the websites trust bit, and
enable EV treatment.
The first discussion resulted in CA action items, which have been
completed.
https
LuxTrust has applied to include the LuxTrust Global Root root
certificate, turn on the Websites and Code Signing trust bits, and
enable EV treatment.
LuxTrust S.A. provides PKI services for the whole economic marketplace
in Luxembourg, for both private and public organisations. LuxTrust S.A.
On 1/20/15 12:25 PM, Kathleen Wilson wrote:
On 1/7/15 1:23 PM, Kathleen Wilson wrote:
China Financial Certification Authority (CFCA) has applied to include
the “CFCA EV ROOT” root certificate, turn on the websites trust bit, and
enable EV treatment.
The first discussion resulted in CA action
All,
https://wiki.mozilla.org/CA:BaselineRequirements
Currently says: The CA's CP or CPS documents must include a commitment
to comply with the BRs, as described in BR section 8.3.
I have been asked if a CA can have their Webtrust audit statement
indicate their commitment to comply with the
All,
I posted a security blog about the second phase of the 1024-bit root
changes being in Firefox 36...
https://blog.mozilla.org/security/2015/01/28/phase-2-phasing-out-certificates-with-1024-bit-rsa-keys/
Kathleen
___
dev-security-policy mailing
statements have been updated in our records.
Regards,
Kathleen Wilson, Module Owner of Mozilla's CA Certificates Module
==
== Overdue ==
To: Alias1 and Alias2 *and* the primary POC and CC POC(s)
Subject: Mozilla: Overdue Audit Statements
Dear Certification Authority,
Updated audit statements
On 1/5/15 11:48 AM, Kathleen Wilson wrote:
On 12/16/14 11:32 AM, Kathleen Wilson wrote:
On 12/1/14 2:28 PM, Kathleen Wilson wrote:
Entrust has applied to include the “Entrust Root Certification Authority
- G2” and “Entrust Root Certification Authority - EC1” root
certificates, turn on all
On 2/5/15 12:58 PM, Kathleen Wilson wrote:
According to https://wiki.mozilla.org/Modules: A module is a discrete
unit of code or activity. An owner is the person in charge of a module
or sub-module. A peer is a person whom the owner has appointed to help
them.
There are two modules associated
Krajowa Izba Rozliczeniowa (KIR) S.A. has applied to include the SZAFIR
ROOT CA root certificate and enable all three trust bits.
The first discussion is here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/aNbK4zw_Zb8/ekmVXYXvfQ4J
The action items resulting from the first
On 12/19/14 4:40 AM, Erwann Abalea wrote:
Current Mozilla CA Policy (version 2.2) adopts CABR BR 1.1.5.
What is Mozilla's position about duplicate serial numbers? BR 1.2.2 added an
exemption for CT, to allow pre-certs to be issued under the same CA and having
the same serial number as the
On 12/19/14 2:18 PM, Bruce wrote:
On Friday, December 19, 2014 5:15:24 PM UTC-5, Bruce wrote:
On Friday, December 19, 2014 7:40:46 AM UTC-5, Erwann Abalea wrote:
So far, Entrust is the last of the big CAs who still uses sequential serial
numbers when CABF BR and Mozilla Policy impose at
On 12/16/14 11:32 AM, Kathleen Wilson wrote:
On 12/1/14 2:28 PM, Kathleen Wilson wrote:
Entrust has applied to include the “Entrust Root Certification Authority
- G2” and “Entrust Root Certification Authority - EC1” root
certificates, turn on all three trust bits for both, and enable EV
On 3/10/15 1:11 PM, Kathleen Wilson wrote:
On 1/22/15 1:43 PM, Kathleen Wilson wrote:
All,
As you know, we've moved the CA Program data from spreadsheets into
SalesForce.
We are now creating a program that will be run once per month to
automatically send email to CAs when audit statements
All,
I appreciate your thoughtful and constructive feedback on this situation.
The suggestions regarding the CNNIC root certificates that I've
interpreted from this discussion are as follows. These are listed in no
particular order, and are not necessarily mutually exclusive.
A) Remove both
All,
I have confirmed that KIR has made the changes listed below to their CPS
and CP.
CPS:
http://www.elektronicznypodpis.pl/files/doc/certification_practice_statement.pdf
CP: http://elektronicznypodpis.pl/files/doc/certification_policy.pdf
Are there any further questions or comments about
On 3/23/15 8:36 AM, Kathleen Wilson wrote:
Just to be clear... This is the wording copied as-is from the wiki page.
I have not proposed any changes yet -- I'm looking for your input on how
to update this wiki page, and I appreciate the input you all have
provided so far.
Thanks,
Kathleen
On 3
Peter, Did you read the blog posts?
1)
https://blog.mozilla.org/security/2015/03/23/revoking-trust-in-one-cnnic-intermediate-certificate/
2)
http://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html
Is there any data on this intermediate?
Does the
On 4/14/15 8:50 AM, yuhongbao_...@hotmail.com wrote:
On Thursday, March 19, 2015 at 1:02:06 PM UTC-7, Peter Bowen wrote:
On Wed, Mar 18, 2015 at 12:40 PM, Kathleen Wilson kwil...@mozilla.com wrote:
I propose removing the following root cert from NSS, due to inadequate audit
statements.
Issuer
On 12/1/14 9:25 AM, Kathleen Wilson wrote:
On 9/8/14 5:05 PM, Kathleen Wilson wrote:
I posted a security blog about 1024-bit certs...
https://blog.mozilla.org/security/2014/09/08/phasing-out-certificates-with-1024-bit-rsa-keys/
The third and final phase of migrating off of 1024-bit root
On 3/17/15 8:59 AM, Kathleen Wilson wrote:
On 3/10/15 1:11 PM, Kathleen Wilson wrote:
On 1/22/15 1:43 PM, Kathleen Wilson wrote:
All,
As you know, we've moved the CA Program data from spreadsheets into
SalesForce.
We are now creating a program that will be run once per month to
automatically
On 4/9/15 9:32 AM, Kathleen Wilson wrote:
All,
I would like to send the next CA Communication in late April or early
May, and request CAs to respond to it within one month. For this
communication I plan to use SalesForce to email a customized survey link
to the Primary Point of Contact for each
On 4/13/15 1:15 PM, Brian Smith wrote:
Kathleen Wilson kwil...@mozilla.com wrote:
ACTION #4
Workarounds were implemented to allow mozilla::pkix to handle the things
listed here:
https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix
Hi Kathleen,
Thanks
.
Thanks,
Kathleen
Forwarded Message
Subject: Sandbox: DRAFT Mozilla Communication: Action requested by June
5, 2015
Date: Tue, 28 Apr 2015 23:57:04 + (GMT)
From: Kathleen Wilson kwilson=mozilla@example.com
To: kwil...@mozilla.com kwil...@mozilla.com
4/28/2015
Dear
On 4/20/15 5:05 PM, Kathleen Wilson wrote:
On 4/14/15 8:50 AM, yuhongbao_...@hotmail.com wrote:
On Thursday, March 19, 2015 at 1:02:06 PM UTC-7, Peter Bowen wrote:
On Wed, Mar 18, 2015 at 12:40 PM, Kathleen Wilson
kwil...@mozilla.com wrote:
I propose removing the following root cert from NSS
On 5/6/15 1:52 AM, Gervase Markham wrote:
On 05/05/15 21:54, Kathleen Wilson wrote:
EXAMPLE/DRAFT Survey Link:
https://community-mozillacaprogram.cs21.force.com/Communications/TakeSurvey?id=a04q004jpXoAAIcId=caId=none
LGTM.
Gerv
Thanks, I'm planning to send the communication early
On 4/23/15 4:21 PM, Kathleen Wilson wrote:
All,
It has been brought to my attention that we do not have a documented
procedure or policy about how to transfer a root certificate from one CA
to another.
Do we need to add expectations about root cert transfers to Mozilla's CA
Certificate Policy
On 5/4/15 4:02 PM, Ryan Sleevi wrote:
On Fri, April 24, 2015 4:45 pm, kwil...@mozilla.com wrote:
The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=937589
Does anyone have questions or comments about this root renewal request
from Certinomis?
On 5/7/15 10:47 AM, Kathleen Wilson wrote:
On 5/6/15 1:52 AM, Gervase Markham wrote:
On 05/05/15 21:54, Kathleen Wilson wrote:
EXAMPLE/DRAFT Survey Link:
https://community-mozillacaprogram.cs21.force.com/Communications/TakeSurvey?id=a04q004jpXoAAIcId=caId=none
LGTM.
Gerv
Thanks, I'm
All,
The May 2015 CA Communication has been sent.
https://blog.mozilla.org/security/2015/05/12/may-2015-ca-communication/
https://wiki.mozilla.org/CA:Communications#May_2015
Thanks to all of you who contributed to it.
Thanks,
Kathleen
On 5/12/15 12:18 PM, Kathleen Wilson wrote:
All,
The May 2015 CA Communication has been sent.
https://blog.mozilla.org/security/2015/05/12/may-2015-ca-communication/
https://wiki.mozilla.org/CA:Communications#May_2015
Thanks to all of you who contributed to it.
Thanks,
Kathleen
CAs
On 5/12/15 2:49 PM, David E. Ross wrote:
On 5/12/2015 12:18 PM, Kathleen Wilson wrote:
All,
The May 2015 CA Communication has been sent.
https://blog.mozilla.org/security/2015/05/12/may-2015-ca-communication/
https://wiki.mozilla.org/CA:Communications#May_2015
Thanks to all of you who
On 5/12/15 3:48 PM, Kathleen Wilson wrote:
On 5/12/15 2:49 PM, David E. Ross wrote:
On 5/12/2015 12:18 PM, Kathleen Wilson wrote:
All,
The May 2015 CA Communication has been sent.
https://blog.mozilla.org/security/2015/05/12/may-2015-ca-communication/
https://wiki.mozilla.org
Certinomis has translated the following into English:
AA AGENTS CA for AA Servers
- (requirements for French Regulation and ETSI/TS 102 042 including BR-PTC)
http://www.certinomis.fr/publi/rgs/DT-FL-1310-040-PC-AA-1.4-EN.pdf
Easy CA for WebSSL
- (requirements ETSI/TS 102 042 including BR-PTC)
On 2/9/15 1:08 PM, Kathleen Wilson wrote:
Krajowa Izba Rozliczeniowa (KIR) S.A. has applied to include the SZAFIR
ROOT CA root certificate and enable all three trust bits.
The first discussion is here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/aNbK4zw_Zb8/ekmVXYXvfQ4J
On 4/6/15 2:06 PM, Kathleen Wilson wrote:
On 2/9/15 1:08 PM, Kathleen Wilson wrote:
Krajowa Izba Rozliczeniowa (KIR) S.A. has applied to include the SZAFIR
ROOT CA root certificate and enable all three trust bits.
The first discussion is here:
https://groups.google.com/d/msg
On 4/2/15 10:24 AM, Richard Barnes wrote:
Thanks for the feedback on this plan, everyone. Gerv, Kathleen, and I have
discussed it, and our judgement is that there's consensus here to move
forward with the plan as proposed:
* Do not remove the CNNIC root, but
* Reject certificates chaining to
WoSign has applied to include the Certification Authority of WoSign G2
and CA WoSign ECC Root root certificates, turn on all three trust bits
for both roots, and enable EV treatment for both roots. WoSign's
previous root certificates were included via Bugzilla Bug #851435.
WoSign issues
On 6/17/15 12:05 PM, Kathleen Wilson wrote:
Therefore, the result of this discussion is as follows:
==
CNNIC may re-apply for full inclusion following the normal process,
after they have completed the following additional steps.
1. Provide a list of changes CNNIC has implemented to ensure
I'm not clear on what Mozilla expects here when standing up a new
subordinate and disclosing it for the first time. Assuming the operator
has an audit program in place, it is possible that it will be 12+ months
until they have an opinion from their auditor that calls out the new
subordinate (11
On 5/22/15 2:15 PM, Kathleen Wilson wrote:
On 4/7/15 5:31 PM, Richard Barnes wrote:
As noted in our earlier conclusion with regard to CNNIC's status [1], the
CNNIC roots are currently in a partially disabled state, in which
certificates chaining to these roots are only to be accepted
On 6/4/15 10:55 AM, Kathleen Wilson wrote:
WoSign has applied to include the Certification Authority of WoSign G2
and CA WoSign ECC Root root certificates, turn on all three trust bits
for both roots, and enable EV treatment for both roots. WoSign's
previous root certificates were included via
On 5/6/15 11:58 AM, Kathleen Wilson wrote:
On 4/23/15 4:21 PM, Kathleen Wilson wrote:
All,
It has been brought to my attention that we do not have a documented
procedure or policy about how to transfer a root certificate from one CA
to another.
Do we need to add expectations about root cert
On 5/12/15 3:59 PM, Kathleen Wilson wrote:
On 5/12/15 3:48 PM, Kathleen Wilson wrote:
On 5/12/15 2:49 PM, David E. Ross wrote:
On 5/12/2015 12:18 PM, Kathleen Wilson wrote:
All,
The May 2015 CA Communication has been sent.
https://blog.mozilla.org/security/2015/05/12/may-2015-ca
On 5/29/15 4:55 PM, David E. Ross wrote:
On 5/29/2015 2:16 PM, Kathleen Wilson wrote:
On 5/28/15 7:53 PM, David E. Ross wrote:
I have started the wiki page for this, and I will appreciate your
feedback on it.
https://wiki.mozilla.org/CA:RootTransferPolicy
Thanks,
Kathleen
Does the line
On 6/1/15 4:13 PM, David E. Ross wrote:
On 6/1/2015 2:45 PM, Kathleen Wilson wrote:
On 5/29/15 4:55 PM, David E. Ross wrote:
On 5/29/2015 2:16 PM, Kathleen Wilson wrote:
On 5/28/15 7:53 PM, David E. Ross wrote:
I have started the wiki page for this, and I will appreciate your
feedback
On 4/7/15 5:31 PM, Richard Barnes wrote:
As noted in our earlier conclusion with regard to CNNIC's status [1], the
CNNIC roots are currently in a partially disabled state, in which
certificates chaining to these roots are only to be accepted if they were
issued before 1 Apr 2015. CNNIC may
On 5/5/15 2:37 PM, Kathleen Wilson wrote:
On 5/4/15 4:02 PM, Ryan Sleevi wrote:
On Fri, April 24, 2015 4:45 pm, kwil...@mozilla.com wrote:
The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=937589
Does anyone have questions or comments about
On 5/22/15 4:24 PM, Ryan Sleevi wrote:
Nothing is said in the current policy for the population of existing certs
- whether or not they comply either to the BRs or to the CA's existing
policies.
This is somewhat obliquely discussed at
On 8/5/15 2:49 AM, Gervase Markham wrote:
On 03/08/15 19:40, Kathleen Wilson wrote:
1) Responses to Action #3 -- SHA-1 Deprecation Plans
Several large CAs have significant outstanding inventory of SHA-1 certs
which are valid beyond 2017 and have no plans to revoke them. This is
fine
All,
It's time to begin discussions about updating Mozilla's CA Certificate
Policy.
The current policy is here:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
Inclusion Policy:
On 6/17/15 12:11 PM, Kathleen Wilson wrote:
On 6/4/15 10:55 AM, Kathleen Wilson wrote:
WoSign has applied to include the Certification Authority of WoSign G2
and CA WoSign ECC Root root certificates, turn on all three trust bits
for both roots, and enable EV treatment for both roots. WoSign's
All,
Thank you for your thoughtful feedback on the new wiki page.
And I apologize for the delay in my response, due to my summer vacation.
I have updated the wiki page in an effort to incorporate all of your
feedback:
https://wiki.mozilla.org/CA:RootTransferPolicy
+ Added a second paragraph
SECOM has applied to enable EV treatment for the Security Communication
RootCA2 root certificate that was included in NSS via Bugzilla Bug #527419.
SECOM is a Japanese commercial CA that provides SSL and client
certificates for e-Government and participates in several projects for
financial
We now have the following report that is auto-generated from Salesforce:
https://mozillacaprogram.secure.force.com/Communications/PendingCACertificateReport
I plan to update https://wiki.mozilla.org/CA:PendingCAs to have a link
to this report, and no longer show the Google spreadsheet. The
On 7/28/15 3:17 PM, Kathleen Wilson wrote:
On 6/17/15 12:11 PM, Kathleen Wilson wrote:
On 6/4/15 10:55 AM, Kathleen Wilson wrote:
WoSign has applied to include the Certification Authority of WoSign G2
and CA WoSign ECC Root root certificates, turn on all three trust bits
for both roots
On 8/4/15 1:26 PM, Peter Bowen wrote:
On Tue, Aug 4, 2015 at 1:17 PM, Kathleen Wilson kwil...@mozilla.com wrote:
The Included CAs list is now being automatically generated directly from
Salesforce:
https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReport
If everyone is OK
The Included CAs list is now being automatically generated directly from
Salesforce:
https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReport
If everyone is OK with this new report, I will change
https://wiki.mozilla.org/CA:IncludedCAs to point to this new report, and
will
Here's the link to the automatically-generated report of CA responses:
https://mozillacaprogram.secure.force.com/Communications/CommunicationSummaryReport?CommunicationId=a04o00M89RCAAZ
All,
I apologize for my delay in following up on this, due to my summer vacation.
Every CA has
On 8/24/15 10:12 AM, Brian Smith wrote:
On Mon, Aug 24, 2015 at 5:53 AM, Gervase Markham g...@mozilla.org wrote:
On 20/08/15 19:12, Kathleen Wilson wrote:
It's time to begin discussions about updating Mozilla's CA Certificate
Policy.
Great :-)
A list of the things to consider changing
All,
In section 2.2 of version 1.3 of the CA/Browser Forum's Baseline
Requirements, it says:
"The disclosures MUST include all the material required by RFC 2527 or
RFC 3647, and MUST be structured in accordance with either RFC 2527 or
RFC 3647."
Some government CAs are bound by local
FNMT has applied to include the “AC RAIZ FNMT-RCM” root certificate and
enable the Websites trust bit.
Fábrica Nacional de Moneda y Timbre (FNMT) is a government agency that
provides services to Spain as a national CA.
The request is documented in the following bug:
On 10/1/15 3:44 PM, Kathleen Wilson wrote:
Unizeto Certum has applied to include the “Certum Trusted Network CA 2”
root certificate, turn on all three trust bits, and enable EV treatment.
This is the next generation of the “Certum Trusted Network CA” root cert
that was included via bug #532377
On 10/26/15 5:28 PM, Peter Kurrasch wrote:
I couldn't tell from the bug report if it means that a discussion will take
place once all the information is collected or if Mozilla is already moving
forward with incorporation of the root? I'd like to ask a question about
technical constraints on
On 9/21/15 4:02 PM, Kathleen Wilson wrote:
The next item on our list to discuss is:
https://wiki.mozilla.org/CA:CertificatePolicyV2.3
(D2) CA/Browser Forum Baseline Requirements version 1.1.6 added a
requirement regarding technically constraining subordinate CA
certificates, so item #9
On 10/28/15 2:14 PM, Kathleen Wilson wrote:
Google has blogged about this:
https://googleonlinesecurity.blogspot.com/2015/10/sustaining-digital-certificate-security.html
All,
We should discuss what actions Mozilla should require of Symantec, and
what would be the penalty of not completing
On 10/19/15 4:34 PM, Kathleen Wilson wrote:
Therefore, I also propose that we don't separate out the audit criteria
according to trust bit in version 2.3 of the policy. Rather, the
separation will be part of another effort to create a separate S/MIME
policy in 2016.
This means
Google has blogged about this:
https://googleonlinesecurity.blogspot.com/2015/10/sustaining-digital-certificate-security.html
All,
I have been asked to consider updating Mozilla's CA Certificate Policy
to clarify that a ccTLD is not acceptable in permittedSubtrees for
technically constraining subordinate CA certs.
In section 7.1.5 of version 1.3 of the Baseline Requirement it says:
"(a) For each dNSName in
On 11/9/15 3:54 PM, Kathleen Wilson wrote:
SECOM has applied to enable EV treatment for the "Security Communication
RootCA2" root certificate that was included in NSS via Bugzilla Bug
#527419.
SECOM is a Japanese commercial CA that provides SSL and client
certificates for e-
SECOM has applied to enable EV treatment for the "Security Communication
RootCA2" root certificate that was included in NSS via Bugzilla Bug #527419.
SECOM is a Japanese commercial CA that provides SSL and client
certificates for e-Government and participates in several projects for
financial
On 11/3/15 7:09 PM, Ryan Sleevi wrote:
On Tue, November 3, 2015 4:24 pm, Kathleen Wilson wrote:
Topic to discuss [1]:
(D3) Make the timeline clear about when the audit statements and
disclosure has to happen for new audited/disclosed subCAs.
What further clarification needs
The next two topics to discuss [1] have to do with section 8 of
Mozilla’s CA Certificate Maintenance Policy.
The proposals are:
- (D15) Deprecate SHA-1 Hash Algorithms in certs.
and
- (D4) In item #8 of the Maintenance Policy recommend that CAs avoid
SHA-512 and P-521, especially in their CA
On 11/5/15 10:58 AM, David E. Ross wrote:
Rather than list acceptable key types and sizes, cite the Baseline
Requirements along with listing exceptions, both types and sizes that
are not supported but are in the BR and types and sizes that are
supported but are not in the BR. I would not be
Topic to discuss [1]:
“(D3) Make the timeline clear about when the audit statements and
disclosure has to happen for new audited/disclosed subCAs.
Section 10 of the Inclusion Policy says:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
“The CA
All,
As many of you know, we've been working to customize Salesforce to
create a CA Community that enables CAs to directly provide the data for
all of the publicly disclosed and audited subordinate CAs chaining up to
root certificates in Mozilla's program, and to also directly provide
data
On 11/5/15 11:34 AM, s...@gmx.ch wrote:
It seems that we are going to untrust SHA-1 generally on July 1, 2016
[1]. Do we already have a bug number for this?
https://bugzilla.mozilla.org/show_bug.cgi?id=942515
I think certificates with 'notAfter >= 2017-7-1' should get a triangle
instead
On 8/4/15 1:26 PM, Peter Bowen wrote:
On Tue, Aug 4, 2015 at 1:17 PM, Kathleen Wilson <kwil...@mozilla.com> wrote:
The Included CAs list is now being automatically generated directly from
Salesforce:
https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReport
Is there
All,
Thank you for your patience throughout this long discussion. I
appreciate all of your thoughtful and constructive input.
I feel confident now that we should do the following:
1) Remove reference to the code signing trust bit from version 2.3 of
Mozilla's CA Certificate Policy.
2) When
All,
It was previously suggested[1] that we align Mozilla's CA Certificate
Policy to RFC 3647, so CAs can compare their CP/CPS side-by-side with
Mozilla's policy, as well as the BRs and audit criteria (such as the
forthcoming ETSI 319 411 series).
I responded by postponing that work to a