This request by the Government of Japan, Ministry of Internal Affairs and
Communications, is to include the GPKI 'ApplicationCA2 Root' certificate and
enable the Websites trust bit. This new root certificate has been created in
order to comply with the Baseline Requirements, and will eventually
On Monday, May 16, 2016 at 1:33:40 PM UTC-7, Rob Stradling wrote:
> However, ISTM that a "proposed change currently in discussion" is less
> authoritative than the CA Communication (which, as I've said, seems to
> explicitly require multiple disclosures of the same intermediate when
> multiple
Here is a summary of this discussion so far about Symantec's request to enable
EV treatment for the "VeriSign Class 3 Public Primary Certification Authority -
G4" root certificate that was included via bug #409235, and has all three trust
bits enabled.
1) The "Symantec AATL ECC Intermediate
On Wednesday, May 18, 2016 at 7:17:01 AM UTC-7, Rob Stradling wrote:
> The following intermediate certificate is not "technically constrained"
> according to the Policy. It contains id-kp-codeSigning, but does not
> "contain a directoryName permittedSubtrees constraint where each
>
On Thursday, May 19, 2016 at 6:58:36 AM UTC-7, Rob Stradling wrote:
> Specifically, what are the disclosure requirements for intermediates
> that can only issue id-kp-emailProtection and/or id-kp-codeSigning
> end-entity certs?
Quotes from policy and supporting wiki page:
~~
On Friday, May 20, 2016 at 2:39:20 AM UTC-7, Rob Stradling wrote:
> On 19/05/16 21:48, Kathleen Wilson wrote:
> > On Monday, May 16, 2016 at 1:33:40 PM UTC-7, Rob Stradling wrote:
> >> However, ISTM that a "proposed change currently in discussion" is less
>
Does anyone have questions, concerns, or feedback on this request from the
Government of Japan, Ministry of Internal Affairs and Communications, to
include the GPKI 'ApplicationCA2 Root' certificate and enable the Websites
trust bit?
Kathleen
___
Thanks to all of you who have reviewed and commented on this request from
DocuSign to include the following root certificates, turn on the Websites and
Email trust bits for all of them, and enable EV treatment for all of them.
+ Certplus Root CA G1 - (SHA512, RSA4096)
+ Certplus Root CA G2 -
On Monday, May 16, 2016 at 9:20:56 AM UTC-7, Kathleen Wilson wrote:
> I am wondering if the BRs need to be updated to:
> + Define what is meant by "Certificate misuse, or other types of fraud".
> (e.g. being used for a purpose outside of that contained in the cert, or
> ap
> > This discussion should consider what's best for Mozilla's users. Perhaps
> > that aligns precisely with the minimum requirements in the EVGs, or perhaps
> > it doesn't. Mozilla are free to specify additional requirements if they
> > feel the need to do so, just as Microsoft did recently...
>
The new reports are at the following new links. A couple columns were added:
'Parent Name', 'SHA-256 Fingerprint'.
https://mozillacaprogram.secure.force.com/CA/PublicAllIntermediateCerts
https://mozillacaprogram.secure.force.com/CA/PublicAllIntermediateCertsCSV
I have also updated the links in
On Monday, May 16, 2016 at 11:27:21 AM UTC-7, Kathleen Wilson wrote:
> The new reports are at the following new links. A couple columns were added:
> 'Parent Name', 'SHA-256 Fingerprint'.
>
> https://mozillacaprogram.secure.force.com/CA/PublicAllIntermediateC
All,
I have been receiving questions about the following items in the CA/Browser
Forum Baseline Requirements, and I would appreciate your input on what the
answers are or should be.
== In the Baseline Requirements ==
Definitions:
Certificate Problem Report: Complaint of suspected Key
On Thursday, May 12, 2016 at 10:05:21 AM UTC-7, Kathleen Wilson wrote:
> I apologize for the delay.
>
> There will be new links, and we expect to have the new reports available
> today.
>
> I will update the links on the wiki page, and provide notice in this
> discussi
Rob, thanks for letting me know.
The following two reports are now exceeding Salesforce's CPU limits, so it will
take some time for us to figure out a solution. I will provide an update as
soon as possible.
https://mozillacaprogram.secure.force.com/CA/PublicIntermediateCerts
On Tuesday, May 10, 2016 at 8:30:45 AM UTC-7, Erwann Abalea wrote:
> Bonjour,
>
> Le mardi 10 mai 2016 10:10:49 UTC+2, Kurt Roeckx a écrit :
> > On 2016-05-10 02:07, Kathleen Wilson wrote:
> > > Thanks to all of you who have reviewed and commented on this request from
>
On Wednesday, April 13, 2016 at 1:39:48 PM UTC-7, Kathleen Wilson wrote:
> All,
>
> I have added links to reports of the responses to the March 2016 CA
> Communication survey:
>
> https://wiki.mozilla.org/CA:Communications#March_2016_Responses
>
> Please keep in
All,
I have added links to reports of the responses to the March 2016 CA
Communication survey:
https://wiki.mozilla.org/CA:Communications#March_2016_Responses
Please keep in mind that the responses are considered preliminary and may be
changed until April 22, 2016. And remember that up until
On 7/13/16 8:02 PM, sanjay_m...@symantec.com wrote:
On Tuesday, July 12, Symantec erroneously produced and issued 8 SHA-1
certificates in support of one customer’s application to submit SHA-1 TBS
Certificates to the CA/B Forum for a SHA-1 exception. Symantec has revoked the
certificates. An
On Monday, July 18, 2016 at 4:39:46 PM UTC-7, Kathleen Wilson wrote:
> Therefore, I intend to proceed with closing this discussion and
> recommending approval in the bug.
Thanks to all of you who participated in this discussion about the request from
ISRG to include the "ISRG Ro
On Friday, May 20, 2016 at 3:33:56 PM UTC-7, Kathleen Wilson wrote:
> Does anyone have questions, concerns, or feedback on this request from the
> Government of Japan, Ministry of Internal Affairs and Communications, to
> include the GPKI 'ApplicationCA2 Root' certificate and enable the
On 7/17/16 7:16 PM, Andrew Ayer wrote:
On Wed, 29 Jun 2016 11:46:14 -0700 (PDT)
sanjay_m...@symantec.com wrote:
On Wednesday, May 18, 2016 at 2:58:54 PM UTC-7, Kathleen Wilson wrote:
1) The "Symantec AATL ECC Intermediate CA" needs to be revoked and
added to OneCRL. The intermediat
On 5/18/16 2:51 PM, Kathleen Wilson wrote:
Here is a summary of this discussion so far about Symantec's request to enable EV
treatment for the "VeriSign Class 3 Public Primary Certification Authority -
G4" root certificate that was included via bug #409235, and has all three
o everyone who has a login to the CA Community in Salesforce.
Kathleen
On 6/27/16 3:56 PM, Kathleen Wilson wrote:
All,
We are planning to do the import of the data corresponding to
Microsoft's root store program into the CA Community in Salesforce, with
the hopeful start time of 8:00am PDT
All,
The signature that we were waiting for has happened, so we will continue
with the data migration. The public-facing reports will not be available
when the data import is happening, and until we have verified the data.
Kathleen
On 6/28/16 7:56 PM, Kathleen Wilson wrote:
All,
I
, but access to the
system is very limited because we don't want any changes going into the
system until we finish the data import.
I will provide status updates as things progress.
Kathleen
On 6/28/16 8:29 AM, Kathleen Wilson wrote:
The work on this data migration is starting now. The CA
This request from Amazon is to enable EV treatment for the currently-included
“Starfield Services Root Certificate Authority - G2” certificate, and to include
the following 4 new root certificates, turn on the Email and Websites trust
bits for them, and enable EV treatment for all of them.
-
On Wednesday, March 23, 2016 at 2:08:19 PM UTC-7, Kathleen Wilson wrote:
> On 12/17/15 5:34 PM, Kathleen Wilson wrote:
> > The first discussion of LuxTrust's root inclusion request was here:
> > https://groups.google.com/d/msg/mozilla.dev.security.policy/47Jz7f8E4
https://wiki.mozilla.org/CA:SalesforceCommunity#Policies_and_Practices_Information
This is an automated email that will be sent regularly until the audit
statement information for the intermediate certificate records has been
completed.
Regards,
Kathleen Wilson
Mozilla
CA Program Manager
-- END DRAFT --
As
This request from Guangdong Certificate Authority (GDCA) is to include the
"GDCA TrustAUTH R5 ROOT" certificate, turn on the Websites trust bit, and
enable EV treatment.
GDCA is a nationally recognized CA that operates under China’s Electronic
Signature Law. GDCA’s customers are business
" notice as soon as it has all been restored.
Kathleen
On 6/28/16 8:57 PM, Kathleen Wilson wrote:
All,
The signature that we were waiting for has happened, so we will continue
with the data migration. The public-facing reports will not be available
when the data import is happening, and unt
All,
As you know, the CA Community in Salesforce (aka Common CA Database)
automatically sends audit reminder emails to CAs in Mozilla’s root store
with overdue audit statements on the 3rd Tuesday of each month.
As requested, here is a summary of the audit-reminder emails that were
sent
All,
It has come to our attention that Hongkong Post has recently issued a
SHA1 cert that can be used in TLS/SSL.
https://bugzilla.mozilla.org/show_bug.cgi?id=1267332#c3
The certificate was signed by the "Hongkong Post e-Cert CA 1 - 10"
intermediate certificate.
From the CA: "This
All,
I've added another Potentially Problematic Practice, as follows.
https://wiki.mozilla.org/CA:Problematic_Practices#Issuer_Encoding_in_CRL
The encoding of the Issuer field in the CRL should be byte-for-byte equivalent
with the encoding of the Issuer in the certificate; that is, using the
On Thursday, December 15, 2016 at 10:56:52 AM UTC-8, Brian Smith wrote:
> It is important to fix the DoS issue with the path building when there
> are many choices for the same subject. SKI/AKI matching only fixes the
> DoS issue for benign cases, not malicious cases. Therefore some way of
>
On Tuesday, December 13, 2016 at 2:36:15 PM UTC-8, Kathleen Wilson wrote:
> Thanks to all of you who have reviewed and commented on this request from
> Government of Taiwan, Government Root Certification Authority (GRCA), to
> include their renewed Government Root Certification Autho
All,
I will greatly appreciate it if a couple CAs would volunteer to be the first to
try out the new Audit Case ability in the Common CA Database.
https://wiki.mozilla.org/CA:CommonCADatabase#Updating_Audit_Information
Please send me a separate email if you are willing to help me with this.
On Friday, February 3, 2017 at 7:26:14 AM UTC-8, Jakob Bohm wrote:
>
> No, I am suggesting that while *still* listing it as a problematic
> practice for an edge case from a few CAs, Mozilla offers those few
> CAs an easier way out, while at the same time obtaining for both itself
> and any
This request from the Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu
SM), is to include the “TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1” root
certificate, and enable the Websites trust bit. This SHA-256 root certificate
will eventually replace the SHA1 “TÜBİTAK UEKAE Kök Sertifika
All,
Does section 7.1.4.2 of the CA/Browser Forum's Baseline Requirements only apply
to end-entity certificates?
If yes, where does it specify that in the document?
This has come up in a few CA requests, due to errors we get when we run Kurt's
x509lint test.
Example:
On Monday, January 30, 2017 at 11:27:39 AM UTC-8, Kathleen Wilson wrote:
> On Monday, January 30, 2017 at 11:13:43 AM UTC-8, Jeremy Rowley wrote:
> > Based on the Symantec disclosure, we ran a test on our own certs (including
> > cross-signed partners) and found the followi
On Monday, January 30, 2017 at 11:13:43 AM UTC-8, Jeremy Rowley wrote:
> Based on the Symantec disclosure, we ran a test on our own certs (including
> cross-signed partners) and found the following certificates that were issued
> contrary to the Baseline Requirements. All of these certificates
On Thursday, January 26, 2017 at 9:27:52 PM UTC-8, Steve Medin wrote:
> Here is an attached PDF update regarding this certificate problem report.
>
> Kind regards,
> Steven Medin
> PKI Policy Manager, Symantec Corporation
>
The PDF file provided by Steven has been attached to this bug:
Forwarded Message
Subject: Summary of January 2017 Audit Reminder Emails
Date: Tue, 17 Jan 2017 20:02:07 + (GMT)
Mozilla: Audit Reminder
Root Certificates:
ISRG Root X1
Standard Audit: https://cert.webtrust.org/SealFile?seal=1987=pdf
Audit Statement Date: 2015-12-15
BR
All,
We had to take down https://cert-checker.allizom.org/ due to a security
issue.
This site hosted cert tests, EV tests, and the PEM->JSON tool used by
the CA Community in Salesforce for importing intermediate cert data.
We are actively looking for a solution, but do not currently have a
I updated https://bugzilla.mozilla.org/show_bug.cgi?id=1299579#c9
with:
""
... here is the approach that we plan to take:
We will add the "Hongkong Post e-Cert CA 1 - 10" intermediate cert to OneCRL at
the end of October.
Please replace all of the SSL certs chaining up to this intermediate cert
Thanks to all of you who have provided thoughtful and constructive input into
this discussion.
I have filed https://bugzilla.mozilla.org/show_bug.cgi?id=1299579 to request
that the "Hongkong Post e-Cert CA 1 - 10" intermediate cert be added to OneCRL.
See the bug for further details.
Kathleen
On 8/26/16 4:36 PM, Kathleen Wilson wrote:
We've added two columns to the Revoked Intermediate CA Certificates
reports that are available here:
https://wiki.mozilla.org/CA:RevokedSubCAcerts
The reports are:
https://mozillacaprogram.secure.force.com/CA/PublicIntermediateCertsRevoked
and
https
On Thursday, August 4, 2016 at 10:51:58 AM UTC-7, Kathleen Wilson wrote:
>
> The CA has resolved the questions and concerns raised during the first
> discussion, and has provided an updated root certificate with corresponding
> updated documentation and audit statement.
>
On Thursday, August 25, 2016 at 2:37:43 PM UTC-7, Kathleen Wilson wrote:
> Does anyone else have questions, comments, or concerns about this request?
> If not, then I will proceed with recommending approval.
Thanks again to those of you who participated in this discussion about Amazon
On Monday, September 26, 2016 at 2:06:22 AM UTC-7, Gervase Markham wrote:
> Hi Kathleen,
>
> This generally all looks excellent, but:
>
> On 25/09/16 00:02, Kathleen Wilson wrote:
> > - 'CRl URl(s)' will be populated by urls ending with .crl only
>
> There is no stan
> Summary of changes:
>
> - 'Signature Hash Algorithm' will have new drop down list:
> md2WithRSAEncryption, md5WithRSAEncryption, sha1WithRSAEncryption,
> sha256WithRSAEncryption, sha384WithRSAEncryption, sha512WithRSAEncryption,
> ecdsaWithSHA256, ecdsaWithSHA384, ecdsaWithSHA521
> - 'Public
All,
Starting Sunday afternoon (PDT), we will be updating the production instance of
the Common CA Database (a.k.a. CA Community in Salesforce). This work will
continue into Monday. The system will still be available during that time, but
depending on when you access it or the corresponding
On Thursday, October 6, 2016 at 4:27:10 PM UTC-7, Peter Bowen wrote:
> On Thu, Oct 6, 2016 at 3:57 PM, Richard Barnes wrote:
> > I seem to recall we had some discussion a while back about what criteria
> > should be applied to email CAs. Where did we end up on that?
>
> I don't believe anything
On Wednesday, October 5, 2016 at 1:19:35 PM UTC-7, Kurt Roeckx wrote:
> This is why browsers have something like OneCRL, so that they
> actually do know about it and why Rob added that information
> to the bug tracker
> (https://bugzilla.mozilla.org/show_bug.cgi?id=906611#c2).
We are working on
On Thursday, September 8, 2016 at 9:07:33 AM UTC-7, Kathleen Wilson wrote:
> Does anyone have comments, questions, or concerns about this request from
> LuxTrust to include the "LuxTrust Global Root 2" certificate, turn on the
> Websites trust bit, and enable EV treatm
All,
In https://bugzilla.mozilla.org/show_bug.cgi?id=1301731 it was reported that
SHA-1 SSL certs have recently been issued in the IGC/A CA Hierarchy that is
owned by Government of France (ANSSI,DCSSI).
This root cert was already name constrained via
Added to the list here:
https://wiki.mozilla.org/CA:CertificatePolicyV2.3#Accountability
And, yes, I am fully aware that a policy update is way overdue. :-(
Thanks,
Kathleen
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
This request from Government of Taiwan, Government Root Certification Authority
(GRCA), is to include their Government Root Certification Authority root
certificate, and turn on the Websites and Email trust bits. This root cert will
eventually replace the previous GRCA root certificate that was
We've added two columns to the Revoked Intermediate CA Certificates
reports that are available here:
https://wiki.mozilla.org/CA:RevokedSubCAcerts
The reports are:
https://mozillacaprogram.secure.force.com/CA/PublicIntermediateCertsRevoked
and
On Thursday, August 11, 2016 at 4:36:02 PM UTC-7, Kathleen Wilson wrote:
> >> FNMT has applied to include the “AC RAIZ FNMT-RCM” root certificate
> >> and enable the Websites trust bit.
> >>
> >> Fábrica Nacional de Moneda y Timbre (FNMT) is a government
On Tuesday, September 27, 2016 at 3:12:20 AM UTC-7, Rob Stradling wrote:
> How about "CA Fingerprint"?
>
> Peter's "CA ID" suggestion is definitely better than "Certificate ID".
> However, since crt.sh already has an integer "CA ID" field, I'd prefer
> to call this Salesforce field "CA
On Thursday, August 4, 2016 at 10:51:58 AM UTC-7, Kathleen Wilson wrote:
> On Wednesday, March 23, 2016 at 2:08:19 PM UTC-7, Kathleen Wilson wrote:
> > On 12/17/15 5:34 PM, Kathleen Wilson wrote:
> > > The first discussion of LuxTrust's root inclusion request was
On Wednesday, September 21, 2016 at 9:04:53 PM UTC-7, Ryan Sleevi wrote:
> I've reviewed this CP/CPS set again, keeping in mind the previous comments on
> the first round of discussion, and I don't believe there's anything noted
> that should prevent this inclusion from continuing.
Thanks,
> "Certificate ID" seems like entirely the wrong name for this field,
> given that it [SHA-256(der(subject) + der(spki))] doesn't actually
> identify a unique certificate!
> Indeed, the whole point of having this
> field seems to be to identify _multiple_ related certificates.
Correct
> Why
> > - Reports which use 'Signature Algorithm'/ 'Signing Key Parameters' will
> > show the new fields instead.
> > - CSV Reports which use 'Signature Algorithm'/ 'Signing Key Parameters'
> > will show the new fields instead.
>
>
> The reports are still being updated. Some additional changes
I greatly appreciate the significant amount of effort that you all have been
putting into this investigation and discussion.
As Gerv pointed out, since I am Mozilla's CA Certificate Module owner, I have
the responsibility of making some decisions... I am continuing to mull over all
of your
More links in simplified Chinese:
Weibo: http://weibo.com/1663337394/EeutZ447K?type=comment#_rnd1477447436655
Toutiao: http://www.toutiao.com/i6345313124182131201/
Below is some coverage from China, all coverage contained message pull-through
from Mozilla's blog post and mentioned WoSign's
ttings.
If you are still unclear about which intermediate certificates your CA still
needs to disclose in the CA Community in Salesforce, one resource for
identifying such intermediate certificates is here:
https://crt.sh/mozilla-disclosures#undisclosed
Regards,
Kathleen Wilson, M
I have sent the email to the following CAs.
Root Owner | # Certs still to add to Salesforce
Actalis | 2
Asseco Data Systems S.A. (previously Unizeto Certum) | 1
Atos | 3
Autoridad de Certificacion Firmaprofesional | 6
Camerfirma | 19
certSIGN | 6
China Internet Network
On Tuesday, November 8, 2016 at 8:19:15 AM UTC-8, Gervase Markham wrote:
> Hi everyone,
>
> I'd like to take some action about persistent failures to properly
> disclose intermediates. The deadline for this was June, and CAs have had
> a number of reminders, so there's no excuse.
I've been
On Wednesday, November 9, 2016 at 4:16:56 AM UTC-8, Rob Stradling wrote:
> To have reached the incorrect conclusion that they'd "properly followed
> the requirement", a CA would've presumably either...
> 1. Looked at https://crt.sh/mozilla-disclosures#undisclosed, noticed
> that one or more of
On Wednesday, October 19, 2016 at 11:50:55 AM UTC-7, Gervase Markham wrote:
>
> Today at the CAB Forum I outlined some of Mozilla's thinking on how we
> rate the severity of incidents. It might be helpful to reproduce that
> here. This is what I said:
>
Thanks, Gerv!
I added that text to the
On Wednesday, October 19, 2016 at 3:13:50 PM UTC-7, okaphone.e...@gmail.com
wrote:
> Perhaps "haste" is not what you want here. How about "urgency"?
>
Yep. Changed in the wiki page.
Thanks,
Kathleen
intermediate certificate data you are expected to enter into the CA
Community in Salesforce, and instructions on how to do so.
Regards,
Kathleen Wilson, Mozilla CA Program Manager
~~
Thanks,
Kathleen
All,
I have filed the following two bugs.
WoSign Action Items:
https://bugzilla.mozilla.org/show_bug.cgi?id=1311824
StartCom Action Items:
https://bugzilla.mozilla.org/show_bug.cgi?id=1311832
I will work on a security blog that will probably get posted early next week.
It will point to these
at were capable of being used to issue new certificates, and
which directly or transitively chain to their certificate(s) included in
Mozilla’s CA Certificate Program and were not Technically Constrained via
Extended Key Usage and Name Constraint settings.
Regards,
Kathleen Wilson, Mo
On Thursday, October 20, 2016 at 6:59:08 PM UTC-7, Percy wrote:
> Kathleen,
> As most users affected by this decision are Chinese, will you be able to make
> the blog post available in Chinese on the security blog as well? You can ask
> the Chinese firefox community or me to translate.
>
> As
All,
I will greatly appreciate it if you will review this request from Government of
Taiwan, Government Root Certification Authority (GRCA) to include their
Government Root Certification Authority root certificate, and turn on the
Websites and Email trust bits. This root cert will eventually
On Friday, October 28, 2016 at 7:29:56 AM UTC-7, wangs...@gmail.com wrote:
> We have uploaded the latest translation of CP/CPS.
> CP: https://bugzilla.mozilla.org/attachment.cgi?id=8805543
> CPS: https://bug1128392.bmoattachments.org/attachment.cgi?id=8805545
> EV CP:
On Tuesday, November 15, 2016 at 3:58:26 PM UTC-8, Kathleen Wilson wrote:
> If there are no objections or concerns about this request, then I will
> recommend approval in the bug.
Thanks to those of you who reviewed and commented on this request from Symantec
to include their Symantec
On Tuesday, November 22, 2016 at 12:16:43 PM UTC-8, jo...@letsencrypt.org wrote:
> Between 11:30am and 4pm Pacific on November 21, 2016, a problem with
> the Let’s Encrypt issuance blocklist was identified, confirmed, and fixed.
>
>
> The following certificates were found to have been
I have created a wiki page listing CA Bugs in Bugzilla:
https://wiki.mozilla.org/CA/ca-bugs
There are two sections:
1) Open Incident Related Bugs
2) Open BR Compliance Bugs
The data is pulled directly from Bugzilla.
I will greatly appreciate help from everyone in driving all of the BR
Here's a summary of the audit reminder emails that were sent today.
The following is now automatically generated when the audit reminder emails get
sent.
Forwarded Message
Subject: Summary of November 2016 Audit Reminder Emails
Date: Tue, 15 Nov 2016 20:00:42 + (GMT)
On Monday, November 14, 2016 at 10:00:31 AM UTC-8, Peter Bowen wrote:
> Is there a CSV version of the upcoming root removals report?
> https://mozillacaprogram.secure.force.com/CA/UpcomingRootRemovalsReport
>
> Thanks,
> Peter
https://wiki.mozilla.org/CA:RemovedCAcerts
has these links:
Upcoming
On Tuesday, November 15, 2016 at 10:41:28 AM UTC-8, Peter Bowen wrote:
> I think Mozilla needs to update its guidance to CAs. The information
> checklist directions
> (https://wiki.mozilla.org/CA:Information_checklist#Verification_Policies_and_Practices)
> says "If the CP/CPS documents are not in
This request from Symantec is to only enable the Email trust bit for the
following 4 root certificates that will eventually replace the VeriSign-brand
class 1 and 2 root certs that are currently included in NSS.
1) Symantec Class 1 Public Primary Certification Authority - G6
2) Symantec Class 2
Per Bugzilla Bug #1314464 we are adding the "SecureSign Public CA11"
intermediate CA cert to OneCRL as a precautionary measure.
Here's some background on this...
The JCSI Root CA (SecureSign RootCA11) was acquired by Cybertrust Japan(CTJ) in
August 2014.
The current WebTrust CA audit
Just FYI...
We will be adding a new column to the revoked intermediate cert reports that
are available here:
https://wiki.mozilla.org/CA:RevokedSubCAcerts
It will be called "Alternate CRL" and will be between the current "CRL URL(s)"
and "OCSP URL(s)" columns.
The "Alternate CRL" field will
int settings.
If you are still unclear about which intermediate certificates your CA still
needs to disclose in the CA Community in Salesforce, you may view the data
here: https://crt.sh/mozilla-disclosures#undisclosed
Regards,
Kathleen Wilson, Mozilla CA Program Manager
~~
All,
Thanks again to all of you who have put in so much time and effort to determine
what happened with WoSign and StartCom and discuss what to do about it.
Based on the information that I have seen regarding WoSign, I believe that
WoSign intentionally bent the rules in order to continue
On Thursday, October 13, 2016 at 10:17:28 AM UTC-7, Jonathan Rudenberg wrote:
> Can you clarify if the notBefore cutoff is October 1, 2016, and
> not October 21, 2016? There are two conflicting dates in the listed actions.
My thinking is that we would distrust certs issued after next week (Oct
On Thursday, October 13, 2016 at 10:39:05 AM UTC-7, Han Yuwei wrote:
>
> Is this the final decision or still pending?
Please consider this the draft of my decision. We are actively working on the
Mozilla action items, but this plan is still open for discussion.
Thanks,
Kathleen
On Monday, October 10, 2016 at 1:08:24 PM UTC-7, Ryan Sleevi wrote:
> On Monday, October 10, 2016 at 11:39:19 AM UTC-7, Kathleen Wilson wrote:
> > I would like to remind everyone that when making decisions about what to do
> > about CA mis-issuance, it is expressly *not* a goal for
Thanks to all of you who have reviewed and commented on this request from
Government of Taiwan, Government Root Certification Authority (GRCA), to
include their renewed Government Root Certification Authority root certificate,
and turn on the Websites and Email trust bits.
To summarize this
In regards to updating
https://wiki.mozilla.org/CA:How_to_apply#Root_certificates_with_the_same_subject_and_different_keys
?
How about the following?
~~
The standards allow for two CA certificates to have the same subject names but
different subject public keys. Please try to avoid this,
All,
We have added Audit Archiving to the Common CA Database (a.k.a. CA Community in
Salesforce).
https://wiki.mozilla.org/CA:SalesforceCommunity#Audit_Archive
~~
As of December 13, 2016, audit statements for root certificates in the Common
CA Database are archived. The CCADB will regularly
On Wednesday, December 14, 2016 at 3:23:39 PM UTC-8, Kathleen Wilson wrote:
> On Wednesday, December 14, 2016 at 3:12:51 PM UTC-8, Kathleen Wilson wrote:
> > All,
> >
> > We have added Audit Archiving to the Common CA Database (a.k.a. CA
> > Community in Salesforce
All,
Many of you have noticed that I have transitioned the job of Information
Verification[1] of root inclusion/change requests to Aaron Wu and Francis Lee,
because I no longer have the bandwidth to do that work.
Additionally, I hope to get a new process rolled out in Q1 that will enable CAs
Thanks to all of you who provided suggestions about how to resolve the
sun.security.validator.ValidatorException errors.
JC has provided a .jks file of the NSS keystore as of December 19, 2016. So, we
will try resolving the errors by using this .jks file.
Thanks,
Kathleen