Adding Distrust-After Date columns to CCADB reports

2020-07-29 Thread Kathleen Wilson via dev-security-policy
All, I have been asked to add two columns to the following CCADB reports. Columns to add: 1) Distrust for TLS After Date 2) Distrust for S/MIME After Date Reports to update: 1) https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport 2)

Re: Adding Distrust-After Date columns to CCADB reports

2020-08-04 Thread Kathleen Wilson via dev-security-policy
While we're at it we're going to update the date format in the reports to -MM-DD. On 8/4/20 9:06 AM, Kathleen Wilson wrote: No concerns have been raised, so we will proceed with inserting the new columns between the "Trust Bits" and "EV Policy OID(s)" columns. On 7/29/20 11:11 AM,

Re: Adding Distrust-After Date columns to CCADB reports

2020-08-04 Thread Kathleen Wilson via dev-security-policy
No concerns have been raised, so we will proceed with inserting the new columns between the "Trust Bits" and "EV Policy OID(s)" columns. On 7/29/20 11:11 AM, Kathleen Wilson wrote: All, I have been asked to add two columns to the following CCADB reports. Columns to add: 1) Distrust for

Re: Audit Reminders for Intermediate Certs

2020-08-04 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of August 2020 Outdated Audit Statements for Intermediate Certs Date: Tue, 4 Aug 2020 14:00:25 + (GMT) CA Owner: Government of Taiwan, Government Root Certification Authority (GRCA) - Certificate Name: 行政院工商憑證管理中心 (MOEACA) SHA-256

CCADB Updates August 20-24: Policy Document Objects

2020-08-13 Thread Kathleen Wilson via dev-security-policy
All, Currently CCADB only allows for one CP URL and one CPS URL per root certificate, so we are updating the CCADB to enable many-to-many mapping between policy documents and root certificates. One or more policy documents may be provided and associated with one or more root certificates and

Re: Audit Reminders for Intermediate Certs

2020-07-07 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of July 2020 Outdated Audit Statements for Intermediate Certs Date: Tue, 7 Jul 2020 14:00:11 + (GMT) CA Owner: Government of Taiwan, Government Root Certification Authority (GRCA) - Certificate Name: 行政院工商憑證管理中心 (MOEACA) SHA-256

Re: Verifying Auditor Qualifications

2020-06-25 Thread Kathleen Wilson via dev-security-policy
On 6/24/20 8:48 PM, Ryan Sleevi wrote: On Wed, Jun 24, 2020 at 3:08 PM Kathleen Wilson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: I have updated the following section of the wiki page to incorporate feedback that I received from representatives of ACAB'c.

Re: Verifying Auditor Qualifications

2020-06-24 Thread Kathleen Wilson via dev-security-policy
I have updated the following section of the wiki page to incorporate feedback that I received from representatives of ACAB'c. https://wiki.mozilla.org/CA/Audit_Statements#Verifying_ETSI_Auditor_Qualifications I will greatly appreciate it if those of you familiar with ETSI audits will review

Re: Audit Reminder Email Summary

2020-06-18 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of June 2020 Audit Reminder Emails Date: Tue, 16 Jun 2020 19:00:31 + (GMT) Mozilla: Audit Reminder CA Owner: Shanghai Electronic Certification Authority Co., Ltd. (SHECA) Root Certificates: UCA Extended Validation Root UCA Global G2

Re: DRAFT May 2020 CA Communication/Survey

2020-06-03 Thread Kathleen Wilson via dev-security-policy
Based on the survey results, we (Ben and I) have recommended the following updates to the Browser Alignment Ballot. (currently in draft form here: https://github.com/sleevi/cabforum-docs/pull/10) 1) For the following changes proposed in the ballot, we have recommended that the effective date

Re: Verifying Auditor Qualifications

2020-06-04 Thread Kathleen Wilson via dev-security-policy
On 6/4/20 1:25 AM, Arvid Vermote wrote: Hi Kathleen Related to the below it would be helpful if the WebTrust organization would disclose additional details on the licensed WebTrust practitioners: right now there is no data publicly available on historical WebTrust auditor licensing. We don't

Re: Request to Include Microsec e-Szigno Root CA 2017 and to EV-enable Microsec e-Szigno Root CA 2009

2020-06-04 Thread Kathleen Wilson via dev-security-policy
On 6/4/20 11:17 AM, Ben Wilson wrote: Having received no further comments, I have recommended approval of this request in bug 1445364 - Ben To clarify, Ben is recommending approval of the request to include the e-Szigno Root CA 2017

Verifying Auditor Qualifications

2020-06-03 Thread Kathleen Wilson via dev-security-policy
All, It recently came to my attention that I need to be more diligent in verifying auditor qualifications. Therefore, we have added a field in the CCADB called “Date Qualifications Verified” (on Auditor Location objects), which will be used to remind root store operators to check each

Re: Audit Reminders for Intermediate Certs

2020-06-02 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of June 2020 Outdated Audit Statements for Intermediate Certs Date: Tue, 2 Jun 2020 14:00:11 + (GMT) intermediate certs chaining up to root certs in Mozilla's program.> ___

Re: Audit Reminder Email Summary

2020-07-27 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of July 2020 Audit Reminder Emails Date: Tue, 21 Jul 2020 19:00:13 + (GMT) Mozilla: Audit Reminder CA Owner: eMudhra Technologies Limited Root Certificates: emSign Root CA - C1 emSign ECC Root CA - C3 emSign ECC Root CA - G3

Re: CCADB Update to Salesforce Lightning Interface

2020-12-03 Thread Kathleen Wilson via dev-security-policy
On Thursday, December 3, we intend to migrate CCADB to Salesforce’s newer interface, called Lightning. Here is a document explaining the changes: https://docs.google.com/document/d/1RchT4pMUvzHkKpLPRYyzdhuIovVUKd88KwLyijzobT4/edit?usp=sharing The CCADB update to the newer Lightning

Re: CCADB Update to Salesforce Lightning Interface

2020-12-04 Thread Kathleen Wilson via dev-security-policy
On 12/3/20 10:30 AM, Kathleen Wilson wrote: On Thursday, December 3, we intend to migrate CCADB to Salesforce’s newer interface, called Lightning. Here is a document explaining the changes: https://docs.google.com/document/d/1RchT4pMUvzHkKpLPRYyzdhuIovVUKd88KwLyijzobT4/edit?usp=sharing

Re: Audit Reminders for Intermediate Certs

2020-12-01 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of December 2020 Outdated Audit Statements for Intermediate Certs Date: Tue, 1 Dec 2020 15:00:43 + (GMT) CA Owner: Government of The Netherlands, PKIoverheid (Logius) - Certificate Name: UZI-register Medewerker niet op naam CA G3

Re: Announcing the Chrome Root Program

2020-12-02 Thread Kathleen Wilson via dev-security-policy
Thank you, Ryan, for providing this very helpful information. ## What does this mean for the CA Certificates Module? Since 2015, I’ve been a Module Peer of the CA Certificates Module [1]. My role has been to support Kathleen and Ben, and previously also Wayne and Gerv, in performing detailed

CCADB Update to Salesforce Lightning Interface

2020-11-30 Thread Kathleen Wilson via dev-security-policy
CAs, On Thursday, December 3, we intend to migrate CCADB to Salesforce’s newer interface, called Lightning. Here is a document explaining the changes: https://docs.google.com/document/d/1RchT4pMUvzHkKpLPRYyzdhuIovVUKd88KwLyijzobT4/edit?usp=sharing Thanks, Kathleen

Re: Audit Reminder Email Summary

2020-12-15 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of December 2020 Audit Reminder Emails Date: Tue, 15 Dec 2020 20:00:28 + (GMT) Mozilla: Audit Reminder CA Owner: DigiCert Root Certificates: Symantec Class 2 Public Primary Certification Authority - G6 Symantec Class 1 Public Primary

Re: CCADB Update to Salesforce Lightning Interface

2020-12-16 Thread Kathleen Wilson via dev-security-policy
All, The new video about how to create an Audit Case in the CCADB is available here: https://www.ccadb.org/cas/updates#instructions Thanks, Kathleen ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org

2H2020 Symantec Root Updates

2020-12-14 Thread Kathleen Wilson via dev-security-policy
All, Continuing with the distrust of the old Symantec root certificates, 10 root certificates were removed via bug 1670769 from NSS 3.60 and Firefox 85. 1. GeoTrust Global CA 2. GeoTrust Primary Certification Authority 3. GeoTrust Primary Certification Authority - G3 4. thawte Primary Root

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-12 Thread Kathleen Wilson via dev-security-policy
PS: In the meantime, we will continue to verify auditor qualifications as described here: https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications On 11/12/20 4:27 PM, Kathleen Wilson wrote: > It is proposed in Issue #192 > that

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-12 Thread Kathleen Wilson via dev-security-policy
> It is proposed in Issue #192 > that information about > individual auditor's qualifications be provided--identity, competence, > experience and independence. (For those interested as to this independence > requirement, Mozilla Policy v.1.0

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-14 Thread Kathleen Wilson via dev-security-policy
On 11/13/20 1:43 PM, Ryan Sleevi wrote: In this regard, the principles from Mozilla's 1.0 Certificate Policy provide a small minimum, along with some of the language from, say, the FPKI, regarding technical competencies. The basis here is simply for the auditor to *disclose* why they believe

Re: Audit Reminder Email Summary

2020-11-18 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of November 2020 Audit Reminder Emails Date: Tue, 17 Nov 2020 20:01:50 + (GMT) Mozilla: Audit Reminder CA Owner: Google Trust Services LLC (GTS) Root Certificates: GTS Root R2 GTS Root R3 GTS Root R4 GTS Root R1 GlobalSign

Re: CCADB Proposal: Add field called Full CRL Issued By This CA

2020-11-18 Thread Kathleen Wilson via dev-security-policy
All, The following changes have been made in the CCADB: On Intermediate Cert pages: - Renamed section heading ‘Revocation Information’ to ‘Revocation Information for this Certificate’ - Added section called ‘Pertaining to Certificates Issued by this CA’ - Added 'Full CRL Issued By This CA'

Re: Policy 2.7.1: MRSP Issue #152: Add EV Audit exception for Policy Constraints

2020-11-06 Thread Kathleen Wilson via dev-security-policy
>> For this MRSP Issue #152 update to v2.7.1, I propose that we make each >> occurrence of "capable of issuing EV certificates" link to >> https://wiki.mozilla.org/CA/EV_Processing_for_CAs#EV_TLS_Capable In the definition of EV TLS Capable, I'd move the last bullet up to the top. Done.

Re: Audit Reminders for Intermediate Certs

2020-11-03 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of November 2020 Outdated Audit Statements for Intermediate Certs Date: Tue, 3 Nov 2020 15:00:07 + (GMT) CA Owner: AC Camerfirma, S.A. - Certificate Name: MULTICERT SSL Certification Authority 001 SHA-256 Fingerprint:

Re: Policy 2.7.1: MRSP Issue #152: Add EV Audit exception for Policy Constraints

2020-11-05 Thread Kathleen Wilson via dev-security-policy
On 10/16/20 11:26 PM, Ryan Sleevi wrote: Because of this, it seems that there is a simpler, clearer, unambiguous path for CAs that seems useful to move to: - If a CA is trusted for purpose X, that certificate, and all subordinate CAs, should be audited against the criteria relevant for X I am

Re: Audit Reminder Email Summary

2021-01-19 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of January 2021 Audit Reminder Emails Date: Tue, 19 Jan 2021 20:00:30 + (GMT) Mozilla: Audit Reminder CA Owner: Krajowa Izba Rozliczeniowa S.A. (KIR) Root Certificates: SZAFIR ROOT CA2 Standard Audit:

Re: Action on Camerfirma Root CAs

2021-02-10 Thread Kathleen Wilson via dev-security-policy
I filed https://bugzilla.mozilla.org/show_bug.cgi?id=1692094 to turn off the Websites trust bit for the 2008 root certs, and to set the "Distrust for S/MIME After Date" for the older root certs. Thanks, Kathleen

Re: Audit Reminders for Intermediate Certs

2021-02-02 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of February 2021 Outdated Audit Statements for Intermediate Certs Date: Tue, 2 Feb 2021 15:00:16 + (GMT) CA Owner: SECOM Trust Systems CO., LTD. - Certificate Name: JPRS Organization Validation Authority - G3 SHA-256 Fingerprint:

CCADB Update: Extended ALV to EV SSL Audits on Intermediate Certs

2021-01-22 Thread Kathleen Wilson via dev-security-policy
CAs, There are a couple updates to the CCADB that I would like to bring to your attention. 1) Added 'CCADB Release Notes' link to the CA home page. It links to: https://docs.google.com/document/d/1yMLYQFNH2JnOixVsByC99uoQd8fFfZcKlKBu-vgy3CU/edit#heading=h.6p4mru6ujyvl 2) Extended automated

Re: New intermediate certs and Audit Statements

2021-03-24 Thread Kathleen Wilson via dev-security-policy
On 3/24/21 5:32 AM, Rob Stradling wrote: On 9th July 2019, Kathleen wrote: I propose that to handle this situation, the CA may enter the subordinate CA's current audit statements and use the Public Comment field to indicate that the new certificate will be included in the next audit

MOVING mozilla.dev.security.policy to dev-security-policy in Mozilla’s Google Workspace (formerly GSuite)

2021-03-25 Thread Kathleen Wilson via dev-security-policy
All, This mozilla.dev.security.policy mailing list has been running on ancient custom-patched mailman software since the early Mozilla days. As many of you are aware, there are limitations and sometimes loss of data with the old configuration, so we are migrating this list to be hosted as a

CCADB Update to Audit and Root Inclusion Cases March 25-29

2021-03-25 Thread Kathleen Wilson via dev-security-policy
All, We will be applying updates to CCADB Audit Cases and Root Inclusion Cases starting tonight, March 25, and expected to be completed the afternoon of March 29. We will post the following message on the CCADB home page while the updates are in progress. -- UNDER CONSTRUCTION: Audit

Re: CCADB Update to Audit and Root Inclusion Cases March 25-29

2021-03-30 Thread Kathleen Wilson via dev-security-policy
All, The CCADB update has been completed, and the "UNDER CONSTRUCTION" notice will be removed today. There is still some cleanup that we will be doing, but you may proceed with using Audit Cases and Root Inclusion Cases now. Please let me know if you run into any problems with the CCADB.

Re: MOVING mozilla.dev.security.policy to dev-security-policy in Mozilla’s Google Workspace (formerly GSuite)

2021-04-01 Thread Kathleen Wilson via dev-security-policy
All, I posted the first message to the new group, with subject "WELCOME to dev-security-policy". If you do not receive the welcome message to the new group, you can subscribe to it by sending an email to dev-security-policy+subscr...@mozilla.org or to me or Ben. You can update your user

MOVED mozilla.dev.security.policy to dev-security-policy

2021-04-02 Thread Kathleen Wilson via dev-security-policy
All, This mozilla.dev.security.policy group has been moved to dev-security-policy in Mozilla’s Google Workspace (formerly GSuite). New Access Points: - Mailing List: dev-security-pol...@mozilla.org -- dev-security-policy@lists.mozilla.org will automatically forward to the new mailing list

Re: Audit Reminder Email Summary

2021-03-16 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of March 2021 Audit Reminder Emails Date: Tue, 16 Mar 2021 19:02:12 + (GMT) Mozilla: Audit Reminder CA Owner: certSIGN Root Certificates: certSIGN ROOT CA Standard Audit:

CCADB Proposal: Add field called JSON Array of Partitioned CRLs Issued By This CA

2021-02-24 Thread Kathleen Wilson via dev-security-policy
All, As previously discussed, there is a section on root and intermediate certificate pages in the CCADB called ‘Pertaining to Certificates Issued by this CA’, and it currently has one field called 'Full CRL Issued By This CA'. Proposal: Add field called 'JSON Array of Partitioned CRLs

Re: Audit Reminders for Intermediate Certs

2021-03-02 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of March 2021 Outdated Audit Statements for Intermediate Certs Date: Tue, 2 Mar 2021 15:00:24 + (GMT) CA Owner: SECOM Trust Systems CO., LTD. - Certificate Name: JPRS Organization Validation Authority - G3 SHA-256 Fingerprint:

Re: Audit Reminder Email Summary

2021-02-16 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of February 2021 Audit Reminder Emails Date: Tue, 16 Feb 2021 20:01:02 + (GMT) Mozilla: Audit Reminder CA Owner: Krajowa Izba Rozliczeniowa S.A. (KIR) Root Certificates: SZAFIR ROOT CA2 Standard Audit:
