Re: TrustCor root inclusion request

2017-08-24 Thread Kathleen Wilson via dev-security-policy
Thanks again to everyone who reviewed and commented on this request from TrustCor. I am now closing this discussion, and will recommend approval in the bug to include the “TrustCor RootCert CA-1”, “TrustCor RootCert CA-2”, and “TrustCor ECA-1” root certificates and enable the Websites and Email

Re: TrustCor root inclusion request

2017-08-17 Thread Kathleen Wilson via dev-security-policy
Thank you to everyone who has reviewed and commented on this request from TrustCor to include the “TrustCor RootCert CA-1”, “TrustCor RootCert CA-2”, and “TrustCor ECA-1” root certificates and enable the Websites and Email trust bits. I believe that all of the questions and concerns have been

Re: TrustCor root inclusion request

2017-08-17 Thread Andrew R. Whalley via dev-security-policy
Thanks Neil, I've looked over the updated CP and CPS documents and have no further comments or questions. Cheers, Andrew On Tue, Aug 15, 2017 at 12:18 PM, Neil Dunbar via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Andrew, > > SHA-1 has been removed from the TrustCor

Re: TrustCor root inclusion request

2017-08-15 Thread Neil Dunbar via dev-security-policy
Andrew, SHA-1 has been removed from the TrustCor OCSP list of acceptable hash algorithms for responder signatures. The minimum hash deemed acceptable now is SHA-256. We have updated the CP/CPS in section 6.1.5 to clarify that SHA-1 will no longer be honoured as a signature algorithm. Best

Re: TrustCor root inclusion request

2017-08-14 Thread Jakob Bohm via dev-security-policy
On 14/08/2017 21:48, Andrew Ayer wrote: On Mon, 14 Aug 2017 20:27:05 +0100 Neil Dunbar via dev-security-policy wrote: Note that TrustCor is capable of removing SHA-1 as a signature hash on OCSP responses, if the community determines it presents risk to

Re: TrustCor root inclusion request

2017-08-14 Thread Andrew Ayer via dev-security-policy
On Mon, 14 Aug 2017 20:27:05 +0100 Neil Dunbar via dev-security-policy wrote: > Note that TrustCor is capable of removing SHA-1 as a signature hash on > OCSP responses, if the community determines it presents risk to the > relying parties. However, this

Re: TrustCor root inclusion request

2017-08-14 Thread Neil Dunbar via dev-security-policy
Andrew, Many thanks for reading and commenting on the policy documents. In order to clarify and correct the issues which you highlight, new versions (at version 1.3.2) of both CP and CPS have been published. A summary of our actions follows. Paragraphs introduced with the text "" indicate our

Re: TrustCor root inclusion request

2017-08-12 Thread Neil Dunbar via dev-security-policy
Andrew. Thank you for the review, comments and questions on TrustCor's policy documents. We are in the process of reviewing your comments and formulating a response to each. We will provide our response and updates before EOB Tuesday, August 15th, published to this discussion list. Have

Re: TrustCor root inclusion request

2017-08-12 Thread Neil Dunbar via dev-security-policy
Andrew. Thank you for the review, comments and questions on TrustCor's policy documents. We are in the process of reviewing your comments and formulating a response to each. We will provide our response and updates before EOB Tuesday, August 15th, published to this discussion list. Have

Re: TrustCor root inclusion request

2017-08-11 Thread Neil Dunbar via dev-security-policy
Andrew. Thank you for the review, comments and questions on TrustCor's policy documents. We are in the process of reviewing your comments and formulating a response to each. We will provide our response and updates before EOB Tuesday, August 15th, published to this discussion list. Have a

Re: TrustCor root inclusion request

2017-08-10 Thread Andrew R. Whalley via dev-security-policy
Greetings, I have reviewed TrustCor's CP and CPS (both at version 1.3.1) and made the following notes: *CP* (http://www.trustcor.ca/resources/cp.pdf) 1.6.3 1.6.4 Nit: Section 1.1 says that "Sections which do not apply to TrustCor CA, or where TrustCor CA makes no authoritative statement, will

Re: TrustCor root inclusion request

2017-05-19 Thread Neil Dunbar via dev-security-policy
> On 19 May 2017, at 10:24, Gervase Markham via dev-security-policy > wrote: > > On 18/05/17 23:40, Nick Lamb wrote: >> Mmmm. I believe only 3.2.2.4 is acceptable to Mozilla, am I wrong >> here? Judging from self-assessment document, TrustCor's actual >>

Re: TrustCor root inclusion request

2017-05-19 Thread Gervase Markham via dev-security-policy
On 18/05/17 23:40, Nick Lamb wrote: > Mmmm. I believe only 3.2.2.4 is acceptable to Mozilla, am I wrong > here? Judging from self-assessment document, TrustCor's actual > practices are all intended to be 3.2.2.4 compliant (I will examine in > more detail later) but the language here suggests it

Re: TrustCor root inclusion request

2017-05-18 Thread Nick Lamb via dev-security-policy
On Thursday, 18 May 2017 04:23:17 UTC+1, Aaron Wu wrote: > - DV SSL Certificates - the domain name registrar must list the applicant as > part of the WHOIS record; or effective control of the domain shall be > demonstrated by the applicant or communication satisfying BR 3.2.2.4 shall be >

TrustCor root inclusion request

2017-05-17 Thread Aaron Wu via dev-security-policy
This request from TrustCor is to include the “TrustCor RootCert CA-1”, “TrustCor RootCert CA-2”, and “TrustCor ECA-1” root certificates and enable the Websites and Email trust bits. TrustCor, located in Canada, is a commercial organization that develops privacy protection services and issues