Re: Feasibility of a binding commitment to revoke before issuance

2024-07-24 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Mike and Amir, Here are some of the goals that come to my mind from the perspective of the Mozilla Root Program, followed by my short response concerning what to do with the current framework. 1. Security and Privacy of Users: Our foremost goal, from Principle #4 of the Mozilla Manifesto

Re: Feasibility of a binding commitment to revoke before issuance

2024-07-24 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Thanks, everyone, for keeping this conversation going. It's essential that we continue because I believe the current framework is unworkable. Ben On Wed, Jul 24, 2024 at 2:53 PM Mike Shaver wrote: > On Wed, Jul 24, 2024 at 2:36 PM 'Ben Wilson' via > dev-security-policy@mozilla.org

Re: Feasibility of a binding commitment to revoke before issuance

2024-07-24 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Dear Tim and Matt, Thank you both for your insightful comments and contributions to the ongoing discussion regarding timely certificate revocation. Your perspectives are invaluable as we strive to find balanced and effective solutions to this problem. Tim, your proposal to identify

Reminder: Mozilla's Community Participation Guidelines and Bugzilla Etiquette

2024-07-24 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Dear Community Members, As part of our ongoing commitment to fostering a respectful and productive environment, I would like to remind everyone of the importance of adhering to Mozilla’s Community Participation Guidelines

Re: Phasing out Legacy S/MIME Certificates

2024-07-16 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
r your attention to this matter. Ben On Wednesday, June 5, 2024 at 9:54:19 AM UTC-6 Ben Wilson wrote: > All, > > The Mozilla Root Store Policy incorporates the CA/B Forum's S/MIME > Baseline Requirements > <https://cabforum.org/working-groups/smime/requirements/> (BRs). The >

Re: Intent to Approve Cybertrust / JCSI Japan Root Inclusions

2024-07-11 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
wrote: > Dear Ben, > > Thank you for your help. > We would like Mozilla to set the key purpose of "websites" for both CA14 > and 15. > > Best regards, > Mitsuyoshi Tamura > Cybertrust Japan > > Wednesday, July 10, 2024 23:09:36 UTC+9 Ben Wilson: > >> Dea

Re: Intent to Approve Cybertrust / JCSI Japan Root Inclusions

2024-07-10 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
so change for single purpose before start > issuing certificates for subscribers. > > Best regards, > Mitsuyoshi Tamura > Cybertrust Japan > > P.S. > Please allow me to comment by miraclelinux.com domain that our company > possesses. > > Tuesday, July 9, 2024 6:19:08 UTC+9 Ben Wilson:

Re: Intent to Approve Cybertrust / JCSI Japan Root Inclusions

2024-07-08 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
g EKS, but the new > set of 3 has Server auth in all of them along with a mix of other EKUs. > > > > When do CAs need to start providing dedicated TLS roots? > > > > Doug > > > > *From:* 'Ben Wilson' via dev-security-policy@mozilla.org < > dev-secur

Intent to Approve Cybertrust / JCSI Japan Root Inclusions

2024-07-08 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
ast call” period for any final objections. Should there be any further concerns, please share them within this period. Thanks, Ben Wilson Mozilla Root Store Manager -- You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group. T

Re: Approval of Taiwan CA's Root Inclusion Request

2024-07-08 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
ecifically, on this incident: >> https://bugzilla.mozilla.org/show_bug.cgi?id=1886110 0 they didn't even >> understand what revocation actually entails. >> >> I'll go even further that Mozilla should consider a motion of distrust on >> this CA rather than extending trust t

Re: Recent Entrust Compliance Incidents

2024-07-01 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
, Ben Wilson Mozilla Root Store Manager On Thursday, June 27, 2024 at 3:04:03 PM UTC-6 Mike Shaver wrote: > I don't know what the calculus will be for Google's trust of > Entrust-issued BIMI certificates, but I am pretty sure that they won't be > announcing that policy on MDSP—you

Draft "Lessons Learned" Wiki Page – Seeking Feedback

2024-06-30 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
e community. Please send your comments to me directly or add them to the discussion page linked from the wiki. We look forward to your input and collaboration. Thank you for your continued support and commitment to maintaining high standards of security and compliance for CAs. Ben Wilson Mozill

Re: Mozilla delayed revocation incident expectations

2024-06-26 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
I think it would be good to collect and analyze use-case environments from subscribers who have requested delayed revocation, if anyone has bandwidth. Thanks, Ben On Wed, Jun 26, 2024 at 2:15 PM Zacharias Björngren < zacharias.bjorng...@gmail.com> wrote: > ”Non-production services aren’t

Re: Proposal for a 24-hour pause in Entrust Discussion

2024-06-25 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
ially change the dynamic, but I’m >> willing to give it a shot! >> >> Mike >> >> On Tue, Jun 25, 2024 at 5:32 PM 'Ben Wilson' via dev-secur...@mozilla.org >> wrote: >> >>> Hi Everyone, >>> >>> In light of the recent e

Proposal for a 24-hour pause in Entrust Discussion

2024-06-25 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Hi Everyone, In light of the recent exchanges regarding the Entrust report, I would like to propose a 24-hour pause in our discussions. This would give us an opportunity to reflect on the questions asked and the information shared thus far. It will also help to ensure that comments or responses

Re: Recent Entrust Compliance Incidents

2024-06-21 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Thanks. I think the best way to respond is for each person to gather all of their comments into a single email with a list of remaining issues found and then submit it to this thread. Thanks, Ben On Fri, Jun 21, 2024 at 1:21 PM Mike Shaver wrote: > Thanks, Bruce. > > On first quick read of the

Re: Recent Entrust Compliance Incidents

2024-06-12 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Wilson wrote: > Hi Mike, > Requests for clarification will be posted here. > Thanks, > Ben > > On Mon, Jun 10, 2024 at 5:41 PM Mike Shaver wrote: > >> On Mon, Jun 10, 2024 at 7:28 PM Ben Wilson wrote: >> >>> Preferably here, but if the requests for cla

Re: Distrust dates for GLOBALTRUST 2020 CA

2024-06-12 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Dear Andrew and all, We understand your concerns. We are evaluating and considering your suggestions. Thanks, Ben Wilson Mozilla Root Program Manager On Tuesday, June 11, 2024 at 4:58:02 PM UTC-6 rdau...@gmail.com wrote: > I have to echo the sentiments, and question what sett

Re: Distrust dates for GLOBALTRUST 2020 CA

2024-06-11 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
authentication and S/MIME certificates issued before June 30, 2024, > > will be unaffected by this change, but certificates issued after June > > 30, 2024, will not be trusted. > > > > We want to clarify that although a separate assessment of ECM’s > > continued inclu

Re: Distrust dates for GLOBALTRUST 2020 CA

2024-06-11 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
For CT-checking - the meta bug is here - https://bugzilla.mozilla.org/show_bug.cgi?id=1281469 Ben On Tue, Jun 11, 2024 at 9:55 AM Mike Shaver wrote: > Sorry, I meant for the CT-based validity checking! > > Mike > > On Tue, Jun 11, 2024 at 11:49 AM 'Ben Wilson' via > d

Re: Distrust dates for GLOBALTRUST 2020 CA

2024-06-11 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Here is the Bugzilla bug - https://bugzilla.mozilla.org/show_bug.cgi?id=1901080 Ben On Tuesday, June 11, 2024 at 9:43:33 AM UTC-6 Mike Shaver wrote: > On Tue, Jun 11, 2024 at 11:39 AM 'Ben Wilson' via > dev-security-policy@mozilla.org wrote:. > >> Our long-term plan is to enhan

Re: Distrust dates for GLOBALTRUST 2020 CA

2024-06-11 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
be > taken into account. If solely based on NotBefore, are you monitoring for > backdated certificates in any way? > > Thanks, > > -dadrian > > On Tue, Jun 11, 2024 at 10:59 AM 'Ben Wilson' via > dev-security-policy@mozilla.org wrote: > >> All, >> >

Distrust dates for GLOBALTRUST 2020 CA

2024-06-11 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
tore in the future, that application will be considered on its merits. Sincerely yours, Ben Wilson Mozilla Root Program Manager

Re: Recent Entrust Compliance Incidents

2024-06-10 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Hi Mike, Requests for clarification will be posted here. Thanks, Ben On Mon, Jun 10, 2024 at 5:41 PM Mike Shaver wrote: > On Mon, Jun 10, 2024 at 7:28 PM Ben Wilson wrote: > >> Preferably here, but if the requests for clarification are structured in >> markdown in B

Re: Recent Entrust Compliance Incidents

2024-06-10 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
> Does this mean that Mozilla feels that the action items listed in that bug > are sufficiently detailed and concrete that they are appropriate as steps > for Entrust to take at this point? > > Mike > > On Mon, Jun 10, 2024 at 4:16 PM 'Ben Wilson' via >

Re: Recent Entrust Compliance Incidents

2024-06-10 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
'Bruce Morton' via dev-security-policy@mozilla.org wrote: > Please respond to comments you may have on our report or action items > here. We will track our progress against the action items list in Bugzilla > under bug 1901270. > > On Friday, June 7, 2024 at 12:51:48 PM UTC-4 Ben W

Re: Recent Entrust Compliance Incidents

2024-06-07 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
ations to implement new best-practice >>> standards, often at a short notice. >>> >>> In 2020, Apple unilaterally opted for shorter TLS certificate durations, >>> reducing them from three years to 398 days, thereby increasing the burden >>> on certifi

Approval of Taiwan CA's Root Inclusion Request

2024-06-04 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Greetings, Public discussion regarding inclusion of the TWCA CYBER Root CA (websites trust bit with EV) and the TWCA Global Root CA G2 (email trust bit) began on the CCADB Public List on April 22, 2024 ( https://groups.google.com/a/ccadb.org/g/public/c/rAsxoNILZ6A/m/vqn7iTHEAwAJ) and concluded

Help Improve the Mozilla Root Store Policy

2024-06-04 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
All, I am collecting suggested updates to improve the Mozilla Root Store Policy (MRSP). Share your thoughts on how we can make the MRSP more clear and better for improving Internet security. Feel free to

Re: Vulnerability Disclosure - How does it happen?

2024-05-23 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Amir, To answer the last question first, Chunghwa Telecom did not disclose this recent attack, but I don't think we have sufficient information from the article to determine the effects of the breach on the CA operations. So without more information, it might be premature to answer the question,

Re: Recent Entrust Compliance Incidents

2024-05-10 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
00 UTC with all > certificates being revoked by 2023-11-26 14:50 UTC, but I don't think > that's correct if that was the case. > > On Friday, May 10th, 2024 at 5:27 PM, 'Ben Wilson' via > dev-security-policy@mozilla.org wrote: > > Here are draft summaries of the additional hist

Re: Recent Entrust Compliance Incidents

2024-05-10 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
gi?id=1802916 > https://bugzilla.mozilla.org/show_bug.cgi?id=1804753 > https://bugzilla.mozilla.org/show_bug.cgi?id=1867130 > > On Tue, May 7, 2024 at 7:59 AM 'Ben Wilson' via > dev-security-policy@mozilla.org > wrote: > > > > Dear Mozilla Community, > > > > Ove

Recent Entrust Compliance Incidents

2024-05-07 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
t’s report presents a credible and effective path towards re-establishing trust in Entrust’s operation. Submission should be no later than June 7, 2024. We thank community members for their engagement on these issues and look forward to their feedback on Entrust’s report and proposed commitments.

Re: comment on Entrust_Issues wiki page

2024-05-06 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
All, I hadn't announced this page yet, hoping to reference it in an email currently undergoing internal review. But thanks for your comment. I'll see about posting the email as soon as I can. Thanks, Ben On Mon, May 6, 2024 at 3:58 PM Mike Shaver wrote: > The page lists the following issue: > >

Re: Public Discussion of Acquisition of e-commerce monitoring GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH

2024-04-30 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
hem? > > On Tuesday, March 5, 2024 at 11:18:13 AM UTC-5 Ben Wilson wrote: > >> All, >> March 1 was the scheduled end of public discussion on this matter. >> However, I have one unresolved question that I have presented to the CA >> operator and its audit firm regarding ACAB'c

Approval of Firmaprofesional CA Root-A Web

2024-03-25 Thread Ben Wilson
All, Public discussion regarding inclusion of the Firmaprofesional CA ROOT-A WEB began on the CCADB Public List on January 31, 2024 ( https://groups.google.com/a/ccadb.org/g/public/c/3TXrvZC0isw/m/TMkE2rb_AAAJ) and concluded on March 13 (

Re: Public Discussion of Acquisition of e-commerce monitoring GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH

2024-03-05 Thread Ben Wilson
lschaft” (large corporation) and therefore >> needs to comply with all regulations of the Austrian GmbHG (limited >> liabilities company Act) and UGB (Commercial Code). >> >> e-commerce monitoring GmbH was taken over as a fully functional and >> independent

Re: Public Discussion of Acquisition of e-commerce monitoring GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH

2024-02-06 Thread Ben Wilson
If incidents are sufficiently recent or still have relevance, then we could update the Bugzilla bugs "Summaries" by replacing the name of the previous operator with the name of the new entity when there is a name change or CA operator replacement.) Ben > > Thanks, > Aar

Re: Public Discussion of Acquisition of e-commerce monitoring GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH

2024-02-02 Thread Ben Wilson
the Mozilla Root Store Policy >> >> ·Ownership and governance >> >> ·Investment and budget for CA operations, risk management, and >> compliance >> >> ·Community engagement and involvement in industry groups >> >> ·E

Public Discussion of Acquisition of e-commerce monitoring GmbH by AUSTRIA CARD-Plastikkarten und Ausweissysteme GmbH

2024-02-02 Thread Ben Wilson
t in industry groups ·Employee expertise and continuity ·Operational design and ongoing GRC management ·Auditors and auditing Thanks, Ben Wilson Mozilla Root Store Program

Re: known bad certs blocklist

2024-01-09 Thread Ben Wilson
Hello Jan, This OneCRL list might be what you are looking for - https://crt.sh/mozilla-onecrl. Ben On Tue, Jan 9, 2024 at 9:17 AM 'Jan Schaumann' via dev-security-policy@mozilla.org wrote: > Hello, > > Is there a community-shared blocklist of known bad > certs (keys)? > > Chrome has > >

Re: Improvements to Vulnerability Disclosure wiki page

2024-01-04 Thread Ben Wilson
s that were missing in > the initial communication. > > > > Kind regards > Roman > > > > *From:* dev-security-policy@mozilla.org *On > Behalf Of *Ben Wilson > *Sent:* Wednesday, November 22, 2023 20:35 > *To:* dev-secur...@mozilla.org > *Subject:* Re: Improvemen

Deutsche Telekom Security's Root Inclusion Request

2024-01-03 Thread Ben Wilson
All, Public discussion began on the CCADB Public List on Nov. 1, 2023 ( https://groups.google.com/a/ccadb.org/g/public/c/yiJ-bkv-Ftg/m/JsbbxpZJBAAJ) and concluded on Dec. 13 ( https://groups.google.com/a/ccadb.org/g/public/c/yiJ-bkv-Ftg/m/lxwjZDvhAAAJ) regarding Deutsche Telekom Security's

Re: S/MIME BR Transition Wiki Page

2024-01-02 Thread Ben Wilson
CA *must be audited according to the S/MIME BRs if the email trust bit is to be enabled *.* *A* , and the CA operator’s CP or CPS must state that they follow the current version of the S/MIME BRs. Are there any comments or suggestions? Thanks, Ben On Wed, Jul 19, 2023 at 11:01 AM Ben Wilson

D-Trust Inclusion Request (Email Trust Bit)

2023-12-19 Thread Ben Wilson
All, Public discussion concluded last Friday, Dec. 15, on the CCADB Public List, for D-Trust's root inclusion request. https://groups.google.com/a/ccadb.org/g/public/c/EPVczE_6oCc/m/jsZ0CsgdAAAJ This is notice that I am recommending approval of D-Trust's request to include the following root CA

Re: Improvements to Vulnerability Disclosure wiki page

2023-11-22 Thread Ben Wilson
zilla.org/CA/Vulnerability_Disclosure#Markdown_Template> that can be used in Bugzilla. Ben On Wed, Sep 27, 2023 at 11:47 AM Ben Wilson wrote: > All, > As mentioned in a previous email, I am soliciting feedback regarding the > Vulnerability > Disclosure wiki page > &

Updated Incident Reporting Requirements

2023-10-17 Thread Ben Wilson
All, The framework for reporting compliance incidents has been updated on the CCADB website. See https://www.ccadb.org/cas/incident-report. Note that the expected contents in Sections 1 through 7 of an incident report have changed. Effective immediately, incident reports should use the markdown

Intent to Approve Commscope's CA Inclusion Request

2023-10-13 Thread Ben Wilson
All, We recently concluded a 6-week public discussion on the CCADB list of the request for inclusion of root CA certificates by Commscope. See https://groups.google.com/a/ccadb.org/g/public/c/HVwBXDw6GnU/m/q2WRYe_TBQAJ. In accordance with Step 7 of the Mozilla inclusion process,

Improvements to Vulnerability Disclosure wiki page

2023-09-27 Thread Ben Wilson
All, As mentioned in a previous email, I am soliciting feedback regarding the Vulnerability Disclosure wiki page . If you have any specific suggestions that we can use to enhance clarity or to make the page more complete, please don't hesitate

Re: MRSP 2.9: Survey Results - August 2023 CA Communication and Survey

2023-09-27 Thread Ben Wilson
of these terms accordingly. Thanks, Ben and Kathleen On Mon, Sep 18, 2023 at 10:01 AM Ben Wilson wrote: > All, > The period for submitting survey responses has now concluded, and the > results are in the sheet linked below (in my previous email). > I will now summarize the com

Re: MRSP 2.9: Survey Results - August 2023 CA Communication and Survey

2023-09-18 Thread Ben Wilson
All, The period for submitting survey responses has now concluded, and the results are in the sheet linked below (in my previous email). I will now summarize the comments and post them here. Thanks, Ben On Fri, Sep 8, 2023 at 2:12 PM Ben Wilson wrote: > All, > > While survey

Blog Post About Mozilla Root Store Policy Version 2.9

2023-09-18 Thread Ben Wilson
All, Recently, I posted on the Mozilla Security Blog a brief overview of updates to the Mozilla Root Store Policy (v 2.9). See https://blog.mozilla.org/security/2023/09/13/version-2-9-of-the-mozilla-root-store-policy/ Ben

MRSP 2.9: Survey Results - August 2023 CA Communication and Survey

2023-09-08 Thread Ben Wilson
All, While survey responses are not due until Sept. 15th, here are the results we've received thus far. https://docs.google.com/spreadsheets/d/1xJ6VRs2R0tw3-QHoIRzIIO8MWWoqNs576KOxPKYsp3w/edit?usp=sharing Thanks, Ben

Re: MRSP 2.9: Draft CA Communication and Survey

2023-08-29 Thread Ben Wilson
Communication and Survey, then please contact me directly, and I will provide you with the link. Thanks, Ben On Fri, Aug 18, 2023 at 4:20 PM Ben Wilson wrote: > All, > Below for your review and comment is a draft CA Communication and Survey > to be sent next week via the CCADB to all CA

MRSP 2.9: Draft CA Communication and Survey

2023-08-18 Thread Ben Wilson
All, Below for your review and comment is a draft CA Communication and Survey to be sent next week via the CCADB to all CA operators in Mozilla's root store. Thanks, Ben Mozilla CA Operator Survey - Respond By September 15, 2023 Section 1: The purpose of this communication and survey is to ensure

Re: MRSP 2.9: S/MIME BRs and Audits

2023-08-18 Thread Ben Wilson
in the subjectAltName. Please provide any questions or comments. Otherwise, I'll assume that discussion of this matter can be closed. Thanks, Ben On Wed, Jul 19, 2023 at 3:06 PM Ben Wilson wrote: > All, > > For comment and discussion, here is some draft language for replacement i

Re: MRSP 2.9: Issues 261, 263 and 267, Miscellaneous Clarifications and Corrections

2023-08-18 Thread Ben Wilson
All, I don't believe we received any comments or questions, and the proposed changes have been made to the draft version of MRSP v.2.9. Therefore, I will assume that discussion of these issues can now be closed. Thanks, Ben On Thu, Jul 13, 2023 at 2:23 PM Ben Wilson wrote: > All, > > T

Re: MRSP 2.9: Issue #250: Clarify MRSP 5.3.2 to expressly include revoked CA certificates

2023-08-18 Thread Ben Wilson
-Mozilla/pkipolicy/commit/b8f6e16aaf16324bcdca7653e6b8e3f2d25070c7 . Unless there are additional comments, I am assuming that discussion on this topic is now closed. Thanks, Ben On Wed, Jul 5, 2023 at 1:28 PM Ben Wilson wrote: > All, > > This email opens up discussion of our

Re: MRSP 2.9: Issue #239: Audit Statement Content

2023-08-18 Thread Ben Wilson
can now be closed. Here is a reference to the currently proposed language: https://github.com/BenWilson-Mozilla/pkipolicy/commit/117054ecf1eff757cfebe40d7c952ce1e3fca920 . Thanks, Ben On Thu, Jun 29, 2023 at 8:44 AM Ben Wilson wrote: > Hi Pedro, > If the CA has two sites, one primary a

Re: MRSP 2.9: Issue #254: Harmonize CRL Reason Codes with CA/B Forum Revocation Reasons

2023-08-18 Thread Ben Wilson
#End_Entity_TLS_Certificate_CRLRevocation_Reasons Unless I hear otherwise, I will assume that this closes discussions on this Issue #254. Ben On Thu, Jun 22, 2023 at 11:04 AM Ben Wilson wrote: > All, > > This email opens up discussion of our proposed resolution of GitHub Issue > #254 <https://github.com/mozilla/pkipo

TrustAsia CA Root Inclusion Request

2023-08-17 Thread Ben Wilson
All, Public discussion concluded yesterday, August 16th, on the CCADB Public List, for TrustAsia's root inclusion request. See https://groups.google.com/a/ccadb.org/g/public/c/KHaSShYA-eY/m/D7J6ycgZAgAJ This is notice that I am recommending approval of TrustAsia's request to include the

Re: MRSP 2.9: Final Review of MRSP 2.9

2023-08-09 Thread Ben Wilson
ozilla/pkipolicy/blob/2.9/rootstore/policy.md Thanks, Ben On Thu, Jul 27, 2023 at 9:50 AM Ben Wilson wrote: > All, > > Here is a link to a GitHub comparison that shows all changes proposed to > the MRSP for version 2.9: > https://github.com/mozilla/pkipolicy/compare/e8a3f55ea7565bc72e9

Re: MRSP 2.9: S/MIME BRs Transition Timeline

2023-07-28 Thread Ben Wilson
Greetings again, This has been posted on our CA wiki page of transition instructions related to CA implementation of the S/MIME BRs - https://wiki.mozilla.org/CA/Transition_SMIME_BRs#Audit_Migration_Plan. Thanks, Ben On Fri, Jun 16, 2023 at 10:36 AM Ben Wilson wrote: > Greetings, >

Re: MRSP 2.9: S/MIME BRs and Audits

2023-07-28 Thread Ben Wilson
pe id-on-SmtpUTF8Mailbox in the subjectAltName (i.e. an "email certificate")? Thanks, Ben On Wed, Jul 19, 2023 at 3:06 PM Ben Wilson wrote: > All, > > For comment and discussion, here is some draft language for replacement in > MRSP > section 1.1 Scope > <

Re: MRSP 2.9: Issue #123: Annual Compliance Self-Assessment

2023-07-27 Thread Ben Wilson
days to send the self-assessment, based on the end > date of the audit... I don't see then why you add the SHOULD to do it at > the same time. > > Maybe I missed something... > > On Thursday, July 27, 2023 at 17:26:35 UTC+2, Ben Wilson wrote: > >> Thanks, Bru

MRSP 2.9: Final Review of MRSP 2.9

2023-07-27 Thread Ben Wilson
All, Here is a link to a GitHub comparison that shows all changes proposed to the MRSP for version 2.9: https://github.com/mozilla/pkipolicy/compare/e8a3f55ea7565bc72e9f9e9ab3e57c993fb0812d..342c5ab3172e3be4eca1b6e2bba6a61900e1c4f8 Alternatively, you can review the unmarked draft version 2.9

Re: MRSP 2.9: Issue #123: Annual Compliance Self-Assessment

2023-07-27 Thread Ben Wilson
wrote: > Looks good. There might be an issue with the version of the > self-assessment template as I don't think the CAs know when it will be > updated. Is there a schedule or is this random? > > On Thursday, July 27, 2023 at 11:01:17 AM UTC-4 Ben Wilson wrote: > >> Thank

Re: MRSP 2.9: Issue #123: Annual Compliance Self-Assessment

2023-07-27 Thread Ben Wilson
ds a self-assessment for a root inclusion > request. So, in many cases the first self-assessment is already done. > > On Thursday, July 27, 2023 at 10:40:56 AM UTC-4 Ben Wilson wrote: > >> Thanks, Bruce. If we took that approach, then the language in MRSP >> section 3.4 m

Re: MRSP 2.9: Issue #123: Annual Compliance Self-Assessment

2023-07-27 Thread Ben Wilson
cord's “BR Audit Period End Date” for the > preceding audit period. CA owners should submit the self assessment to the > CCADB at the same time as uploading audit reports.” * > > Perhaps a CCADB policy could be proposed to address this requirement > consistently. > > Thanks, B

Re: MRSP 2.9: Issues #252 and #266 - Incident Reporting

2023-07-26 Thread Ben Wilson
n > > -Original Message- > From: dev-security-policy@mozilla.org > On Behalf Of Matt Palmer > Sent: Wednesday, July 12, 2023 08:03 > To: dev-security-policy@mozilla.org > Subject: Re: MRSP 2.9: Issues #252 and #266 - Incident Reporting > > On Tue, Jul 11, 2

Re: MRSP 2.9: Issue #123: Annual Compliance Self-Assessment

2023-07-26 Thread Ben Wilson
And, for section 3.3 (CPs and CPSes), I am thinking that the same change should be made from 365 to 366 days, and that item 4 would read, "all CPs, CPSes, and combined CP/CPSes MUST be reviewed and updated as necessary at least once every 366 days." Ben On Wed, Jul 26, 2023 at 3:35 PM

Re: MRSP 2.9: Issue #123: Annual Compliance Self-Assessment

2023-07-26 Thread Ben Wilson
self-assessment >> at least every 365 days, then each year it will be earlier to provide some >> insurance time to meet the requirement. Is there any way we can provide the >> requirement to stop this progression? Something like "on an annual basis, >> but not more longer

Re: MRSP 2.9: Issue#232: Root CA Lifecycles

2023-07-26 Thread Ben Wilson
However, I think "forever > forbidden" is unnecessarily harsh! > > So I suggest changing "MUST" to "SHOULD". > > -- > *From:* dev-security-policy@mozilla.org > on behalf of Ben Wilson > *Sent:* 26 July 2023 16:42 > *T

MRSP 2.9: Issue#232: Root CA Lifecycles

2023-07-26 Thread Ben Wilson
All, We previously announced this change in policy over a year ago, and will be finalizing it in Version 2.9 of the Mozilla Root Store Policy (MRSP). Please review this addition, and let us know if you have any final comments. - Begin MRSP Revision - *7.4 Root CA Lifecycles* For a root

Re: MRSP 2.9: S/MIME BRs and Audits

2023-07-19 Thread Ben Wilson
rtificates that are all in scope, such end entity certificates having either: - an Extended Key Usage (EKU) extension that contains one or more of these KeyPurposeIds: anyExtendedKeyUsage, id-kp-serverAuth, id-kp-emailProtection; or - no EKU extension. Thoughts? Ben On Wed, Jul 19, 2023 at 1

S/MIME BR Transition Wiki Page

2023-07-19 Thread Ben Wilson
All, I have created a wiki page (https://wiki.mozilla.org/CA/Transition_SMIME_BRs) to address miscellaneous issues that might arise for CAs in their transition toward compliance with the CA/Browser Forum’s Baseline Requirements for S/MIME Certificates (S/MIME BRs). (The wiki page is for items

Re: MRSP 2.9: S/MIME BRs and Audits

2023-07-19 Thread Ben Wilson
in the working group and > intentionally out-scoping them from the SBRs to avoid unintended adverse > effects, so wonder how to interpret the proposed update to the MRSP. > > > > Kind regards, > > > > Christophe > > > > *From:* dev-security-policy@

MRSP 2.9: Issues 261, 263 and 267, Miscellaneous Clarifications and Corrections

2023-07-13 Thread Ben Wilson
All, This email announces discussion of three more GitHub issues that we would like to address in Version 2.9 of the Mozilla Root Store Policy (MRSP). *#261 - Merge 5 and 5.1 in Section 2.1* Currently, item 5.1 in section 2.1 of the MRSP has a

Re: Review of e-Tugra's Inclusion in Mozilla’s Root Store

2023-07-11 Thread Ben Wilson
oot store, and go through Mozilla’s full root inclusion process <https://wiki.mozilla.org/CA/Application_Process>. Thanks, Ben and Kathleen On Mon, Jun 5, 2023 at 11:36 AM Ben Wilson wrote: > Dear Mozilla Community, > > This email relates to the e-Tugra breach that was d

MRSP 2.9: Issues #252 and #266 - Incident Reporting

2023-07-11 Thread Ben Wilson
All, We are proposing to revise Mozilla Root Store Policy (MRSP) Section 2.4 (Incidents) to address GitHub Issue # 252 and Issue # 266 . *Issue #252

MRSP 2.9: Issue #250: Clarify MRSP 5.3.2 to expressly include revoked CA certificates

2023-07-05 Thread Ben Wilson
All, This email opens up discussion of our proposed resolution of GitHub Issue #250 . Currently, MRSP section 5.3.2 (Intermediate CA Certificates must be publicly disclosed and audited) requires that all types of intermediate CAs capable of

Re: MRSP 2.9: Issue #239: Audit Statement Content

2023-06-29 Thread Ben Wilson
pecify the locations that "were not > audited". > What does this mean? > Thanks! > Pedro > > On Tuesday, June 27, 2023 at 17:37:44 UTC+2, Ben Wilson wrote: > >> All, >> >> Section 5.1 of the CCADB Policy >> https://www.ccadb.org/poli

MRSP 2.9: Issue #239: Audit Statement Content

2023-06-27 Thread Ben Wilson
All, Section 5.1 of the CCADB Policy https://www.ccadb.org/policy#51-audit-statement-content now specifies required audit letter content very similar to what is currently in section 3.1.4 of the Mozilla Root Store Policy (MRSP). And so it has been proposed that much of the current language in

MRSP 2.9: Issue #123: Annual Compliance Self-Assessment

2023-06-23 Thread Ben Wilson
All, Historically, Mozilla has required that CAs perform an annual Self-Assessment of their compliance with the CA/Browser Forum's TLS Baseline Requirements and Mozilla's Root Store Policy (MRSP). See https://wiki.mozilla.org/CA/Compliance_Self-Assessment. While there has not been any

MRSP 2.9: Issue #254: Harmonize CRL Reason Codes with CA/B Forum Revocation Reasons

2023-06-22 Thread Ben Wilson
All, This email opens up discussion of our proposed resolution of GitHub Issue #254 , “Harmonize CRL Reason Codes with CA/B Forum Revocation Reasons”. We would like to reduce text in Mozilla’s Root Store Policy that is now part of the CA/B Forum

Re: Policy 2.9: Candidate Issues to Address in MRSP v. 2.9

2023-06-20 Thread Ben Wilson
All, I plan to proceed with this list. I've already started discussion on Issue #258 - adoption of the S/MIME Baseline Requirements. I'll be posting the other issues for discussion here on dev-security-policy soon. Thanks, Ben On Wed, May 31, 2023 at 9:25 PM Ben Wilson wrote: >

LAWtrust CA Inclusion Request

2023-06-19 Thread Ben Wilson
All, Public discussion concluded last Friday, June 16, on the CCADB Public List, for LAWtrust's root inclusion request. https://groups.google.com/a/ccadb.org/g/public/c/gk8vbpg5WHo/m/EObfkeUwBQAJ This is notice that I am recommending approval of LAWtrust's request to include the following root

MRSP 2.9: S/MIME BRs Transition Timeline

2023-06-16 Thread Ben Wilson
Greetings, Our proposal for a migration plan towards having Certification Authorities (CAs) follow the CA/Browser Forum’s Baseline Requirements for S/MIME Certificates (S/MIME BRs) is as follows, keeping in mind that the Effective Date for version 1.0.0 of the S/MIME BRs is September 1, 2023, and

MRSP 2.9: S/MIME BRs and Audits

2023-06-13 Thread Ben Wilson
All, This email opens up discussion of our proposed resolution of GitHub Issue #258 (SMIME Baseline Requirements). We plan to add requirements to version 2.9 of the Mozilla Root Store Policy

Sectigo CA Inclusion Request

2023-06-13 Thread Ben Wilson
All, Public discussion concluded last Friday, June 9, on the CCADB Public List. https://groups.google.com/a/ccadb.org/g/public/c/1sKKdixUyFs/m/Nb3uWA0aBAAJ This is notice that I am recommending approval of Sectigo's request to include the following four (4) root CA certificates: -

Review of e-Tugra's Inclusion in Mozilla’s Root Store

2023-06-05 Thread Ben Wilson
Dear Mozilla Community, This email relates to the e-Tugra breach that was described in a blog post by Ian Carroll and subsequent discussions here and in CCADB Public

Policy 2.9: Candidate Issues to Address in MRSP v. 2.9

2023-05-31 Thread Ben Wilson
841af0686676f0435769db8c641d7d17dfb3..444d1cfd4d54edafaa9581e71572280a7bb483a8 Thanks, Ben Wilson Mozilla Root Store

CA/Browser Forum S/MIME Baseline Requirements

2023-05-30 Thread Ben Wilson
All, The CA/Browser Forum (CABF) has created a set of Baseline Requirements for publicly trusted S/MIME digital certificates (S/MIME BRs), with an effective date of September 1, 2023. The S/MIME BRs (https://cabforum.org/smime-br/) are the result of several years of work by the CA/Browser

Root Inclusion Request of SSL.com

2023-05-05 Thread Ben Wilson
All, We recently concluded a six-week public discussion of SSL.com's request (Bugzilla #1799533 and #1799703) to include four root CA certificates. See

Re: ATOS Trustcenter's Root Inclusion Request

2023-05-05 Thread Ben Wilson
s://bugzilla.mozilla.org/show_bug.cgi?id=1782092#c16 [2] https://pki.atos.net/Download/Atos_TrustedRoot_CPS_RootCA_v2.7.3.pdf On Sat, Apr 1, 2023 at 8:28 PM Ben Wilson wrote: > All, > > We recently conducted a six-week public discussion on the request from > ATOS Trustcenter for inclusion

ATOS Trustcenter's Root Inclusion Request

2023-04-01 Thread Ben Wilson
All, We recently conducted a six-week public discussion on the request from ATOS Trustcenter for inclusion of its four root certificates. See https://groups.google.com/a/ccadb.org/g/public/c/v5yFBHjuBRo/m/PDTc_JT8AAAJ I have just completed a CPS review and attached it to Bug #1782092 in

Re: Public Discussion re: Beijing CA (BJCA)

2023-03-13 Thread Ben Wilson
n 3.x, the reports mention 2.x. I'd like the same version as > the one mentioned specifically in the reports. > > On Mon, Mar 13, 2023 at 8:39 PM Ben Wilson wrote: > >> Kurt, >> Here is the link to the software download that BJCA provided: >> http://

Re: Public Discussion re: Beijing CA (BJCA)

2023-03-13 Thread Ben Wilson
Kurt, Here is the link to the software download that BJCA provided: http://download.bjca.org.cn/download/yzt/BJCAClientV3.8.101.0052.exe Ben On Mon, Mar 13, 2023 at 8:24 PM 'Kurt Seifried' via dev-security-policy@mozilla.org wrote: > > > On Mon, Mar 13, 2023 at 2:35 PM Kathleen Wilson > wrote:

Re: Public Discussion re: Beijing CA (BJCA)

2023-02-14 Thread Ben Wilson
> Certification Management System are issued following the roles of >>>>>> operations in the trusted-role list. All members of the operation team >>>>>> are >>>>>> full-time employees working for the company. >>>>>> >>>>>

Re: CA Communication re: Mozilla Root Store Policy (MRSP) Version 2.8.1

2023-02-06 Thread Ben Wilson
so we know which to > prioritize looking at? > > On Mon, Feb 6, 2023 at 12:34 PM Ben Wilson wrote: > >> Yes - that is correct. >> >> On Fri, Feb 3, 2023 at 9:56 PM Kurt Seifried wrote: >> >>> Is there an up-to-date list of all the applicants? Is this BZ
