Re: Financial incentive against security ( was Re: [EXTERNAL] Recent Entrust Compliance Incidents)

2024-06-08 Thread Mike Shaver
Apologies, I somehow managed to send white-on-white HTML from gmail mobile and I honestly have no idea how. On Sat, Jun 8, 2024 at 9:48 PM Jeffrey Walton wrote: > I would caution against that. Effectively, Mozilla would be fiddling > with the market. The market should be the one to punish (or

Re: Financial incentive against security ( was Re: [EXTERNAL] Recent Entrust Compliance Incidents)

2024-06-08 Thread Mike Shaver
On Sat, Jun 8, 2024 at 9:48 PM Jeffrey Walton wrote: > I would caution against that. Effectively, Mozilla would be fiddling > with the market. The market should be the one to punish (or reward) > Entrust for the premiums on manual issuance, not Mozilla. When > subscribers get tired of paying too

Re: Financial incentive against security ( was Re: [EXTERNAL] Recent Entrust Compliance Incidents)

2024-06-08 Thread Jeffrey Walton
On Sat, Jun 8, 2024 at 6:15 PM Watson Ladd wrote: > > On Sat, Jun 8, 2024 at 2:15 PM Mike Shaver wrote: > >"It would mean that revenue from the financial disincentive that Entrust > >puts in place against Subscriber automation (I believe it's called > >"SUB-PKI-CEG-ACME")" > > So for four

Re: Financial incentive against security ( was Re: [EXTERNAL] Recent Entrust Compliance Incidents)

2024-06-08 Thread Mike Shaver
On Sat, Jun 8, 2024 at 6:29 PM Paul Wouters wrote: > > > On Jun 8, 2024, at 18:16, Watson Ladd wrote: > > > >  > > Could Mozilla update the root store policy to make clear that > > improvements like ACME shouldn't be extra cost items but instead > > considered part of the service provided to

Re: Financial incentive against security ( was Re: [EXTERNAL] Recent Entrust Compliance Incidents)

2024-06-08 Thread Mike Shaver
On Sat, Jun 8, 2024 at 6:15 PM Watson Ladd wrote: > On Sat, Jun 8, 2024 at 2:15 PM Mike Shaver wrote: > >"It would mean that revenue from the financial disincentive that Entrust > puts in place against Subscriber automation (I believe it's called > "SUB-PKI-CEG-ACME")" > > So for four years,

Financial incentive against security ( was Re: [EXTERNAL] Recent Entrust Compliance Incidents)

2024-06-08 Thread Watson Ladd
On Sat, Jun 8, 2024 at 2:15 PM Mike Shaver wrote: >"It would mean that revenue from the financial disincentive that Entrust puts >in place against Subscriber automation (I believe it's called >"SUB-PKI-CEG-ACME")" So for four years, while Entrust told us it was working to get its subscribers

Re: [EXTERNAL] Recent Entrust Compliance Incidents

2024-06-08 Thread Mike Shaver
une 7. > > o_O > prior to June 7 > O___O Date: Fri, 7 Jun 2024 12:53:10 -0700 (PDT) From: "'Bruce Morton' via dev-security-policy@mozilla.org" To: "dev-security-policy@mozilla.org" Cc: Ben Wilson Subject: Re: Recent Entrust Compliance Incidents In

Re: Recent Entrust Compliance Incidents

2024-06-08 Thread Wayne
While Entrust have not provided details on their incident handling and decision-making as requested in this report, a few details have come to light in a reply to an incident today. This is specifically regarding #1886532, the delayed revocation of CPSuri certificates.

Re: Recent Entrust Compliance Incidents

2024-06-07 Thread Watson Ladd
Dear Bruce, This report is completely unsatisfactory. It starts by presuming that the problem is 4 incidents. Entrust is always under an obligation to explain the root causes of incidents and what it is doing to avoid them as per the CCADB incident report guidelines. That's not the reason Ben and

Re: Recent Entrust Compliance Incidents

2024-06-07 Thread Wayne
issue certificates with a very short lifetime. I suppose no >>>>> one >>>>> thought it would take so much time. >>>>> >>>>> Short-lived certificates are designed to help address a certificate >>>>> revocation issue. Back in 2012, Adam Langle

Re: Recent Entrust Compliance Incidents

2024-06-07 Thread 'Amir Omidi (aaomidi)' via dev-security-policy@mozilla.org
are designed to help address a certificate >>>>> revocation issue. Back in 2012, Adam Langley discussed the seat-belt >>>>> issue, >>>>> where it works fine, but snaps when you crash. This was based on the fact >>>>> the browser impl

Re: Recent Entrust Compliance Incidents

2024-06-07 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
y, TLS/SSL certificates are typically valid for about a year, >>> according to the Certification Authority Browser (CA/B) Forum requirements. >>> This yearly renewal cycle is convenient for organizations to manage and >>> schedule. However, transitioning to shorter-li

Re: Recent Entrust Compliance Incidents

2024-06-07 Thread Wayne
t; due to the need for buffer time, certificates may need to be renewed every >> 60 days. Ultimately, this change could lead to replacing certificates more >> than six times every 12 months, depending on the renewal window chosen. >> *---* >> >> Apologies that some of t

Re: Recent Entrust Compliance Incidents

2024-05-15 Thread 'Amir Omidi (aaomidi)' via dev-security-policy@mozilla.org
n Saturday, May 11, 2024 at 8:04:24 PM UTC+1 Chris Bailey wrote: > >> To Ben Wilson and the Mozilla Community: >> >> >> >> I want to acknowledge your letter and the input from you and the >> community. We agree that we have go-forward opportunities to improv

Re: Recent Entrust Compliance Incidents

2024-05-11 Thread Wayne
tes > > Entrust > > > > *From: *'Ben Wilson' via dev-secur...@mozilla.org < > dev-secur...@mozilla.org> > *Date: *Tuesday, May 7, 2024 at 10:59 AM > *To: *dev-secur...@mozilla.org > *Subject: *[EXTERNAL] Recent Entrust Compliance Incidents > > Dear M

Re: [EXTERNAL] Recent Entrust Compliance Incidents

2024-05-11 Thread 'Chris Bailey' via dev-security-policy@mozilla.org
. Until then, please contact me directly with additional questions or feedback. Sincerely, Chris Bailey VP-Digital Certificates Entrust From: 'Ben Wilson' via dev-security-policy@mozilla.org Date: Tuesday, May 7, 2024 at 10:59 AM To: dev-secur...@mozilla.org Subject: [EXTERNAL] Recent Entrust

Re: Recent Entrust Compliance Incidents

2024-05-10 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Added " Although not expressed in the bug, it appears that certificate revocation was delayed as well." On Fri, May 10, 2024 at 10:54 AM George wrote: > Although it was not mentioned in the original bug, it may be worth adding > that the certificates in bug 1867130 >

Re: Recent Entrust Compliance Incidents

2024-05-10 Thread 'George' via dev-security-policy@mozilla.org
Although it was not mentioned in the original bug, it may be worth adding that the certificates in [bug 1867130](https://bugzilla.mozilla.org/show_bug.cgi?id=1867130) were also not revoked within 5 days of discovery. Entrust might've based the start of the 5 day deadline at the time the

Re: Recent Entrust Compliance Incidents

2024-05-10 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Here are draft summaries of the additional historic incidents. I'll be adding these to the Entrust Issues page: https://wiki.mozilla.org/CA/Entrust_Issues *Invalid data in State/Province Field -* https://bugzilla.mozilla.org/show_bug.cgi?id=1658792 It was initially discovered that Entrust had

Re: Recent Entrust Compliance Incidents

2024-05-09 Thread Watson Ladd
Could we add a section for geographical incidents? This is slightly outside your time window, but I think reading the series here has some uncanny echoes in the ones in your window. https://bugzilla.mozilla.org/show_bug.cgi?id=1658792 https://bugzilla.mozilla.org/show_bug.cgi?id=1658794

Recent Entrust Compliance Incidents

2024-05-07 Thread 'Ben Wilson' via dev-security-policy@mozilla.org
Dear Mozilla Community, Over the past couple of months, a substantial number of compliance incidents have arisen in relation to Entrust. We have summarized these recent incidents in a dedicated wiki page: https://wiki.mozilla.org/CA/Entrust_Issues. In brief, these incidents arose out of