Re: Policy 2.7.1: MRSP Issue #153: Cradle-to-Grave Contiguous Audits

On Saturday, March 6, 2021 at 11:17:53 PM UTC-5, bwi...@mozilla.com wrote: > Thanks, Bruce, for raising the issue of pre-generated, yet unassigned keys. > The intent was to cover this scenario. We are aware that CAs might > generate 1000s of keys in a partition and then years later assign a few

Re: Public Discussion re: Inclusion of the ANF Secure Server Root CA

Hello, I can't find the test URIs for this root certificate... ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy

AW: Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

Dear Ben, Dear Kahtleen, we suppose, there are no other changes intendent then apart from what you say below? If the rest of section 3.2 remains as it is, the specific matter of the ETSI auditor qualification would be addressed through the referrer back to BRG section 8.2. It would then

Re: Public Discussion re: Inclusion of the ANF Secure Server Root CA

Here you go: https://testvalidsslev.anf.es https://testrevokedsslev.anf.es https://testexpiredsslev.anf.es On Thu, Mar 11, 2021 at 6:38 AM Andrey West Siberia via dev-security-policy wrote: > Hello, > I can't find the test URIs for this root certificate... >

Re: Policy 2.7.1: MRSP Issue #153: Cradle-to-Grave Contiguous Audits

Hi Bruce, I think the answer is yes. A CA certificate is no longer trusted once it has expired or been revoked (or added to OneCRL for subCAs) or removed (roots). But I'm double-checking on the case of certificates with validity periods that extend past the expiration of the root. Ben On Thu, Mar

Re: Policy 2.7.1: MRSP Issue #153: Cradle-to-Grave Contiguous Audits

Bruce, The answer would be yes because we check the validity of the root CA certificate and other CA certificates. Ben On Thu, Mar 11, 2021 at 10:33 AM Ben Wilson wrote: > Hi Bruce, > I think the answer is yes. A CA certificate is no longer trusted once it > has expired or been revoked (or

Re: Public Discussion re: Inclusion of the ANF Secure Server Root CA

On Wed, 10 Mar 2021 13:43:55 -0700 Ben Wilson via dev-security-policy wrote: > This is to announce the beginning of the public discussion phase of > the Mozilla root CA inclusion process for the ANF Secure Server Root > CA. I'd like to draw attention to the first misissuance mentioned in

Re: Clarification request: ECC subCAs under RSA Root

OK. Thanks for your answers. In summary, my understanding is that we can ignore that illustrative control of the Webtrust Criteria and that the community is cool with these subordinations of CAs with stronger keys (same or different algorithm). Best, Pedro