On 2015-02-04 14:55, Man Ho (Certizen) wrote:
But making a statement in CP/CPS means that CA has already
complied with the latest version of BRs. In other words, CA has
already complied with all potential changes of BRs at all time. Such
statement could be a false statement when the latest
Hi Kathleen,
On 2015-01-22 22:43, Kathleen Wilson wrote:
All,
As you know, we've moved the CA Program data from spreadsheets into
SalesForce.
We are now creating a program that will be run once per month to
automatically send email to CAs when audit statements are past due;
meaning that the
On Mon, Jan 26, 2015 at 01:25:50PM -0800, Ryan Sleevi wrote:
To offer concrete suggestions on this:
I'm not sure what you mean exactly, so I'm going to give examples.
Assuming the last audit period was 2013-01-01 to 2013-12-31, and
the audit statement on 2014-03-15.
According to the BR rules
On 2014-12-22 21:26, Ryan Sleevi wrote:
As part of the transition to BoringSSL, we've chosen to remove DSA
support. The number of well-formed DSA certificates out there was single
digits, so this is not likely to be a large Web Compat issue
My charts (http://roeckx.be/certificates/dsa.png)
On 2015-03-24 10:35, Florian Weimer wrote:
* Kurt Roeckx:
So it's my understanding that they were only supposed to issue
certificates for their own domain(s). Why wasn't this enforced by
using a name constraint?
Sadly, name constraints do not work because they do not constrain the
Common
On 2015-03-23 00:18, Kathleen Wilson wrote:
admin@domain
administrator@domain
I've seen a few stories like this. I think they all used either admin
or administrator. So I recommend not to allow those. They also don't
show up in a default /etc/aliases file while the other 3 do.
On 2015-04-14 13:54, Rob Stradling wrote:
On 14/04/15 12:38, Kurt Roeckx wrote:
On 2015-04-14 01:15, Peter Kurrasch wrote:
Let's use an example. Suppose CNNIC issues a cert for
whitehouse[dot]gov and let's further suppose that CNNIC includes this
cert in the CT data since they have agreed
On 2015-04-24 01:21, Kathleen Wilson wrote:
4) Before the new CA begins issuing certs in the transferred CA cert
hierarchy, there should be an audit performed at the new CA's site to
confirm that the transfer was successful and that the root cert is ready
to resume issuance.
Would this be a
On Sat, May 02, 2015 at 06:48:44PM -0400, Richard Barnes wrote:
Hey Matthew,
I believe We are in the process of collecting this information from CAs.
I understand that this is being collected in SalesForce and that
as some point we should be able to get that list.
In the current form it's
On 2015-05-07 16:33, Jonas Witmer wrote:
Hi Christopher
As you can see on your SSLLabs Report, your server is forcing weak RC4
ciphers.
It also only support TLS 1.0. TLS 1.1 and 1.2 fix issues with the
protocol and I suggest you really look into getting TLS 1.2.
On 2015-05-18 13:06, Matt Palmer wrote:
On Mon, May 18, 2015 at 12:26:26PM +0200, Kurt Roeckx wrote:
On 2015-05-14 17:25, Gervase Markham wrote:
2) If it is different, does name-constraining government CAs make
things better, or not?
I think it only makes sense to name constrain a government
On 2015-05-19 12:04, Gervase Markham wrote:
On 18/05/15 17:39, Kurt Roeckx wrote:
On the other hand, if it covers the whole country, they can abuse
it for domains in that country, but not for other domains. I'm
not sure why you would find it acceptable that they can abuse it
in their own
On 2015-05-14 17:25, Gervase Markham wrote:
2) If it is different, does name-constraining government CAs make
things better, or not?
I think it only makes sense to name constrain a government CA if the
name constrained only covers government websites, and not all websites
in the country.
On Sat, Apr 11, 2015 at 10:44:38AM +, Peter Gutmann wrote:
Did anyone save a copy of the cert chain? I'd like to add it to my collection
of broken cer^H^H^H^H^Hcert parser test vectors, but the site has been fixed
and the Bugzilla entry doesn't contain it.
The site hasn't been fixed, at
On 2015-05-14 17:25, Gervase Markham wrote:
CAs currently in Mozilla's program which may fit one or more definitions
of government CA are:
It might be a little out of scope of your question, but maybe we should
agree on what we think the (government) CAs should be able to do and
what not.
On 2015-06-09 15:26, Peter Kurrasch wrote:
3) How frequently might such tools run? Or to put it differently, how much time
do I probably have between when I issue a gmail cert and when someone figures
it out (and of course how much longer before my illegitimate cert is no longer
valid)? I
On Tue, Jun 09, 2015 at 12:00:23PM -0700, Rick Andrews wrote:
On Tuesday, June 9, 2015 at 7:45:05 AM UTC-7, Kurt Roeckx wrote:
On 2015-06-09 15:26, Peter Kurrasch wrote:
3) How frequently might such tools run? Or to put it differently, how
much time do I probably have between when I
Hi Richard,
You seem to be saying that the CRL number always matches the amount of
times you've revoked a certificate. This is not the case. Each time
the CRL is updated, even when the list of revoked certificates is the
same, you should update the CRL number. That is, if you generate the
On 2015-10-21 22:18, s...@gmx.ch wrote:
There was also a plan for certificates with 'notAfter >= 2017-1-1'
(still valid in 2017+).
Chrome already shows a broken https icon for them.
See https://sha1-2017.badssl.com/
This was discussed in https://bugzilla.mozilla.org/show_bug.cgi?id=942515
So
On 2015-11-11 19:46, Steve Roylance wrote:
Hypothetically, a government organization wishing to issue S/MIME
certificates to citizens on a range of ccTLD based domains could be
technically constrained through the inclusion of EKU's
I just wondering how you would imagine this would work. Would
On Tue, Nov 17, 2015 at 05:40:28PM +, Rob Stradling wrote:
>
> Great. I tried importing the list into postgres but I couldn't persuade it
> to accept the invalid character encodings, so I gave up.
When importing data in my postgres database I leave the fields
NULL in case I really can't do
On 2015-11-06 17:47, loths...@gmail.com wrote:
https://bugzilla.mozilla.org/s... [mozilla.org]
Firefox only currently supports DHE with SHA1. Are they going add support for
SHA256 DHE when they disable SHA1?
The dropping of SHA1 is only in certificates, not in any of the cipher
suites.
On 2015-11-05 19:46, Kathleen Wilson wrote:
Another option is to delete this section from Mozilla's policy, because
it is covered by the Baseline Requirements. However, the Baseline
Requirements allows for DSA, which Mozilla does not support.
Maybe the BR should be updated to remove DSA
On 2015-11-05 21:01, s...@gmx.ch wrote:
I would like to see SHA-3 signatures and Ed25519/curve25519 ASAP.
The later one is not that far away [1].
Maybe it's the right time to consider them?
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=957105
This is about certificate, so as far as I know
On 2015-10-20 20:39, Kathleen Wilson wrote:
- We are re-evaluating when we should start rejecting all SHA-1 SSL
certificates (regardless of when they were issued). As we said before,
the current plan is to make this change on January 1, 2017. However, in
light of recent attacks on SHA-1, we
On 2015-09-03 20:22, Kathleen Wilson wrote:
2) Remove included root certs that only have the Code Signing trust bit
enabled. To our knowledge, no one is using such root certs via the NSS
root store.
I'm wondering how you currently support things like java applets. As
far as I understand for
On Tue, Sep 08, 2015 at 10:58:39AM -0700, Kathleen Wilson wrote:
> 28. Remove Code Signing trust bits. As of Firefox 38, add-ons are signed
> using Mozilla's own roots. There doesn't appear to be anyone else using the
> roots in the NSS root store for Code Signing. -- currently under discussion
>
On Thu, Sep 10, 2015 at 01:20:02PM -0700, Kathleen Wilson wrote:
> Proposal for version 2.3 of Mozilla's CA Certificate Policy:
>
> Remove the code signing trust bit.
>
> If this proposal is accepted, then there would be follow-up action items
> that would need to happen after version 2.3 of the
On Fri, Sep 11, 2015 at 03:34:21PM -0400, Richard Barnes wrote:
> And that the certificate has the "identify websites" bit set?
You mean that when it's important into firefox, he should say it
should be trusted for websites? Or are you talking about an
extention in the certificate itself?
Kurt
On Wed, Sep 16, 2015 at 02:51:28PM -0700, AnilG wrote:
>
> there's another issue blocking them for Firefox: Secure Connection Failed.
> The connection to wiki.mozilla.org was interrupted while the page was loading.
I wonder if firefox is using certificate pinning for
*.mozilla.org.
Kurt
On 2015-10-01 11:05, Gervase Markham wrote:
On 01/10/15 02:43, Brian Smith wrote:
Perhaps nobody's is, and the whole idea of using publicly-trusted CAs for
code signing and email certs is flawed and so nobody should do this.
I think we should divide code-signing and email here. I can see how
On Mon, Sep 21, 2015 at 07:07:07PM -0700, Kathleen Wilson wrote:
>
> First, we need to determine if the Email trust bit should remain part of
> Mozilla's CA Certificate Policy.
I'm really concerned about this. S/MIME and PGP are the only
(popular) ways to do encryption over email. The
On 2015-12-04 02:55, Jakob Bohm wrote:
How huge and unwieldy are CRLs really, especially if letting the
computer (NSS/Firefox) do the updating?
Individual CRLs are in the range of a few kB to a few MB. For the CA
that issues the subscriber certificates they have a maximum validity of
10
On 2015-12-04 15:21, Jakob Bohm wrote:
On 04/12/2015 11:19, Kurt Roeckx wrote:
On 2015-12-04 02:55, Jakob Bohm wrote:
How huge and unwieldy are CRLs really, especially if letting the
computer (NSS/Firefox) do the updating?
Individual CRLs are in the range of a few kB to a few MB. For the CA
On 2015-01-22 22:43, Kathleen Wilson wrote:
All,
As you know, we've moved the CA Program data from spreadsheets into
SalesForce.
We are now creating a program that will be run once per month to
automatically send email to CAs when audit statements are past due;
meaning that the audit statement
On Mon, Dec 07, 2015 at 10:24:34AM -0800, Peter Bowen wrote:
> The current CA policy does not specify when audit reports are due to
> Mozilla relative to the end date of the audit period. It only says
> that CAs much provide the reports to Mozilla within 30 days of
> receiving the report from
On 2015-11-20 17:27, Peter Bowen wrote:
On Fri, Nov 20, 2015 at 7:32 AM, Kurt Roeckx <k...@roeckx.be> wrote:
On 2015-11-19 22:19, douglas.beat...@gmail.com wrote:
I realize I'm a little late to the game, but I had a question on the
maximum length. If I'm reading this correctly, it look
On Wed, Jun 22, 2016 at 02:25:37PM -0700, Peter Bowen wrote:
> I think there are two things getting conflated here:
>
> 1) Disclosure of revoked unexpired CA certificates signed by a trusted CA
>
> 2) Disclosure of CA certificates signed by CAs that are the subject of #1
>
> Imagine the
On Tue, Jan 19, 2016 at 01:49:21AM +, Charles Reiss wrote:
> Via censys.io, I found a couple SHA-1 certs with notBefore dates from this
> year
> which chain to root CAs in Mozilla's program:
I also have some from C=US,O=VeriSign\, Inc.,OU=VeriSign Trust
Network,OU=Terms of use at
On Mon, Feb 08, 2016 at 12:18:12PM -0800, Kathleen Wilson wrote:
> All,
>
> We recently added two tests that CAs must perform and resolve errors for
> when they are requesting to enable the Websites trust bit for their root
> certificate.
>
> Test 1) Browse to https://crt.sh/ and enter the SHA-1
On Mon, Feb 08, 2016 at 02:30:05PM -0800, Kathleen Wilson wrote:
>
> Not much you can do about a currently-included root certificate other than
> re-issue the root certificate which can cause many other problems.
So I was under the impression that they needed to check their
currently signed
On 2016-03-11 01:14, Jakob Bohm wrote:
- Non-PrintableString/UTF8String in DNs. Workaround to be removed in
Bug #[TBD].
Does this also apply to "pure ASCII" fields such as country ("C=US")
etc.? Some of those were historically constrained to one of the
lesser ASN.1 string types.
I think C
On 2016-03-11 15:33, Jakob Bohm wrote:
On 11/03/2016 09:55, Kurt Roeckx wrote:
On 2016-03-11 01:14, Jakob Bohm wrote:
- Non-PrintableString/UTF8String in DNs. Workaround to be removed in
Bug #[TBD].
Does this also apply to "pure ASCII" fields such as country ("C=US")
On 2016-04-29 09:42, Nick Lamb wrote:
I'm sure Rob can give a more technical answer, but my understanding is that
crt.sh doesn't (and probably can't) detect that individual certificates have
enough entropy, instead it flags certificates based on the length of the serial
numbers. So it's
On Sun, May 15, 2016 at 05:43:39PM -0700, Peter Bowen wrote:
> "By providing more reliable third-party verified identity and address
> information regarding the business, EV Certificates may help to [...]
> Assist law enforcement organizations in their investigations of
> phishing and other online
On 2016-05-10 02:07, Kathleen Wilson wrote:
Thanks to all of you who have reviewed and commented on this request from
DocuSign to include the following root certificates, turn on the Websites and
Email trust bits for all of them, and enable EV treatment for all of them.
+ Certplus Root CA G1 -
On 2016-04-20 15:48, Ryan Sleevi wrote:
On Tuesday, April 19, 2016 at 10:15:16 AM UTC-7, Nick Lamb wrote:
Some more thoughts (my previous substantive comments are awaiting moderation
because I foolishly sent them before subscribing)
1. Historically other CAs in this family have issued
On Fri, Aug 05, 2016 at 09:44:58PM -0700, Ryan Sleevi wrote:
> On Friday, August 5, 2016 at 4:32:52 PM UTC-7, Kathleen Wilson wrote:
> > I am planning to have Salesforce automatically send the following email on
> > the second and fourth Tuesday of each month to the Primary POC for each CA
> >
> On Jun 24, 2016, at 08:01,
> > "dev-security-policy-requ...@lists.mozilla.org<mailto:dev-security-policy-requ...@lists.mozilla.org>"
> >
> > <dev-security-policy-requ...@lists.mozilla.org<mailto:dev-security-policy-requ...@lists.mozilla.org>>
> >
On Wed, Aug 17, 2016 at 09:55:24AM -0700, Ryan Sleevi wrote:
> > I don't think adding that CA certificate to OneCRL is enough, that would
> > only protect Mozilla users. They should revoke all the relevant
> > certificates.
>
> Define "relevant"? If a SHA-1 collision has been mounted, Hongkong
On Wed, Feb 01, 2017 at 11:51:48PM +0100, Hanno Böck wrote:
> On Wed, 1 Feb 2017 22:38:54 +
> Jeremy Rowley wrote:
>
> > Some of these curves are considered much better than the NIST curves
> > (well, that’s what I’ve read anyway).
>
> Overall they have mostly
On Mon, Jan 23, 2017 at 04:01:58PM -0800, Peter Bowen wrote:
> On Mon, Jan 23, 2017 at 3:32 PM, Kathleen Wilson wrote:
> > Does section 7.1.4.2 of the CA/Browser Forum's Baseline Requirements only
> > apply to end-entity certificates?
> >
> > If yes, where does it specify
On 2017-01-28 07:51, Peter Gutmann wrote:
Jakob Bohm writes:
DSA and ECDSA signatures are only secure if the hash algorithm is specified
in the certificate, presumably as part of the AlgorithmIdentifier in the
SubjectPublicKeyInfo.
It's in the (badly-named) signature
On Wed, Jan 18, 2017 at 07:23:35AM -0800, Peter Bowen wrote:
>
> > On Jan 18, 2017, at 7:18 AM, Gervase Markham wrote:
> >
> > On 17/01/17 23:33, Jakob Bohm wrote:
> >> How about "_and versions and strong (>= 256 bits) hashes_",
> >
> > Do people think we need to go this far?
On Fri, Sep 02, 2016 at 07:27:13PM +0200, Kurt Roeckx wrote:
> On Fri, Sep 02, 2016 at 10:00:28AM -0700, Andrew Ayer wrote:
> > 2. A certificate has already been found which they didn't log to CT
> > despite their assertion that they had logged all certificates,
>
> Can you
On Fri, Sep 02, 2016 at 10:00:28AM -0700, Andrew Ayer wrote:
> 2. A certificate has already been found which they didn't log to CT
> despite their assertion that they had logged all certificates,
Can you please point to those that weren't logged?
Kurt
On Sat, Sep 03, 2016 at 09:24:33AM +1000, Matt Palmer wrote:
> On Fri, Sep 02, 2016 at 07:55:36AM -0700, Peter Bowen wrote:
> > Do you also plan to submit these to at least one Google-operated log?
>
> Did you mean "non-Google-operated log"? I was under the impression that we
> didn't want
On Sat, Sep 03, 2016 at 11:45:21AM +0200, Kurt Roeckx wrote:
> On Sat, Sep 03, 2016 at 09:29:45AM +0100, Gervase Markham wrote:
> > On 02/09/16 16:21, Peter Bowen wrote:
> > > It seems then there is a newly exposed bug.
> > > https:/
On 2016-09-05 17:55, Jakob Bohm wrote:
Indeed, I have found that a number of common web server implementations
simply lack the ability to do OCSP stapling at all.
I would really like to see OCSP stapling as mandatory. There currently
only seem to be around 25% of the servers that do it, and
On 2016-09-06 10:13, Nick Lamb wrote:
Quality of implementation for OCSP stapling seems to remain poor in at least apache and
nginx, two of the most popular servers. Apache's in particular gives me that OpenSSL
"We read this standards document and implemented everything in it as a series of
On 2016-09-05 22:37, Percy wrote:
In page 11, you mentioned that "System blocked many illegal request every day, the
following screen shot is the reject order log", in which you attached a log with
Google, Microsoft, QQ domains. Those domains are rejected because of the top domain
whitelist.
On 2016-09-06 14:16, Jakob Bohm wrote:
On 06/09/2016 10:25, Kurt Roeckx wrote:
If you think there is something we can do in OpenSSL to improve this,
please let us know.
Here are a list of software where I have personally observed bad OCSP
stapling support:
OpenSSL 1.0.x itself
Hi Nick,
I want to thank you for bringing this up, because we always seem to have
the same kind of discussions when something happened. Ryan's mail has a
bunch of other suggestions for what we can do.
1. Implement "Require SCTs" for problematic CAs.
Is there a reason we don't require
On 2016-08-31 20:13, Ryan Sleevi wrote:
Setting aside for a second whether or not distrusting is the right action,
let's think about what possible responses.
A) Remove the CA. Users may manually trust it if they re-add it, but it will
not be trusted by default.
B) Actively distrust the CA.
On 2016-09-01 14:21, Matt Palmer wrote:
On Thu, Sep 01, 2016 at 10:53:36AM +0300, Eddy Nigg wrote:
On 09/01/2016 04:20 AM, Matt Palmer wrote:
You were knowingly violating a MUST provision of RFC5280.
From experience there have been many RFC violations, sometimes even
knowingly and
On 2016-09-02 05:59, Peter Gutmann wrote:
Vincent Lynch writes:
I think Eddy Nigg (founder of StartCom) and/or Richard Wang (of WoSign)
should make a statement about this.
+1. I'd already asked for something like this earlier and got silence as a
response, which isn't
On 2016-09-07 13:00, Gervase Markham wrote:
Hi Richard,
On 07/09/16 11:06, Richard Wang wrote:
This discuss has been lasting two weeks, I think it is time to end
it, it doesn’t worth to waste everybody’s precious time.
Unfortunately, I think we may be only beginning.
I have prepared a list
On Sun, Sep 04, 2016 at 02:53:01PM +0200, Kurt Roeckx wrote:
> On Sun, Sep 04, 2016 at 09:49:25AM +, Richard Wang wrote:
> > Hi all,
> >
> > We finished the investigation and released the incidents report today:
> > https://www.wosign.com/report/wosign_in
On Sun, Sep 04, 2016 at 09:49:25AM +, Richard Wang wrote:
> Hi all,
>
> We finished the investigation and released the incidents report today:
> https://www.wosign.com/report/wosign_incidents_report_09042016.pdf
>
> This report has 20 pages, please let me if you still have any questions,
On Sun, Sep 04, 2016 at 12:04:21PM +0300, Eddy Nigg wrote:
> On 09/02/2016 07:02 PM, Nick Lamb wrote:
> > On Friday, 2 September 2016 08:50:02 UTC+1, Eddy Nigg wrote:
> > > Lets speak about relying parties - how does this bug affect you?
> > As a relying party I am entitled to assume that there
On Sun, Sep 04, 2016 at 10:05:11AM +0100, Gijs Kruitbosch wrote:
> So if I understand correctly, you've published all certificates issued in
> 2015 to CT, and any cert with a notBefore of/after July 5th 2016. Is that
> correct?
>
>
> As noted in
>
On Sun, Sep 04, 2016 at 09:49:25AM +, Richard Wang wrote:
> Hi all,
>
> We finished the investigation and released the incidents report today:
> https://www.wosign.com/report/wosign_incidents_report_09042016.pdf
In section 2.2 you explain that there is a mail at 9:01 and 9:38,
where I
On 2016-09-02 04:22, Richard Wang wrote:
For https://crt.sh/?id=29884704 , he finished the website control validation.
We and Alibaba are investigating why he can do the website control validation.
The is the log, but we can't expose more now since it is related to Alibaba.
2016-06-23
On Sat, Sep 03, 2016 at 09:29:45AM +0100, Gervase Markham wrote:
> On 02/09/16 16:21, Peter Bowen wrote:
> > It seems then there is a newly exposed bug.
> > https://www.censys.io/certificates/e2665bb07940b5bee73145f47c99dcf5781edbe9d78f9cada8f1d702d5e340ad
> > shows a certificate issued by your CA
On 2016-08-31 04:56, Peter Bowen wrote:
In reviewing the Certificate Transparency logs, I noticed the StartCom
has issued multiple certificates with identical serial numbers and
identical issuer names.
https://crt.sh/?serial=14DCA8 (2014-12-07)
https://crt.sh/?serial=04FF5D653668DB (2015-01-05)
On Thu, Oct 06, 2016 at 08:22:20AM +0200, Hanno Böck wrote:
> On Wed, 5 Oct 2016 22:46:24 -0700
> Peter Bowen wrote:
>
> > I think we can all look back with 20/20 hindsight and say that device
> > vendors should not use the same roots as browsers and that maybe CAs
> > should
On Tue, Oct 04, 2016 at 11:13:21AM +0100, Rob Stradling wrote:
> On 04/10/16 07:10, Gervase Markham wrote:
>
> >> [4] https://crt.sh/?cablint=1+week
> >
> > This URL is a 404.
>
> Sorry, crt.sh is a bit under the weather right now. Someone submitted a
> batch of several million certs to the
On Fri, Oct 07, 2016 at 03:21:48AM +, Peter Gutmann wrote:
> Kurt Roeckx <k...@roeckx.be> writes:
>
> >This is why browsers have something like OneCRL, so that they actually do
> >know about it and why Rob added that information to the bug tracker (
> &g
On Wed, Oct 05, 2016 at 01:30:37PM +, Peter Gutmann wrote:
> Rob Stradling writes:
>
> >Easy. It doesn't make a sound. Unrevoked certificates don't make sounds
> >either.
>
> What I was really asking, in a tongue-in-cheek way, was whether there was any
>
On 2016-09-21 12:11, Richard Wang wrote:
Please check the first 313 certificate serial is
“56D1570DA645BF6B44C0A7077CC6769” and the second 27 certificate is
“D3BBDC3A0175E38F9D0070CD050986A” that only 31 bytes. But our serial number
rule is 32 bytes.
This is a little misleading. The hex
On 2016-09-21 11:16, Gervase Markham wrote:
Hi Xiaosheng,
On 20/09/16 16:31, 谭晓生 wrote:
Qihoo 360 is a company valued at USD$9.99B as it finished the
privatization on July 15th 2016, we have invested in more than 200
companies across the world, Wosign is just a very small one and we
even do
On 2016-09-20 17:31, 谭晓生 wrote:
Dear Gerv and all,
Qihoo 360 is a company valued at USD$9.99B as it finished the privatization on July 15th
2016, we have invested in more than 200 companies across the world, Wosign is just a very
small one and we even do not have any people sent to this
On 2016-09-21 16:26, Richard Wang wrote:
R: You can place order there and don't do the domain validation, 4 months
later, you finished the domain control validation, then issue the certificate.
Please try it by yourself here: https://buy.wosign.com/free/
So the date in the certificate is
On 2016-09-23 13:38, Richard Wang wrote:
Hi Gerv,
Please check this news (Feb 25th 2015) in OSCCA website:
http://www.oscca.gov.cn/News/201312/News_1254.htm that all China licensed CA
finished the PKI/CA system upgrade that all licensed CA MUST be able to issue
SM2 certificate to
On Wed, Sep 07, 2016 at 02:08:24PM +0200, Kurt Roeckx wrote:
> On 2016-09-07 13:00, Gervase Markham wrote:
> > Hi Richard,
> >
> > On 07/09/16 11:06, Richard Wang wrote:
> > > This discuss has been lasting two weeks, I think it is time to end
> > > it
On 2016-08-17 00:23, Ryan Sleevi wrote:
Practically speaking, what steps could be taken?
6) Ask them to immediately stop issuing SHA-1 based certificates that
chain back to any of the root certificates in the Mozilla root store,
and revoke the one they shouldn't have issued. If they fail to
On 2016-08-16 21:42, Kathleen Wilson wrote:
Root Certificates:
Autoridad de Certificacion Firmaprofesional CIF A62634068
[...]
2) jurisdictionOfIncorporation should be PrintableString coded, but we
code it in UTF8: we fail to understand this requirement when UTF8 is
more recent and to
Hi,
In their report and the audit statement they talk about 392
duplicate serial numbers, with links to the crt.sh page for those
serial numbers.
But they in fact actually point to 393, the first group has 314
and not 313 duplicates in it. This was already the case before
they published their
On 2016-09-27 01:18, Jakob Bohm wrote:
It would perhaps be useful if you could dispute, using Firefox as an
example, and considering the real deployment (not the theorhetical
abstract of ways in which someone 'might' configure about:flags, but
no one can and still have the same experience), the
On 2016-09-27 11:31, Gervase Markham wrote:
Hi Kurt,
On 26/09/16 23:45, Kurt Roeckx wrote:
In their report and the audit statement they talk about 392
duplicate serial numbers, with links to the crt.sh page for those
serial numbers.
But they in fact actually point to 393, the first group has
On Sat, Oct 01, 2016 at 11:35:06AM -0700, Percy wrote:
> "Apple products will trust individual existing certificates issued from this
> intermediate CA and published to public Certificate Transparency log servers
> by 2016-09-19"
>
> It seems that Apple has taken the explicit white-listed
On Tue, Oct 25, 2016 at 12:12:47PM -0700, Ryan Sleevi wrote:
> 8. All certificates that are capable of being used to issue new certificates,
> and which directly or transitively chain to a certificate included in
> Mozilla’s CA Certificate Program, MUST be operated in accordance with
>
On Tue, Oct 25, 2016 at 12:12:47PM -0700, Ryan Sleevi wrote:
> That is, according to the BRs, the issuer of a technically constrained
> subordinate CA has a BR-obligation to ensure that their TCSCs are adhering to
> the BRs and the issuing CA's policies and practices, as well as conduct a
>
On 2016-11-09 10:58, Gervase Markham wrote:
At the moment, Firefox recognises an EE cert as a server cert if it has
an EKU extension with id-kp-serverAuth, or if it has no EKU at all.
So not when the anyExtendedKeyUsage is present?
> On 17th of Feb 2013, Mozilla published CA policy 2.1, which
On Wed, Nov 09, 2016 at 10:57:54AM -0800, Peter Bowen wrote:
> I think it makes sense to have a new doc that applies to all CAs and
> specifies when requirements apply to certificates. That way we can
> say "SSL BRs apply if X, S/MIME BRs apply if Y, Code Signing applies
> if Z, this doc applies
On 2016-11-07 15:08, Gervase Markham wrote:
https://github.com/mozilla/pkipolicy/compare/2.2...master
So one of the changes is that you now have:
-issuing certificates), as described in [CA/Browser Forum
-Baseline Requirement
-
On 2016-11-07 18:25, Ryan Sleevi wrote:
This is why it's vitally important that clients fetch inclusion proofs in some
manner
Have you considered a TLS extension, have the server fetch them and send
to the client?
Kurt
___
dev-security-policy
On Sat, Nov 05, 2016 at 09:09:49AM +, Gervase Markham wrote:
> > If they had sent an incident report to Mozilla I would agree, but I do
> > not think that CAs should be credited for noticing mistakes when they
> > try to sweep them under the rug. This is particularly true in the case
> > of
On 2016-10-19 01:37, Rob Stradling wrote:
On 18/10/16 23:49, Gervase Markham wrote:
On 18/10/16 15:42, Ryan Hurst wrote:
I do not understand the desire to require StartCom / WoSign to not
utilize their own logs as part of the associated quorum policy.
My original logic was that it could be
On 2016-10-14 10:19, Nick Lamb wrote:
On Friday, 14 October 2016 02:21:36 UTC+1, Matt Palmer wrote:
Will there be any requirements around the qualification status of the logs,
or could anyone who wanted to be "nice" just stand up a log, and have these
CAs obtain precerts from them?
I don't
1 - 100 of 300 matches
Mail list logo