On 28/04/14 20:04, Kathleen Wilson wrote:
> Please respond with one of the following:
> A) Mozilla’s spreadsheet of included root certificates has the correct
> link to our most recent audit statement, and the audit statement date is
> correct.
> B) Here is the most recent audit statement for our certificates that are
> included in Mozilla’s CA program: <insert link here>
> C) We plan to send Mozilla our current audit statement by <insert date
> here>.
"... We have identified and resolved the process problem which led to us not supplying this information in a timely manner"?

Do we want to put something in giving the mechanism by which we would prefer to be pushed this information on a yearly basis? Is it email to you?

> 2) Send Mozilla the link to your most recent Baseline Requirements audit
> statement. Details about Mozilla's audit requirements are listed in
> section 11 of Mozilla's CA Certificate Inclusion Policy.
>
> Please respond with one of the following:
> A) Mozilla’s spreadsheet of included root certificates has the correct
> link to our most recent Baseline Requirements audit statement.
> B) Here is the most recent Baseline Requirements audit statement for our
> certificates that are included in Mozilla’s CA program: <insert link here>
> C) We plan to send Mozilla our current Baseline Requirements audit
> statement by <insert date here>.
> D) The websites (SSL/TLS) trust bit is not enabled for our certificates
> that are included in Mozilla's CA program.

Same addendum as above, for B and/or C?

> Please respond with one of the following:
> A) We have tested certificates in our CA hierarchy with Mozilla's new
> Certificate Verification library, and found that the certificates in our
> CA hierarchies are not impacted by the changes introduced in mozilla::pkix.
> B) We have found the following issues when testing certificates in our
> CA hierarchy with mozilla::pkix. <descriptions or Bugzilla bug numbers,
> related URLs and/or certificates>
> C) We are testing certificates in our CA hierarchy with Mozilla's new
> Certificate Verification library, and plan to send Mozilla our results
> by <insert date here, must be before June 30, 2014>.

You might note that they should particularly make sure to check EV status, and to check chains through all currently-used intermediates. Perhaps this could be noted on the testing page itself, though.
> 4) Check your certificate issuance to confirm that no new certificates
> will be issued with the problems listed here:
> https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix

If we are sending out a wiki URL, we should link to a particular historical version so the CAs have a stable target. E.g.:

https://wiki.mozilla.org/index.php?title=SecurityEngineering/mozpkix-testing&oldid=970104

Otherwise, if that page gets edited, and they say "item 5", you might not know what they were referring to.

> Please respond with one of the following:
> A) We have not and will not issue certificates with ....any of... the problems listed
> in the mozpkix-testing#Things_for_CAs_to_Fix wiki page.
> B) We have previously issued certificates with the following problems
> listed in the mozpkix-testing#Things_for_CAs_to_Fix wiki page: <list the
> problems that needed to be fixed>. The last of those certificates expire
> <insert dates here>.

One date per problem.

> We will not issue new certificates with the
> problems listed in the mozpkix-testing#Things_for_CAs_to_Fix wiki page
> as of this date: <date when your operations will be updated, no later
> than June 30, 2014>

Does the list on that wiki page need to include the Microsoft equivalent of the SGC EKU? Or are we not mentioning that?

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy