On Sat, Sep 10, 2016 at 9:14 AM, Lee <[email protected]> wrote:
> On 9/10/16, Gervase Markham <[email protected]> wrote:
>> On 09/09/16 11:53, Jakob Bohm wrote:
>
> Does Mozilla feel that using 'clear text' protocols to validate
> domains is adequate security?
> https://cabforum.org/2016/08/05/ballot-169-revised-validation-requirements/
>> Authorized Port: One of the following ports: 80 (http), 443 (http), 115
>> (sftp), 25 (smtp), 22 (ssh).
This is basically a catch-22 for initial issuance. If you allow validation via connection to a host operating the requested FQDN, then it will almost surely not be using a trusted public certificate for the first connection. Using ssh or accepting a self-signed certificate does not appear to address any critical part of the threat model.

> How bad does an auditor have to be before Mozilla will no longer
> accept them as "a trusted auditor for the Mozilla root program"?
> https://wiki.mozilla.org/CA:WoSign_Issues#Issue_J:_Various_BR_Violations_.28Apr_2015.29
>> Google noted that many of these issues should have been caught by a
>> competent auditor.
>> WoSign's auditors at the time were Ernst and Young (Hong Kong).
>
> Will Mozilla accept CA audits done by Ernst and Young in the near future?
>
> Does Mozilla plan on giving any extra attention to CAs whose last
> audit was done by Ernst and Young?

EY, like BDO, Deloitte, KPMG, and PwC, are not single firms. They are "networks" of firms which usually carry out their audit/attest services independently and are independently owned and operated. So an opinion from Ernst & Young Bedrijfsrevisoren BCVBA (Belgium) is likely written by a team independent from the team that wrote an opinion from Ernst & Young P/S (Denmark), which is independent from the team that wrote an opinion from EY 安永 (Hong Kong).

That being said, I suspect that EY Global wants to protect its brand, so I would hope they review any reports from any member firm that appear to be lacking.

Thanks,
Peter

