On Wed, Jan 18, 2017 at 07:23:35AM -0800, Peter Bowen wrote:
>
> > On Jan 18, 2017, at 7:18 AM, Gervase Markham <g...@mozilla.org> wrote:
> >
> > On 17/01/17 23:33, Jakob Bohm wrote:
> >> How about "_and versions and strong (>= 256 bits) hashes_",
> >
> > Do people think we need to go this far?
> >
> > If we do, we'll need them to specify filenames, not just document
> > titles. Otherwise, one wouldn't know if the hash was a .doc, a .pdf, or
> > what.
>
> I don’t think hashes of documents is necessary, but I do think including the
> version information is critical.
>
> I would support requiring inclusion of the full distinguished names of all
> the CAs that are covered (and maybe their SPKI hash), as that is currently an
> even larger gap.

And I would like to see that as a requirement in the audit report, which CAs
are actually checked.

Kurt