Thanks Alex. Greatly appreciated.
From: Alex Gaynor [mailto:agay...@mozilla.com] Sent: Thursday, April 27, 2017 2:05 PM To: Jeremy Rowley <jeremy.row...@digicert.com> Cc: Rob Stradling <rob.stradl...@comodo.com>; mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org> Subject: Re: Symantec Conclusions and Next Steps On Thu, Apr 27, 2017 at 3:52 PM, Jeremy Rowley via dev-security-policy <dev-security-policy@lists.mozilla.org <mailto:dev-security-policy@lists.mozilla.org> > wrote: Your post made me realize that we never publicly posted the status of these last few CAs. Sorry about that. Here's the plan: 1. ABB - ABB was supposed to be technically constrained (and is restricted to certain names). However, the technical constraints were added incorrectly and didn't exclude IPv6. We're working with them to update the intermediate with a properly constrained sub CA. 2. Bechtel - The Bechtel intermediates are scheduled for revocation the last day of April. 3. Nets Norway - This intermediate lacked an EKU but was constrained to certain domain names under Nets Norway's control. Nets Norway is no longer using the intermediate but would like to leave the intermediate active until the certs expire. I'm not sure what to do on this one. Any thoughts? To save everyone else 3 minutes of search crt.sh, the oldest cert that I saw under this intermediate was November 2019. Alex 4. Belgium Roots - The Belgium roots have audits now. We are waiting on the audit report publication to change the status. The reports were provided to the browsers but aren't available publicly yet. The Belgium CAs only issue client certificates. Jeremy -----Original Message----- From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley <mailto:dev-security-policy-bounces%2Bjeremy.rowley> =digicert.com@lists.mozilla .org] On Behalf Of Rob Stradling via dev-security-policy Sent: Thursday, April 27, 2017 4:38 AM To: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org <mailto:mozilla-dev-security-pol...@lists.mozilla.org> > Subject: Re: Symantec Conclusions and Next Steps On 26/04/17 21:21, Rob Stradling via dev-security-policy wrote: <snip> > (Note: A few of the non-Symantec entries currently listed by > https://crt.sh/mozilla-disclosures#undisclosed are false positives, I > think. It looks like Kathleen has marked some roots as "Removed" on > CCADB ahead of the corresponding certdata.txt update on mozilla-central). Ah, I take that back. The March certdata.txt update did hit mozilla-central on 11th April, but I missed an alert. I've just pushed that update to crt.sh. https://crt.sh/mozilla-disclosures#undisclosed is currently free of false positives. It shows that DigiCert, StartCom and Symantec are currently out-of-compliance with Mozilla's disclosure requirement. -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org <mailto:dev-security-policy@lists.mozilla.org> https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org <mailto:dev-security-policy@lists.mozilla.org> https://lists.mozilla.org/listinfo/dev-security-policy
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy