Hey Ben,

Take a look at the thread "Disclosing unconstrained emailProtection intermediates to CCADB" by Rob; it explains the change and has the relevant dates by which CAs must comply.
Alex

On Tue, Jul 11, 2017 at 3:21 PM, Ben Wilson via dev-security-policy <[email protected]> wrote:

> By the way, I just noticed on https://crt.sh/mozilla-disclosures#undisclosed
> that CA certificates with an EKU of eMailProtection (1.3.6.1.5.5.7.3.4) are
> now listed when they weren't required to be listed previously. Presumably
> CAs will be given ample time to update these entries.
>
> -----Original Message-----
> From: dev-security-policy
> [mailto:[email protected]] On
> Behalf Of Nick Lamb via dev-security-policy
> Sent: Tuesday, July 11, 2017 7:57 AM
> To: [email protected]
> Subject: Re: How long to resolve unaudited unconstrained intermediates?
>
> On Tuesday, 11 July 2017 10:56:43 UTC+1, Kurt Roeckx wrote:
> > So at least some of them have been notified more than 3 months ago,
> > and a bug was filed a month later. I think you already gave them too
> > much time to at least respond to it, and suggest that you send a new
> > email indicating that if they don't respond immediately that they will
> > get added to OneCRL.
>
> Agreed. It may also make sense to add telemetry that allows Mozilla to
> determine whether listing such subCAs in the OneCRL are ever actually
> blocking anything. This makes a difference in my opinion as to the
> severity of the breach of policy by the CA in question.
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

