On 07/09/2018 15:55, Bruce wrote:
> On Thursday, September 6, 2018 at 7:44:15 PM UTC-4, Wayne Thayer wrote:
>> All,
>>
>> I've drafted a new email and survey that I hope to send to all CAs in the
>> Mozilla program next week. It focuses on compliance with the new (2.6.1)
>> version of our Root Store Policy. I would appreciate your feedback on the
>> draft:
>> https://ccadb-public.secure.force.com/mozillacommunications/CACommunicationSurveySample?CACommunicationId=a051J00003rMGLL
>> <https://ccadb-public.secure.force.com/mozillacommunications/CACommunicationSurveySample?CACommunicationId=a051J00003mogw7>
>>
>> Thanks,
>>
>> Wayne
>
> With regard to the actions.
>
> ACTION 6 - Can we select CA certificates which we do not want pre-loaded? In
> some cases the CA certificate is no longer used and does not need pre-loading.
>
> ACTION 7 - Although we support the Chrome CT requirement, we do have a process
> to allow customers to choose not to CT log certain of their SSL certificates. We
> do not redact names, but I suppose we allow a customer to redact certificates.
> As such, I don't think the responses listed in action 7 cover this model.
>
> Thanks, Bruce.

The CRLite document linked from the draft is an old scientific article
that contains some factually wrong assumptions, which will hopefully be
fixed in Mozilla's implementation anyway.
Would it be useful for Mozilla's CRLite implementation to accept lists
of certificates from a source much shorter than the Google CT logs, for
example a CRL-like file (signed by the CA) containing only the minimum
number of attributes (serial number only for now) for each issued
certificate?
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded