Thanks for the response Bruce.

On Fri, Sep 7, 2018 at 6:55 AM Bruce via dev-security-policy <[email protected]> wrote:

> On Thursday, September 6, 2018 at 7:44:15 PM UTC-4, Wayne Thayer wrote:
> > All,
> >
> > I've drafted a new email and survey that I hope to send to all CAs in the
> > Mozilla program next week. It focuses on compliance with the new (2.6.1)
> > version of our Root Store Policy. I would appreciate your feedback on the
> > draft:
> >
> > https://ccadb-public.secure.force.com/mozillacommunications/CACommunicationSurveySample?CACommunicationId=a051J00003rMGLL
> > <https://ccadb-public.secure.force.com/mozillacommunications/CACommunicationSurveySample?CACommunicationId=a051J00003mogw7>
> >
> > Thanks,
> >
> > Wayne
>
> With regard to the actions.
>
> ACTION 6 - Can we select CA certificates which we do not want pre-loaded?
> In some cases the CA certificate is no longer used and does not need
> pre-loading.

We're of the opinion that this adds more complexity and risk than it's worth. We're not planning to preload revoked intermediates, and in the case you've described, it sounds like revocation is a viable option.

> ACTION 7 - Although we support the Chrome CT requirement, we do have a
> process to allow customers to choose not to CT log their certain SSL
> certificates. We do not redact names, but I suppose we allow a customer to
> redact certificates. As such, I don't think the responses listed in action
> 7 covers this model.

I've updated the response options to include both redaction and opting specific certificates out of logging. Please let me know if there are more choices that aren't covered.

> Thanks, Bruce.

