On Fri, Jan 3, 2020 at 12:49 PM Corey Bonnell via dev-security-policy <[email protected]> wrote:

> On Friday, January 3, 2020 at 10:27:26 AM UTC-5, Wayne Thayer wrote:
> > I've made some additional improvements to the survey based on feedback from Kathleen:
> >
> > https://ccadb-public.secure.force.com/mozillacommunications/CACommunicationSurveySample?CACommunicationId=a051J00003waNOW
> >
> > I'm planning to send this out to CAs on Tuesday.
> >
> > On Mon, Dec 23, 2019 at 12:39 PM Wayne Thayer <[email protected]> wrote:
> >
> > > On Thu, Dec 19, 2019 at 3:59 PM Jeremy Rowley <[email protected]> wrote:
> > >
> > >> Should anything be mentioned about the allowed algorithms? That's the largest change to the policy and confirming the AlgorithmIdentifiers in each case may take some time.
> > >>
> > > I'd argue that this is a clarification rather than a change, and depending on the CA, confirming compliance with the updates in section 5.1 may not take as long as the CPS updates. I'm not strongly opposed to calling this out but I'd argue that it's hard to miss when reviewing all of the updates as required by question #1.
> > >
> Perhaps a minor question/nit, but it's better to raise it to remove all doubt: for Action Item 3, if there exist revoked (but still unexpired) end-entity certificates w/o an EKU but the CA has already switched to universally including the EKU in end-entity certificates, should the CA select "All unexpired end-entity certificates that we issue or have issued and are within the scope of Mozilla’s policy currently comply with this requirement" (which loosely interprets the meaning of "unexpired" to encompass "non-revoked" as well), or should the CA select one of the other options?

Thank you Corey. I have explicitly added "non-revoked" to the option that you quoted above.

> I believe the intent of the discussion in https://groups.google.com/d/msg/mozilla.dev.security.policy/5lAI-8lkQbM/1D392GR1BQAJ indicates that Mozilla doesn't care about revoked certificates in this case, so perhaps the language for option 1 should be clarified to specify "unexpired, non-revoked" to better convey the intent.
>
> Thanks,
> Corey

