> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+doug.beattie=globalsign@lists.mozilla.org] On Behalf Of Gervase
> Markham via dev-security-policy
> Sent: Wednesday, April 12, 2017 4:45 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> >
Hi Doug,
Kathleen is unavailable this week, so I'll try and answer. (This might
have been better as a new top-level post, though...)
On 11/04/17 21:14, Doug Beattie wrote:
> This is my understanding:
>
> - Under policy 2.3 a CA that is technically
> constrained with EKU set to only secure email
.org
> Subject: Re: Next CA Communication
>
> On Tuesday, April 4, 2017 at 10:38:28 AM UTC-7, Kathleen Wilson wrote:
> >
> > The email has been sent, and the survey is open.
> >
>
>
> Published a security blog about it:
> https://blog.mozilla.org/security/
On Tuesday, April 4, 2017 at 10:38:28 AM UTC-7, Kathleen Wilson wrote:
>
> The email has been sent, and the survey is open.
>
Published a security blog about it:
https://blog.mozilla.org/security/2017/04/04/mozilla-releases-version-2-4-ca-certificate-policy/
Cheers,
Kathleen
On Monday, April 3, 2017 at 2:21:14 PM UTC-7, Kathleen Wilson wrote:
> All,
>
> I'm getting ready to send the April 2017 CA Communication email.
>
> I updated the wiki page to have the survey introduction text, and a
> (read-only) link to the full survey:
> https://wiki.mozilla.org/CA:Communicat
All,
I'm getting ready to send the April 2017 CA Communication email.
I updated the wiki page to have the survey introduction text, and a (read-only)
link to the full survey:
https://wiki.mozilla.org/CA:Communications#April_2017
The survey in the Common CA Database is now open, with an expirati
On Monday, April 3, 2017 at 10:13:22 AM UTC-7, Kathleen Wilson wrote:
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
> still shows version 2.4.
It's been updated to version 2.4.1.
Thanks,
Kathleen
___
dev-securi
On Saturday, April 1, 2017 at 3:59:28 AM UTC-7, Gervase Markham wrote:
> On 31/03/17 22:20, Kathleen Wilson wrote:
> > Please let me know asap if you see any problems, typos, etc. in this
> > version.
>
> Now that policy 2.4.1 has been published, we should update Action 3 to
> say the following at
On 31/03/17 22:20, Kathleen Wilson wrote:
> Please let me know asap if you see any problems, typos, etc. in this
> version.
Now that policy 2.4.1 has been published, we should update Action 3 to
say the following at the top:
Versions 2.4 and 2.4.1 of Mozilla's CA Certificate Policy have been
publ
I have moved the draft of the April 2017 CA Communication to production, so the
link has changed to:
https://mozillacaprogram.secure.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a05o03WrzBC
It is also available here:
https://wiki.mozilla.org/CA:Communications#April_
On 28/03/2017 16:13, Ryan Sleevi wrote:
On Tue, Mar 28, 2017 at 10:00 AM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
In principle any source of information could change just one minute
later. A domain could be sold, a company could declare bankruptcy, a
On Tue, Mar 28, 2017 at 10:00 AM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> In principle any source of information could change just one minute
> later. A domain could be sold, a company could declare bankruptcy, a
> personal domain owner could die.
>
Y
On 28/03/2017 15:20, Ryan Sleevi wrote:
On Tue, Mar 28, 2017 at 8:52 AM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
While this has apparently already passed, the earlier date for
requiring revalidation is going to be a problem for any CA that has
already
On Tue, Mar 28, 2017 at 8:52 AM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> While this has apparently already passed, the earlier date for
> requiring revalidation is going to be a problem for any CA that has
> already sold a large number (thousands, mil
On 27/03/2017 11:10, Gervase Markham wrote:
On 17/03/17 15:30, Gervase Markham wrote:
The URL for the draft of the next CA Communication is here:
https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2
Note that this is a
On 27/03/17 16:22, Ryan Sleevi wrote:
> Would it be useful to thus also query whether there would be impact in
> Mozilla applications failing to trust such certificates, but otherwise to
> continue permitting their issuance.
That is a good idea. How about:
If you are unable to support a compreh
On 27/03/17 16:18, Ryan Sleevi wrote:
> I'm curious whether you would consider 18 months an appropriate target for
> a deprecation to 1 year certificates. That is, do you believe a transition
> to 1 year certificates requires 24 months or 18 months, or was it chosen
> simply for its appeal as a sta
On Mon, Mar 27, 2017 at 10:18 AM, Ryan Sleevi wrote:
> Gerv,
>
> I'm curious whether you would consider 18 months an appropriate target for
> a deprecation to 1 year certificates. That is, do you believe a transition
> to 1 year certificates requires 24 months or 18 months, or was it chosen
> sim
ar certs, 2
years -> 1 year certs)
On Mon, Mar 27, 2017 at 5:10 AM, Gervase Markham via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On 17/03/17 15:30, Gervase Markham wrote:
> > The URL for the draft of the next CA Communication is here:
> > https
On 17/03/17 15:30, Gervase Markham wrote:
> The URL for the draft of the next CA Communication is here:
> https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2
>
> Note that this is a _draft_ - the form parts w
On Friday, March 24, 2017 at 3:11:17 AM UTC-7, Gervase Markham wrote:
> On 23/03/17 23:07, Kathleen Wilson wrote:
> > Second paragraph of Action 1 now says: ~~ Note that version 1.4.2 of
> > the BRs does not contain all 10 of these methods, but it does contain
> > section 3.2.2.4.11, "Other Methods
On 23/03/17 23:07, Kathleen Wilson wrote:
> Second paragraph of Action 1 now says: ~~ Note that version 1.4.2 of
> the BRs does not contain all 10 of these methods, but it does contain
> section 3.2.2.4.11, "Other Methods", so the subsections of version
> 3.2.2.4 that are marked "Reserved" in versi
On Tuesday, March 21, 2017 at 11:34:30 AM UTC-7, Gervase Markham wrote:
> On 21/03/17 10:16, Gervase Markham wrote:
> > On 17/03/17 11:30, Gervase Markham wrote:
> >> The URL for the draft of the next CA Communication is here:
> >> https://mozilla-mozillacaprogram.cs
On Tuesday, March 21, 2017 at 7:17:26 AM UTC-7, Gervase Markham wrote:
> On 17/03/17 11:30, Gervase Markham wrote:
> > The URL for the draft of the next CA Communication is here:
> > https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CA
On Tuesday, March 21, 2017 at 5:51:29 AM UTC-7, Kurt Roeckx wrote:
> On 2017-03-21 12:51, Jakob Bohm wrote:
> > On 21/03/2017 10:09, Kurt Roeckx wrote:
> >> Action 6 says:
I've updated action #6, but it still might not be clear.
Here's the new draft:
ACTION 6: QUALIFIED AUDIT STATEMENTS
When an
On 21/03/17 10:16, Gervase Markham wrote:
> On 17/03/17 11:30, Gervase Markham wrote:
>> The URL for the draft of the next CA Communication is here:
>> https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2
On 17/03/17 11:30, Gervase Markham wrote:
> The URL for the draft of the next CA Communication is here:
> https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2
A few more wording tweaks on the current version:
* Action
On 2017-03-21 12:51, Jakob Bohm wrote:
On 21/03/2017 10:09, Kurt Roeckx wrote:
On 2017-03-17 16:30, Gervase Markham wrote:
The URL for the draft of the next CA Communication is here:
https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId
On 21/03/2017 10:09, Kurt Roeckx wrote:
On 2017-03-17 16:30, Gervase Markham wrote:
The URL for the draft of the next CA Communication is here:
https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2
Action 6 says:
However
On 2017-03-17 16:30, Gervase Markham wrote:
The URL for the draft of the next CA Communication is here:
https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2
Action 6 says:
However, a point-in-time audit statement only
On Monday, March 20, 2017 at 2:43:22 PM UTC-7, Gervase Markham wrote:
> On 20/03/17 15:33, Kathleen Wilson wrote:
> >> * Action 7: some of the BR Compliance bugs relate to CAs which are no
> >> longer trusted, like StartCom. If StartCom does become a trusted CA
> >> again, it will be with new syste
On 20/03/17 16:29, Kathleen Wilson wrote:
> updated
>
> See action 9 here:
> https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2
You now need to remove the second bullet in this action, as it's
redundant with the reduced sco
On 20/03/17 13:07, Peter Bowen wrote:
>> E) SHA-1 and S/MIME
>>
>> Does your CA issue SHA-1 S/MIME certificates? If so, please explain your
>> plans for ceasing to do so, and any self-imposed or external deadlines
>> you are planning to meet. Mozilla plans to make policy in this area in
>> the futu
On 20/03/17 15:33, Kathleen Wilson wrote:
>> * Action 7: some of the BR Compliance bugs relate to CAs which are no
>> longer trusted, like StartCom. If StartCom does become a trusted CA
>> again, it will be with new systems which most likely do not have the
>> same bugs. Should we close the StartCo
On Mon, Mar 20, 2017 at 4:52 PM Rob Stradling
wrote:
> On 20/03/17 17:07, Peter Bowen via dev-security-policy wrote:
>
> >> B) Your attention is drawn to the cablint and x509lint tools, which you
> >> may wish to incorporate into your certificate issuance pipeline to get
> >> early warning of ci
On Monday, March 20, 2017 at 1:37:32 PM UTC-7, Jeremy Rowley wrote:
> Something like: "Does your CA have any third-party Registration Authority
> (RA)s program that the CA relies on to perform the domain validation
> required under Section 3.2.2.4 of the Baseline Requirements."
Updated
son via dev-security-policy
Sent: Monday, March 20, 2017 2:29 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Next CA Communication
On Monday, March 20, 2017 at 10:59:41 AM UTC-7, Peter Bowen wrote:
> On Mon, Mar 20, 2017 at 10:43 AM, Jeremy Rowley via
> > [JR] This shou
On Monday, March 20, 2017 at 10:59:41 AM UTC-7, Peter Bowen wrote:
> On Mon, Mar 20, 2017 at 10:43 AM, Jeremy Rowley via
> > [JR] This should be limited to SSL certs IMO. With client certs, you're
> > going
> > to get a lot more RAs that likely function under the standard or legal
> > framework de
On Monday, March 20, 2017 at 9:50:38 AM UTC-7, Gervase Markham wrote:
> On 17/03/17 15:30, Gervase Markham wrote:
> > The URL for the draft of the next CA Communication is here:
> > https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CA
On Friday, March 17, 2017 at 9:17:07 AM UTC-7, Peter Bowen wrote:
> I would replace this with:
>
> + Distinguished name and SHA-256 hash of the SubjectPublicKeyInfo of
> each certificate issuer covered by the audit scope
> + Clear indication of which in-scope certificate issuers are Root CAs
>
On Mon, Mar 20, 2017 at 10:43 AM, Jeremy Rowley via
dev-security-policy wrote:
> A) Does your CA have an RA program, whereby non-Affiliates of your company
> perform aspects of certificate validation on your behalf under contract? If
> so, please tell us about the program, including:
>
> * How man
A) Does your CA have an RA program, whereby non-Affiliates of your company
perform aspects of certificate validation on your behalf under contract? If
so, please tell us about the program, including:
* How many companies are involved
* Which of those companies do their own domain ownership valid
On Mon, Mar 20, 2017 at 8:36 AM, Gervase Markham via
dev-security-policy wrote:
> On 17/03/17 15:30, Gervase Markham wrote:
>> The URL for the draft of the next CA Communication is here:
>> https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicat
On 17/03/17 15:30, Gervase Markham wrote:
> The URL for the draft of the next CA Communication is here:
> https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2
* Action 1 should say that if in future additional sp
On Fri, Mar 17, 2017 at 8:30 AM, Gervase Markham via
dev-security-policy wrote:
> The URL for the draft of the next CA Communication is here:
> https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2
>
> Note th
The URL for the draft of the next CA Communication is here:
https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2
Note that this is a _draft_ - the form parts will not work, and no CA
should attempt to use this URL or the form
On Tuesday, 23 August 2016 20:03:13 UTC+1, Kathleen Wilson wrote:
> Are there any other topics that I should include in this upcoming CA
> Communication?
Also, I think that the SHA-1 topic should be brought up again. Some CA folks
will be tired of reading about this, having managed the issue wi
On Tuesday, 23 August 2016 20:03:13 UTC+1, Kathleen Wilson wrote:
> Are there any other topics that I should include in this upcoming CA
> Communication?
It can be worth following-up on date-in-time commitments from those CAs in
replies to the previous communication this year. Each CA should be
.
So, I think I should send the next CA Communication[3] to make sure all
of the CAs in Mozilla's program are aware of these new requirements, and
update their CP/CPS accordingly by March 1, 2017.
Are there any other topics that I should include in this upcoming CA
Communication?
T
On 5/12/15 11:27 AM, Kathleen Wilson wrote:
On 5/7/15 10:47 AM, Kathleen Wilson wrote:
On 5/6/15 1:52 AM, Gervase Markham wrote:
On 05/05/15 21:54, Kathleen Wilson wrote:
EXAMPLE/DRAFT Survey Link:
https://community-mozillacaprogram.cs21.force.com/Communications/TakeSurvey?id=a04q004jpXoAA
On 5/7/15 10:47 AM, Kathleen Wilson wrote:
On 5/6/15 1:52 AM, Gervase Markham wrote:
On 05/05/15 21:54, Kathleen Wilson wrote:
EXAMPLE/DRAFT Survey Link:
https://community-mozillacaprogram.cs21.force.com/Communications/TakeSurvey?id=a04q004jpXoAAI&cId=&caId=none
LGTM.
Gerv
Thanks, I'
On 5/6/15 1:52 AM, Gervase Markham wrote:
On 05/05/15 21:54, Kathleen Wilson wrote:
EXAMPLE/DRAFT Survey Link:
https://community-mozillacaprogram.cs21.force.com/Communications/TakeSurvey?id=a04q004jpXoAAI&cId=&caId=none
LGTM.
Gerv
Thanks, I'm planning to send the communication early ne
On 05/05/15 21:54, Kathleen Wilson wrote:
> EXAMPLE/DRAFT Survey Link:
> https://community-mozillacaprogram.cs21.force.com/Communications/TakeSurvey?id=a04q004jpXoAAI&cId=&caId=none
LGTM.
Gerv
___
dev-security-policy mailing list
dev-security-polic
On 5/1/15 3:26 AM, Jesper Kristensen wrote:
On 30-04-2015 at 11:43, Gervase Markham wrote:
On 29/04/15 17:23, Kathleen Wilson wrote:
I will appreciate your feedback on the email and the survey (use link
below).
All looks good to me. Although it's a shame Salesforce seems not to be
able to em
On 30-04-2015 at 11:43, Gervase Markham wrote:
On 29/04/15 17:23, Kathleen Wilson wrote:
I will appreciate your feedback on the email and the survey (use link
below).
All looks good to me. Although it's a shame Salesforce seems not to be
able to embed links.
Gerv
That survey looks like a
On 29/04/15 17:23, Kathleen Wilson wrote:
> I will appreciate your feedback on the email and the survey (use link
> below).
All looks good to me. Although it's a shame Salesforce seems not to be
able to embed links.
Gerv
All,
I have entered the draft CA Communication into the sandbox area of
SalesForce, so we can see how it will look.
Below is an example of the email that will be sent to the Primary Point
of Contact (POC) for each CA with a root included in Mozilla's program.
The survey link in each email wi
On 4/13/15 1:15 PM, Brian Smith wrote:
Kathleen Wilson wrote:
ACTION #4
Workarounds were implemented to allow mozilla::pkix to handle the things
listed here:
https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix
Hi Kathleen,
Thanks for including this in the CA co
On 4/9/15 9:32 AM, Kathleen Wilson wrote:
All,
I would like to send the next CA Communication in late April or early
May, and request CAs to respond to it within one month. For this
communication I plan to use SalesForce to email a customized survey link
to the Primary Point of Contact for each
Kathleen Wilson wrote:
> ACTION #4
> Workarounds were implemented to allow mozilla::pkix to handle the things
> listed here:
> https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix
Hi Kathleen,
Thanks for including this in the CA communication.
That list of workarou
On 09/04/15 21:12, yuhongbao_...@hotmail.com wrote:
> What about Mozilla's own aus3.mozilla.org certificate for which the SHA-1
> intermediate was pinned?
I'm afraid I don't understand the question, or how it relates to the CA
Communication. Can you clarify?
Gerv
Ryan Sleevi wrote:
> On Fri, April 10, 2015 7:49 am, Jürgen Brauckmann wrote:
>> Is this just a survey, or does the question imply a new Mozilla policy
>> which requires CAs to actively force their customers to stop using old,
>> non-expired SHA-1 certificates?
>>
>> The latter would be quit
On Thursday, April 9, 2015 at 9:32:48 AM UTC-7, Kathleen Wilson wrote:
> All,
>
> I would like to send the next CA Communication in late April or early
> May, and request CAs to respond to it within one month. For this
> communication I plan to use SalesForce to email a customi
All,
I would like to send the next CA Communication in late April or early
May, and request CAs to respond to it within one month. For this
communication I plan to use SalesForce to email a customized survey link
to the Primary Point of Contact for each CA owner, and the responses
will be
64 matches