Suggestion: "List of CA policy documents _and versions_"
Having seen audits that simply say "CPS at [URL]" leaves it ambiguous
as to which version was audited. It also raises concerns of a CA
forgetting to update their public CP/CPS with whatever the auditor
examined.
On Thu, Jan 12, 2017 at
Gerv,
I'd like to push a little and suggest that the IP issues are not a
significant reason for Mozilla not to formalize on 1.4.1 (e.g. with
169 included)
Notably, 1.3.7 also has IP encumbrances - and uncertainty - the same
as 1.4.1, so presumably, Mozilla is OK with having encumbered methods
On Wednesday, January 11, 2017 at 5:03:08 AM UTC+2, Wayne Thayer wrote:
> ... and will also be logged to the Google Pilot CT log.
Why not post _ALL_ certificates issued via that method to the CT log?
dev-security-policy mailing list
> From: Gervase Markham [mailto:g...@mozilla.org]
> Sent: Thursday, January 12, 2017 3:07 AM
> To: Wayne Thayer ; mozilla-dev-security-
> pol...@lists.mozilla.org
> Subject: Re: Incident Report – Certificates issued without proper domain
> validation
>
> Hi Wayne,
>
> Thanks
I agree with this approach. Nothing of note was included after the domain
validation passed, so making 1.3.7 the effective version makes sense.
All,
Many of you have noticed that I have transitioned the job of Information
Verification[1] of root inclusion/change requests to Aaron Wu and Francis Lee,
because I no longer have the bandwidth to do that work.
Additionally, I hope to get a new process rolled out in Q1 that will enable CAs
The current CA policy does not specify when audit reports are due to
Mozilla relative to the end date of the audit period. It only says that
CAs must provide the reports to Mozilla within 30 days of receiving the
report from their auditor.
Peter Bowen proposed some revised and more specific
Point 12 of the Inclusion section requires conformance to the Baseline
Requirements version 1.3, released on 16th April 2015. The current
version is 1.4.1.
I propose changing to version 1.3.7. This is the one before the version
which updated the domain validation requirements and which has had to
Currently, Inclusion point 7 requires conformance to EV 1.4 or later.
This was released in May 2012. The current version of EV (as of a week
ago) was 1.6.
We should update directly to 1.6, which was released in July 2016.
This is: https://github.com/mozilla/pkipolicy/issues/29
---
This is
On 16/12/16 15:18, Gervase Markham wrote:
> Nevertheless, we should update our policy to also use this text, because
> our policy also covers email certificates. We discussed this at the All
> Hands recently and we did not think that there were any compelling
> reasons to provide exemptions to
On 16/12/16 15:20, Gervase Markham wrote:
> Kathleen's proposal is to change:
>
> "or that the certificate has otherwise been misused;"
>
> to
>
> "or that the certificate has been used for a purpose outside of that
> indicated in the certificate or in the CA's subscriber agreement;"
On 16/12/16 15:15, Gervase Markham wrote:
> Proposal: add another sentence to the second bullet in point 3 of the
> Maintenance section:
>
> "The nextUpdate of the OCSP response must be before or equal to the
> notAfter date of the certificate which signs it, and all other
> certificates in the
On 08/12/16 20:46, Gervase Markham wrote:
> We want to change the policy to make it clear that whether a cert is
> covered by our policy or not is dependent on whether it is technically
> capable of issuing server certs, not whether it is intended by the CA
> for issuing server certs.
>
> Until
Hi Wayne,
Thanks for these prompt and detailed responses.
On 12/01/17 00:27, Wayne Thayer wrote:
> Our initial response as reported yesterday was to fix the bug
> introduced in July. Based on internal discussions and comments here,
> as of 12 midnight PST last night (1/11) we stopped using this