Re: Policy 2.4 Proposal: Define how quickly audit reports must be provided

2017-01-17 Thread Jakob Bohm
On 18/01/2017 01:12, Nick Lamb wrote: On Tuesday, 17 January 2017 23:34:20 UTC, Jakob Bohm wrote: How about "_and versions and strong (>= 256 bits) hashes_", Frankly any _cryptographic_ hash should be adequate for this purpose. Even for the most creaky crypto hashes I can think of (e.g.

Re: Policy 2.4 Proposal: Define how quickly audit reports must be provided

2017-01-17 Thread Nick Lamb
On Tuesday, 17 January 2017 23:34:20 UTC, Jakob Bohm wrote: > How about "_and versions and strong (>= 256 bits) hashes_", Frankly any _cryptographic_ hash should be adequate for this purpose. Even for the most creaky crypto hashes I can think of (e.g. MD4) pre-image attacks are theoretical

Re: Policy 2.4 Proposal: Define how quickly audit reports must be provided

2017-01-17 Thread Jakob Bohm
On 16/01/2017 12:31, Gervase Markham wrote: On 13/01/17 02:00, Ryan Sleevi wrote: Suggestion: "List of CA policy documents _and versions_" Yes, good idea. Gerv How about "_and versions and strong (>= 256 bits) hashes_", given recent confusion about CP/CPS translation change procedures at

Re: Policy 2.4 Proposal: Update required version number of Baseline Requirements to 1.3.7

2017-01-17 Thread Ryan Sleevi
On Mon, Jan 16, 2017 at 3:30 AM, Gervase Markham wrote: > On 13/01/17 01:56, Ryan Sleevi wrote: >> Notably, 1.3.7 also has IP encumbrances - and uncertainty - the same >> as 1.4.1, so presumably, Mozilla is OK with having encumbered methods >> included. Considering some of these

Re: Policy 2.4 Proposal: Define how quickly audit reports must be provided

2017-01-17 Thread Jakob Bohm
On 12/01/2017 18:12, Gervase Markham wrote: The current CA policy does not specify when audit reports are due to Mozilla relative to the end date of the audit period. It only says that CAs must provide the reports to Mozilla within 30 days of receiving the report from their auditor. Peter Bowen

RE: GoDaddy verification issue history appears incomplete: possible regression of bug in 2010

2017-01-17 Thread Wayne Thayer
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+wthayer=godaddy@lists.mozilla.org] On Behalf Of Jakob > Bohm > Sent: Tuesday, January 17, 2017 9:25 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: GoDaddy verification issue

Re: Audit Reminder Email Summary

2017-01-17 Thread Kathleen Wilson
Forwarded Message Subject: Summary of January 2017 Audit Reminder Emails Date: Tue, 17 Jan 2017 20:02:07 + (GMT) Mozilla: Audit Reminder Root Certificates: ISRG Root X1 Standard Audit: https://cert.webtrust.org/SealFile?seal=1987=pdf Audit Statement Date: 2015-12-15 BR

Re: GoDaddy verification issue history appears incomplete: possible regression of bug in 2010

2017-01-17 Thread Jakob Bohm
Really? You were doing manual testing that quickly? Using the kind of randomized challenging normally associated with automated testing? On 17/01/2017 04:48, Wayne Thayer wrote: Back in 2010 all of our testing was manual. We've been investing in automated testing over the last three years. Now