Re: CA Problem Reporting Mechanisms

2017-05-15 Thread userwithuid via dev-security-policy
After skimming the responses and checking a few CAs, I'm starting to wonder: Wouldn't it be easier to just add another mandatory field to the CCADB (e.g. "revocation contact"), requiring $URL or $EMAIL via policy and just use that to provide a public list? It seems to me that most revocation

Re: April CA Communication: Results

2017-05-15 Thread Jakob Bohm via dev-security-policy
On 15/05/2017 15:53, Doug Beattie wrote: ... Yes, it is certainly a bit dated. Outlook 2013 and 2016 are not listed along with more recent versions of iMail and Thunderbird. I believe the point of the document was only to list what was needed to get SHA256 compatibility. So for each

Re: Symantec: Update

2017-05-15 Thread Jakob Bohm via dev-security-policy
On 15/05/2017 22:06, Michael Casadevall wrote: On 05/15/2017 09:32 AM, Jakob Bohm wrote: This won't work for the *millions* of legitimate, not-misissued, end certificates that were issued before Symantec began SCT embedding (hopefully in the past) and haven't expired before such an early

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2017-05-15 Thread Patrick Tronnier via dev-security-policy
Greetings, I have reviewed your second BR self-assessment (https://bugzilla.mozilla.org/attachment.cgi?id=8860627) against your updated CP/CPS (CP V1.6, CPS V4.5, EV CP V1.4, and EV CPS V1.5) and provided the following comments and/or recommendations. 1. BR Section 3.2.2.5 Authentication for

RE: [EXT] Re: Draft further questions for Symantec

2017-05-15 Thread Steve Medin via dev-security-policy
Replacement link: https://bugzilla.mozilla.org/attachment.cgi?id=8867892 Sorry, I had the PDF cached. > -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > urijah--- via dev-security-policy >

Re: [EXT] Re: Draft further questions for Symantec

2017-05-15 Thread Michael Casadevall via dev-security-policy
I took a stab at trying to grok this. I find I have more questions and a lot more concerns the more I read though. Please let me know if I'm not the only one having issues decoding the responses. Here's my first impressions: RA & EV: Were all the certificates issued by the RAs uploaded to a CT

Re: Symantec: Update

2017-05-15 Thread Michael Casadevall via dev-security-policy
On 05/15/2017 09:32 AM, Jakob Bohm wrote: > This won't work for the *millions* of legitimate, not-misissued, > end certificates that were issued before Symantec began SCT > embedding (hopefully in the past) and haven't expired before such > an early deadline. > Sorry, I could have been more

Re: [EXT] Re: Draft further questions for Symantec

2017-05-15 Thread urijah--- via dev-security-policy
The link in footnote [1] https://www.idmanagement.gov/IDM/servlet/fileField?entityId=ka0t000Gmi3AAC=File__Body__s gives me a 404 error. On Monday, May 15, 2017 at 11:09:41 AM UTC-4, Steve Medin wrote: > Gerv, > > Our response to the recent questions is posted at: >

Re: Changing CCADB domains

2017-05-15 Thread Kathleen Wilson via dev-security-policy
Here are the changes we are requesting to be made on Friday, May 19, at 1pm PDT. 1) https://mozillacacommunity.force.com/ will be changed to https://ccadb.force.com/ (This is the CA login page, and the domain CAs see when they are logged into the CCADB) 2)

RE: [EXT] Symantec: Draft Proposal

2017-05-15 Thread Steve Medin via dev-security-policy
Symantec logs TLS server certificates that are intended to be trusted by Chrome to Certificate Transparency logs. Symantec does not systematically log other certificate types to CT, including Class 1, Class 2 and other types of user certificates. The Adobe Approved Trust List intermediate CA

RE: [EXT] Re: Symantec Conclusions and Next Steps

2017-05-15 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of Ryan > Sleevi via dev-security-policy > Sent: Tuesday, April 25, 2017 6:50 PM > To: Ryan Sleevi > Cc:

Re: Configuring Graduated Trust for Non-Browser Consumption

2017-05-15 Thread Ryan Sleevi via dev-security-policy
On Mon, May 15, 2017 at 10:18 AM, Alex Gaynor via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Once upon a time I would have said "yes, we should totally encourage people to > lovingly craft their perfect trust store, to reduce their risk profile". > Now, not so much. > > As

RE: [EXT] Re: Draft further questions for Symantec

2017-05-15 Thread Steve Medin via dev-security-policy
Gerv, Our response to the recent questions is posted at: https://bugzilla.mozilla.org/attachment.cgi?id=8867735 Kind regards, Steve > -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > Gervase

Re: April CA Communication: Results

2017-05-15 Thread urijah--- via dev-security-policy
It's useful to note that Outlook 2007 leaves extended support on October 10. (That deadline has been extended a few times, I believe, but this should be the final date.) https://support.microsoft.com/en-us/help/3198497/office-2007-approaching-end-of-extended-support On Monday, May 15, 2017 at

Re: Configuring Graduated Trust for Non-Browser Consumption

2017-05-15 Thread Alex Gaynor via dev-security-policy
Once upon a time I would have said "yes, we should totally encourage people to lovingly craft their perfect trust store, to reduce their risk profile". Now, not so much. As we've seen in numerous discussions, customers of CAs, particularly large enterprises and vendors (think payment terminals) love

RE: April CA Communication: Results

2017-05-15 Thread Doug Beattie via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+doug.beattie=globalsign@lists.mozilla.org] On Behalf Of Kurt > Roeckx via dev-security-policy > Sent: Monday, May 15, 2017 9:41 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re:

Re: April CA Communication: Results

2017-05-15 Thread Kurt Roeckx via dev-security-policy
On 2017-05-15 15:38, Kurt Roeckx wrote: On 2017-05-15 15:26, Gervase Markham wrote: On 15/05/17 14:19, Doug Beattie wrote: https://support.globalsign.com/customer/portal/articles/1216323 Thanks, Doug. There's no date on that doc - are you able to say when it was written? It says: Last

Re: April CA Communication: Results

2017-05-15 Thread Kurt Roeckx via dev-security-policy
On 2017-05-15 15:26, Gervase Markham wrote: On 15/05/17 14:19, Doug Beattie wrote: https://support.globalsign.com/customer/portal/articles/1216323 Thanks, Doug. There's no date on that doc - are you able to say when it was written? It says: Last Updated: Aug 26, 2013 11:24AM EDT Kurt

Re: April CA Communication: Results

2017-05-15 Thread Jakob Bohm via dev-security-policy
On 15/05/2017 15:26, Gervase Markham wrote: On 15/05/17 14:19, Doug Beattie wrote: https://support.globalsign.com/customer/portal/articles/1216323 Thanks, Doug. There's no date on that doc - are you able to say when it was written? Gerv I believe it is a "live" doc, that was regularly

Re: Configuring Graduated Trust for Non-Browser Consumption

2017-05-15 Thread Jakob Bohm via dev-security-policy
On 15/05/2017 15:19, Gervase Markham wrote: On 12/05/17 09:18, Cory Benfield wrote: I try not to decide whether there is interest in features like this: if they’re easy I’d just implement them and let users decide if they want it. That’s what I’d be inclined to do here. If Mozilla added such a

Re: Symantec: Update

2017-05-15 Thread Jakob Bohm via dev-security-policy
On 13/05/2017 12:27, Michael Casadevall wrote: On 05/11/2017 09:53 AM, Jonathan Rudenberg via dev-security-policy wrote: On May 10, 2017, at 11:52, Gervase Markham via dev-security-policy wrote: I would appreciate people's comments on the details of

Re: April CA Communication: Results

2017-05-15 Thread Gervase Markham via dev-security-policy
On 15/05/17 14:19, Doug Beattie wrote: > https://support.globalsign.com/customer/portal/articles/1216323 Thanks, Doug. There's no date on that doc - are you able to say when it was written? Gerv

Re: Configuring Graduated Trust for Non-Browser Consumption

2017-05-15 Thread Gervase Markham via dev-security-policy
On 12/05/17 09:18, Cory Benfield wrote: > I try not to decide whether there is interest in features like this: > if they’re easy I’d just implement them and let users decide if they > want it. That’s what I’d be inclined to do here. If Mozilla added > such a flag, I’d definitely be open to adding

RE: April CA Communication: Results

2017-05-15 Thread Doug Beattie via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+doug.beattie=globalsign@lists.mozilla.org] On Behalf Of > Gervase Markham via dev-security-policy > Sent: Monday, May 15, 2017 9:16 AM > To: Jakob Bohm ;

Re: Aetna and UniCredit audits

2017-05-15 Thread Gervase Markham via dev-security-policy
On 15/05/17 12:54, Kurt Roeckx wrote: > At least it's technically constrained. Ah yes, you are right. Not nearly such an issue, then. Gerv

Re: April CA Communication: Results

2017-05-15 Thread Gervase Markham via dev-security-policy
On 15/05/17 14:07, Jakob Bohm wrote: > 1. Microsoft's e-mail clients were very late to accept stronger > signature algorithms for e-mails (including e-mails sent by users of > non-problematic e-mail clients). I believe Globalsign's page about > SHA256-transition for customers provides a

Re: Aetna and UniCredit audits

2017-05-15 Thread Adriano Santoni via dev-security-policy
Right. Not very recently: in October 2016; it is technically-constrained, and expires this October. Il 15/05/2017 12:52, Gervase Markham via dev-security-policy ha scritto: Also, am I right in thinking that Actalis has recently cross-signed

Re: April CA Communication: Results

2017-05-15 Thread Kurt Roeckx via dev-security-policy
On 2017-05-15 13:40, Gervase Markham wrote: * (Q13) Many CAs plan to stop issuing SHA-1 S/MIME by the end of this year. CAs without a firm date are: Comodo, GlobalSign, SECOM, TWCA, and Visa. A couple of these CAs hint that an industry deadline to stop would help their customers see the need to

Re: Aetna and UniCredit audits

2017-05-15 Thread Kurt Roeckx via dev-security-policy
On 2017-05-15 12:52, Gervase Markham wrote: Symantec never received any formal audits from UniCredit; I am trying to get hold of the informal ones. Their participation in the GeoRoot program started in January 2012: https://crt.sh/?CN=UniCredit+Subordinate+External So both organizations had

April CA Communication: Results

2017-05-15 Thread Gervase Markham via dev-security-policy
With two exceptions (neither of which have the websites trust bit set), all answers are now in from the April 2017 CA Communication. You can find links to the answers here: https://wiki.mozilla.org/CA/Communications#April_2017_Responses Some highlights for the community's attention: * (Q1) It

CA Problem Reporting Mechanisms

2017-05-15 Thread Gervase Markham via dev-security-policy
Hi all, One of the CA Communication questions was about the Problem Reporting Mechanisms that CAs are supposed to have. The answers are here: https://mozillacaprogram.secure.force.com/Communications/CACommResponsesOnlyReport?CommunicationId=a05o03WrzBC=Q00028 I would love it if someone would

Aetna and UniCredit audits

2017-05-15 Thread Gervase Markham via dev-security-policy
Symantec have supplied the audits for their GeoRoot partner "Aetna": https://bug1334377.bmoattachments.org/attachment.cgi?id=8867397 https://bug1334377.bmoattachments.org/attachment.cgi?id=8867398 The community might find them interesting reading. These audits are the only ones Symantec received