RE: Violations of Baseline Requirements 4.9.10

2017-11-14 Thread Paul Kehrer via dev-security-policy
Hi Ben, DN: CN=Cartão de Cidadão 001, OU=ECEstado, O=SCEE - Sistema de Certificação Electrónica do Estado, C=PT Downloading the issuer (https://crt.sh/?id=8949008) and then running: openssl ocsp -issuer 8949008.crt -serial 101010101010101101010101010 -no_nonce -url

RE: Violations of Baseline Requirements 4.9.10

2017-11-14 Thread Ben Wilson via dev-security-policy
Could someone re-check Multicert and SCEE? (See below.) They have indicated to us that they have now patched their OCSP responder systems. DN: CN=Cartão de Cidadão 001, OU=ECEstado, O=SCEE - Sistema de Certificação Electrónica do Estado, C=PT Example cert: https://crt.sh/?id=12729446 OCSP

Forbidden Practices: Subscriber key generation

2017-11-14 Thread Doug Beattie via dev-security-policy
Hi Gerv and Kathleen, We're working on the Mozilla CA self-assessment checklist and referenced requirements you have placed on CAs. On your page of Forbidden or Problematic Practices [1], you state that CAs must not generate private keys for signer certificates. CAs must never generate the

Re: .tg Certificates Issued by Let's Encrypt

2017-11-14 Thread josh--- via dev-security-policy
On Tuesday, November 14, 2017 at 8:31:34 AM UTC-8, Kathleen Wilson wrote: > On 11/14/17 4:34 AM, douglas...@gmail.com wrote: > > > > Do we believe that this issue has been resolved by the Registry and > > issuance can resume as normal, or are there ongoing concerns which CAs > > should be aware

Re: Swiss Government root inclusion request

2017-11-14 Thread westmail24--- via dev-security-policy
Hello Wayne, for me the link to the pdf file works correctly from Google Chrome ver. 49, but I cannot load this file in my post...

Re: .tg Certificates Issued by Let's Encrypt

2017-11-14 Thread Kathleen Wilson via dev-security-policy
On 11/14/17 4:34 AM, douglas.beat...@gmail.com wrote: Do we believe that this issue has been resolved by the Registry and issuance can resume as normal, or are there ongoing concerns which CAs should be aware of when issuing certificates to .tg domains? Based on information from folks that

Re: .tg Certificates Issued by Let's Encrypt

2017-11-14 Thread Kathleen Wilson via dev-security-policy
On 11/13/17 7:22 PM, Jakob Bohm wrote: Wouldn't the .tg incident be equally relevant for the e-mail trust bit? (In which case the first 3 options should say TLS/SSL/e-mail) Good point. To make it easier, I removed "TLS/SSL", and changed text to "certificates containing .tg domains".

Re: .tg Certificates Issued by Let's Encrypt

2017-11-14 Thread douglas.beattie--- via dev-security-policy
On Monday, November 6, 2017 at 6:40:58 AM UTC-5, Ben Laurie wrote: > On 4 November 2017 at 19:54, Kathleen Wilson via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > On 11/4/17 5:36 AM, Daniel Cater wrote: > > > > I think those CAs need to re-validate their recently