On Mon, Aug 20, 2018 at 05:28:15PM -0700, Michael Casadevall via
dev-security-policy wrote:
> On 08/19/2018 12:56 PM, Eric Mill via dev-security-policy wrote:
> > The trend is away from manual replacement, not towards it -- and that's
> > true for individual people, for large enterprises, and for
This request is for inclusion of the Google Trust Services R1, R2, R3, and
R4 roots as documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1325532
Google’s application states:
Google is a commercial CA that will provide certificates to customers from
around the world.
On Thu, Aug 23, 2018 at 8:50 AM, Andy Warner via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> * NOTE: The bug was due to an 'if/else' chain fall through. The code in
> question has been refactored to be simpler and more readable.
>
Andy,
It might be good for the
Google provides SCTs via embedding and during SSL handshaking depending on
the certificate and how it is served. In this case, all of the affected
certs used embedded SCTs and the issue was the selection of which SCTs to
include because we submit to more CT logs than required, but only embed the
On Thu, 23 Aug 2018 05:50:05 -0700 (PDT)
Andy Warner via dev-security-policy
wrote:
> May 21st 2018, a new tool for issuing certificates within Google was
> made available to internal customers. Within hours we started to
> receive reports that Chrome Canary (v67) with Certificate
> Transparency
Correct, we do not believe there was a policy violation, we're proactively
sharing in the interest of transparency and knowledge sharing.
I believe there is additional information we could share about how we've
modified testing to ensure compliance with Chrome and Safari's SCT
inclusion rules and
Hi Andy,
Just so I follow, this is something you're proactively sharing, right? As
far as I can tell, there's no violation of any Mozilla Root Program rules
here, just an issue that caused interstitials in Chrome.
Either way, I appreciate your sharing.
You mentioned the issue was due to some
Please note, Google wrote this report for internal use immediately after the
issue. We intended to post it to m.d.s.p at that time, but securing internal
approvals took a while and the posting ended up on the back burner for a bit.
It was a minor issue, but we want the community to be aware of
Also curious what validation methods should be used for OU and E when Mozilla
policy 2.2.1 is...
"All information that is supplied by the certificate subscriber MUST be
verified by using an independent source of information"
...and you say that no potentially inaccurate information is allowed