Re: Identrust Commercial Root CA 1 EV Request

2018-10-15 Thread nicholas.hatch--- via dev-security-policy
On February 21 2018, I reported an unexpired certificate to Identrust which contained SAN entries for several invalid .INT domains: https://crt.sh/?id=7852280 They acknowledged and revoked the certificate in a timely manner. However, I find this event particularly bothersome: - This

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-15 Thread Kathleen Wilson via dev-security-policy
On 10/15/18 11:01 AM, Kathleen Wilson wrote: I have added the following section to the Required Practices wiki page: https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#BR_Commitment_to_Comply_statement_in_CP.2FCPS I will continue to appreciate feedback on this update. Thanks,

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-15 Thread Jakob Bohm via dev-security-policy
On 15/10/2018 20:01, Kathleen Wilson wrote: I have added the following section to the Required Practices wiki page: https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#BR_Commitment_to_Comply_statement_in_CP.2FCPS

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-15 Thread Kathleen Wilson via dev-security-policy
I have added the following section to the Required Practices wiki page: https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#BR_Commitment_to_Comply_statement_in_CP.2FCPS I will continue to appreciate feedback on this update. Thanks, Kathleen

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-15 Thread Kathleen Wilson via dev-security-policy
On 10/15/18 12:48 AM, Pedro Fuentes wrote: Hello, I've a question closely related to this. I'd appreciate guidance. I'm refactoring our CP & CPS documents considering that a CA can issue different types of certificates, so there would be multiple CPs and one CPS. My strategy is that if the

Re: Violation report - Comodo CA certificates revocation delays

2018-10-15 Thread Jakob Bohm via dev-security-policy
On 12/10/2018 20:01, Rob Stradling wrote: On 12/10/18 16:40, Ryan Sleevi via dev-security-policy wrote: On Fri, Oct 12, 2018 at 8:33 AM Ben Laurie wrote: This is one of the reasons we also need revocation transparency. As tempting as the buzzword is, and as much as we love motherhood and

undisclosed intermediate certificate

2018-10-15 Thread jurg.eiholzer--- via dev-security-policy
The following incident report regarding the item of undisclosed certificates has recently been posted to https://bugzilla.mozilla.org/show_bug.cgi?id=1455132 1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a

Re: CCADB System Upgrades October 15, 8am-6pm Pacific Time

2018-10-15 Thread Kathleen Wilson via dev-security-policy
All, The CCADB system upgrades are in progress, so there will be limited functionality today. Best to avoid logging into CCADB today if you can. Kathleen

Re: Mitigating DNS fragmentation attacks

2018-10-15 Thread Tom Ritter via dev-security-policy
On Mon, 15 Oct 2018 at 04:51, Paul Wouters via dev-security-policy wrote: > > On Oct 14, 2018, at 21:09, jsha--- via dev-security-policy > wrote: > > > > There’s a paper from 2013 outlining a fragmentation attack on DNS that > > allows an off-path attacker to poison certain DNS results using

Re: Incident Report - Misissuance of one certificate without DNS CAA authorization (Certigna)

2018-10-15 Thread josselin.allemandou--- via dev-security-policy
Hello, The decision was taken at one of our security committees where all changes and developments that could impact the practices and compliance of our authority are validated. This is why all the actors of these security committees have been made aware of the incident and the fact that we

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-15 Thread Pedro Fuentes via dev-security-policy
Hello, I've a question closely related to this. I'd appreciate guidance. I'm refactoring our CP & CPS documents considering that a CA can issue different types of certificates, so there would be multiple CPs and one CPS. My strategy is that if the stipulation is defined in one of the document