On Fri, Nov 9, 2018 at 7:05 AM Nick Pope via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> I am asking that we get a clear statement of what you would like to see
> from EU audits based on ETSI standards and so that we (European Auditors
> and ETSI) can come back with a
On Thu, Nov 8, 2018 at 8:51 PM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Over the years, there has been some variation among participants in how
> harshly individual mistakes by CAs should be judged, ranging from "just
> file a satisfactory incident
I'm not convinced there is an answer here. It seems that most would agree
with the premise that we should consider the circumstances and context for
an issue and make a balanced assessment. That leaves the matter of what
this means in practice up for debate. Often, it appears to be a debate
It might be helpful for me to provide a better explanation of the thinking
that went into my recommendation:
The timeline of the Internal Name incident is as follows:
* Identrust appears to have stopped issuing certificates containing .INT
names prior to the BR deadline.
* They then failed to
On 09/11/2018 15:52, Hanno Böck wrote:
On Fri, 9 Nov 2018 14:56:41 +0100
Jakob Bohm via dev-security-policy
wrote:
However there are also some very harsh punishments handed out, such as
distrusting some CAs (most notably happened to Symantec and WoSign,
but others are also teetering), and
I am asking that we get a clear statement of what you would like to see from EU
audits based on ETSI standards and so that we (European Auditors and ETSI) can
come back with a considered response on how we can meet your concerns. Rather
than saying what a particular individual person thinks, we
Jakob Bohm wrote "Each of these arguments for maximum punishment and/or
maximum inconvenience for innocent bystanders is backed by a formal/legal
interpretation of existing rules as making this the only possible outcome."
I'd agree - heavy-handed, strict enforcement of some rules unnecessarily
On Fri, 9 Nov 2018 14:56:41 +0100
Jakob Bohm via dev-security-policy
wrote:
> However there are also some very harsh punishments handed out, such as
> distrusting some CAs (most notably happened to Symantec and WoSign,
> but others are also teetering), and distrusting auditors (most notably
>
If Google had not started the process of Symantec distrust, Mozilla would never
have come to this step, I think.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
On 09/11/2018 12:44, westmai...@gmail.com wrote:
I think that punishments of the CAs that already exist in the Mozilla Root Store
are very mild, and some CAs often do not pay any attention to this...
However there are also some very harsh punishments handed out, such as
distrusting some CAs
I think that punishments of the CAs that already exist in the Mozilla Root Store
are very mild, and some CAs often do not pay any attention to this...