Re: SSL.com root inclusion request

2017-10-12 Thread Andrew R. Whalley via dev-security-policy
Greetings, I have reviewed SSLcom_CP_CPS_Version_1_2_1 and made the following notes: 1.3. CA diagrams are useful, thanks. 1.3.2 "SSL.com may delegate the performance of *all or any* part of these requirements to a Delegated Third Party" though the BRs preclude sections 3.2.2.4 and 3.2.2.5. -

Re: TrustCor root inclusion request

2017-08-17 Thread Andrew R. Whalley via dev-security-policy
Thanks Neil, I've looked over the updated CP and CPS documents and have no further comments or questions. Cheers, Andrew On Tue, Aug 15, 2017 at 12:18 PM, Neil Dunbar via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Andrew, > > SHA-1 has been removed from the TrustCor

Re: TrustCor root inclusion request

2017-08-10 Thread Andrew R. Whalley via dev-security-policy
Greetings, I have reviewed TrustCor's CP and CPS (both at version 1.3.1) and made the following notes: *CP* (http://www.trustcor.ca/resources/cp.pdf) 1.6.3 1.6.4 Nit: Section 1.1 says that "Sections which do not apply to TrustCor CA, or where TrustCor CA makes no authoritative statement, will

Re: Symantec: Update

2017-05-10 Thread Andrew R. Whalley via dev-security-policy
On Wed, May 10, 2017 at 2:06 PM, mono.riot--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Wednesday, May 10, 2017 at 7:59:37 PM UTC+2, Itzhak Daniel wrote: > > The next step, if Symantec wish to continue to use their current PKI in > the future, should be logging

Re: Include Renewed Kamu SM root certificate

2017-03-03 Thread Andrew R. Whalley via dev-security-policy
Hello, I've read through the English language version of CP/CPS dated March 30, 2016 version 1 and made the following notes: No version history at the front of the document. This is not required, but is evidence of good document change management and is a useful reference to see what's changed when

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-10-19 Thread Andrew R. Whalley
com> wrote: > On Tuesday, September 27, 2016 at 4:15:00 AM UTC+8, Andrew R. Whalley wrote: > > Hello, > > > > I have completed a read through of the English translations of the CP > > (v1.2) and CPS (v4.1). Before I post my comments I wanted to see if there > > were any more recent translat

Re: Is Firefox SHA-1 Deprecation Policy configurable?

2016-09-19 Thread Andrew R. Whalley
For Chrome, there's the EnableSha1ForLocalAnchors policy that was introduced in Chrome 54. That will operate as described here. Andrew On Sat, Sep 17, 2016 at 10:49 AM, wrote: > I think

Re: Amazon Root Inclusion Request

2016-08-10 Thread Andrew R. Whalley
Here are the notes from my read-through. I commend Amazon for the clarity of their CP and CPS. Reviewed Amazon Trust Services Certificate Policy Version 1.0.3 "This [CP] is intended to communicate the minimum operating requirements for CAs in the Amazon PKI. By design, it closely follows the

Re: Japan GPKI Root Renewal Request

2016-08-10 Thread Andrew R. Whalley
On Fri, Aug 5, 2016 at 5:39 AM, Peter Kurrasch wrote: > Kathleen-- > > As I understand it, the request is for only CA2(Root) to be included in > the trust store. Is that correct? > > The CP/CPS document submitted for the CA2(Root) hardly seems sufficient to > satisfy anyone for

TSYS Application for SHA-1 Issuance - Counter-cryptanalysis

2016-07-19 Thread Andrew R. Whalley
Greetings, I have run the tool provided by dr.ir. Marc Stevens [1] on the tbsCertificates provided by Symantec [2] And see no evidence of collisions: $ ./sha1dcsum_partialcoll *.tbs 6ead26663275c388662dfdbc23ff0a76cdcf74dc ssl1.tsysacquiring.net.1.tbs 3365793f36c197047b2f595c0f85c67b807c765f

Re: DocuSign (OpenTrust/Keynectis/Certplus) root renewal request

2016-05-04 Thread Andrew R. Whalley
Thank you Erwann. I have no other questions at this time. On Thu, Apr 28, 2016 at 7:13 AM, Erwann Abalea wrote: > Hello, > > On Friday, April 8, 2016 at 01:38:09 UTC+2, awha...@google.com wrote: > > OpenTrust has requested EV treatment in Chrome, with bug: >

Re: ComSign Root Renewal Request

2016-04-04 Thread Andrew R. Whalley
It looks like https://fedir.comsign.co.il/test.html is trusted by OS X, which for me meets the criteria for a Publicly‐Trusted Certificate. That certificate was issued on 2nd Feb, so I presume the 90 day clock is ticking. Andrew R. Whalley | Crypto Wrangler | Chrome Networking and Security

Re: SHA-1 S/MIME certificates

2016-03-30 Thread Andrew R. Whalley
On Wed, Mar 30, 2016 at 2:23 PM, Kathleen Wilson wrote: > On 3/30/16 1:53 PM, Jeremy Rowley wrote: > >> I think a required move away from SHA1 client certs requires a bit more >> planning. >> >> 1) There hasn't been a formal deprecation of all SHA-1 certificates in >> any

Re: FNMT Root Inclusion Request

2016-03-21 Thread Andrew R. Whalley
Hello Rafa, Thank you for your reply. The background to my question was really about ensuring ongoing compliance. I believe that an initial audit to verify that no TLS certificate has ever been issued by "AC FNMT Usuarios", and a recurring annual audit to confirm that remains so, is acceptable.