Re: Reply: Certificate Problem Report (9WG: CFCA certificate with invalid domain)

2019-03-01 Thread David E. Ross via dev-security-policy
On 2/28/2019 7:45 PM, 孙圣男 wrote: > Dear Mozilla: > This problem has been confirmed. We contacted the customer and > confirmed this certificate hasn't been deployed to the production system; no > damage has been caused. This certificate was revoked on March 1, 2019. We had > fixed this bug in

Re: Request to Include Hongkong Post Root CA 3

2019-01-14 Thread David E. Ross via dev-security-policy
On 1/14/2019 4:18 PM, Wayne Thayer wrote: > This request is for inclusion of the Government of Hong Kong, Hongkong > Post, Certizen Hongkong Post Root CA 3 trust anchor as documented in the > following bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1464306 > > * BR Self Assessment is here: >

Re: Certigna Root Renewal Request

2018-10-24 Thread David E. Ross via dev-security-policy
On 10/24/2018 1:07 PM, Wayne Thayer wrote: > On Tue, Oct 23, 2018 at 1:46 PM David E. Ross via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> On 10/23/2018 11:45 AM, Wayne Thayer wrote: >>> I believe that the discussion over Certigna's r

Re: Certigna Root Renewal Request

2018-10-23 Thread David E. Ross via dev-security-policy
On 10/23/2018 11:45 AM, Wayne Thayer wrote: > I believe that the discussion over Certigna's reported CAA misissuance > [1][2] has reached an end, even though some questions remain unanswered. If > anyone has additional comments or concerns about this inclusion request, > please respond by Friday

Re: InfoCert Acquisition of Camerfirma

2018-09-26 Thread David E. Ross via dev-security-policy
On 9/26/2018 3:21 PM, Wayne Thayer wrote: > I've held this discussion open for much longer than 3 weeks due to the > qualified audit reports that were received from Camerfirma. Since no > objections to the acquisition have been raised and the audit issues are > being discussed separately [1][2], I

NSS Updates

2018-09-14 Thread David E. Ross via dev-security-policy
When the NSS database is next updated, is it possible to get a copy of the resulting file and install it in my SeaMonkey 2.49.4 profile without waiting for a new version of SeaMonkey? Can the same file be installed in my Thunderbird 52.8.0 profile? Note that I am unlikely to update Thunderbird

Re: Request to Include SHECA UCA Global G2 Root and UCA Extended Validation Root

2018-08-31 Thread David E. Ross via dev-security-policy
On 8/31/2018 4:19 PM, Wayne Thayer wrote [in part]: > * A few unrevoked certificates with IP Addresses encoded as DNSName type in > the SAN [4]. I reported these to SHECA in this bug and they said that they > would revoke them, but as of this writing they are still valid. This public comment

Re: Audits for new subCAs

2018-03-23 Thread David E. Ross via dev-security-policy
On 3/23/2018 11:34 AM, Wayne Thayer wrote: > Recently I've received a few questions about audit requirements for > subordinate CAs newly issued from roots in our program. Mozilla policy > section 5.3.2 requires these to be disclosed "within a week of certificate > creation, and before any such

Re: AC Camerfirma Chambers of Commerce and Global Chambersign 2016 Root Inclusion Request

2018-03-02 Thread David E. Ross via dev-security-policy
On 3/2/2018 2:05 PM, Wayne Thayer wrote [in part]: [snipped] NOTE: The fact that I have snipped some of the items under "==Bad==" does not mean I consider them unimportant. However, the items on which I comment I consider to be most important. > ==Bad== > * The inclusion request

Re: GlobalSign certificate with far-future notBefore

2018-01-23 Thread David E. Ross via dev-security-policy
On 1/23/2018 2:55 PM, Jonathan Rudenberg wrote: > A certificate issued by GlobalSign showed up in CT today with a notBefore > date of March 21, 2018 and a notAfter date of April 23, 2021, a validity > period of ~1129 days (more than three years). > > https://crt.sh/?id=311477948=zlint > > CA/B

Re: Google OCSP service down

2018-01-21 Thread David E. Ross via dev-security-policy
On 1/21/2018 9:50 AM, Ryan Sleevi wrote: > I couldn’t find that listed in the CP/CPS as where to report problems. > Instead, I see a different email listed. > > What made you decide to ignore the CP/CPS, which is where CAs list their > problem reporting mechanisms? > > Given that a CA’s CP/CPS

Re: Google OCSP service down

2018-01-21 Thread David E. Ross via dev-security-policy
On 1/21/2018 7:47 AM, Paul Kehrer wrote: > Is there a known contact to report it (or is someone with a Google hat > reading this anyway)? On Friday (two days ago), I reported this to dns-ad...@google.com, the only E-mail address in the WhoIs record for google.com. I received an automated reply

Re: Serial number length

2017-12-29 Thread David E. Ross via dev-security-policy
On 12/28/2017 10:33 PM, Peter Bowen wrote: > On Thu, Dec 28, 2017 at 10:24 PM, Jakob Bohm via dev-security-policy > wrote: >> After looking at some real certificates both in the browser and on crt.sh, I >> have some followup questions on certificate serial

Re: Draft Security Blog about v2.5 of Root Store Policy

2017-09-06 Thread David E. Ross via dev-security-policy
On 9/6/2017 11:22 AM, Kathleen Wilson wrote [in part]: > * Our policy on root certificates being transferred from one > organization or location to another has been updated and included in > the main policy. Trust is not transferable; Mozilla will not > automatically trust the purchaser of a root

Let's Encrypt and Wildcard Domains

2017-08-28 Thread David E. Ross via dev-security-policy
I just read mention that Let's Encrypt will be enabling wildcard domains, possibly by the end of this year. Is this not a violation of Mozilla policy? I saw this in the eternal-september.support newsgroup, which is available only via the news.eternal-september.org NNTP server. The thread

Re: Certificates with less than 64 bits of entropy

2017-08-11 Thread David E. Ross via dev-security-policy
On 8/11/2017 7:26 AM, Ben Wilson wrote: > > With regard to Siemens, given the large number of certificates and > the disruption that massive revocations will have on their > infrastructure, what does this community expect them to do? > Each violation of published requirements for the operation

Re: Certificates with metadata-only subject fields

2017-08-09 Thread David E. Ross via dev-security-policy
On 8/9/2017 2:54 PM, Jonathan Rudenberg wrote: > >> On Aug 9, 2017, at 17:50, Peter Bowen wrote: >> >> The point of certlint was to help identify issues. While I appreciate >> it getting broad usage, I don't think pushing for revocation of every >> certificate that trips any

Re: CA Problem Reporting Mechanisms

2017-08-08 Thread David E. Ross via dev-security-policy
On 8/7/2017 8:09 PM, Jonathan Rudenberg wrote: > >> On May 17, 2017, at 07:24, Gervase Markham via dev-security-policy >> wrote: >> >> On 16/05/17 02:26, userwithuid wrote: >>> After skimming the responses and checking a few CAs, I'm starting to >>>

Re: Final Decision by Google on Symantec

2017-07-28 Thread David E. Ross via dev-security-policy
On 7/28/2017 6:34 AM, Alex Gaynor wrote: > Frankly I was surprised to see Chromium reverse course on this -- they have > a history of aggressive leadership in their handling of CA failures, it's a > little disappointing to see them abandon that. > > I'd strongly advocate for us perusing an

Expired Certificates Listed by Certificate Manager

2017-07-25 Thread David E. Ross via dev-security-policy
Under the Servers tab for Certificate Manager, I see several root certificates whose expiration dates have passed. I believe these were all marked untrusted at one time. For example, I see six DigiNotar certificates, CNNIC's MCSHOLDING TEST, Equifax's MD5 Collisions, among others. Is it safe to

Re: [EXT] Symantec Update on SubCA Proposal

2017-07-19 Thread David E. Ross via dev-security-policy
On 7/19/2017 8:31 AM, Steve Medin wrote: >> -Original Message- >> From: dev-security-policy [mailto:dev-security-policy- >> bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of >> Jakob Bohm via dev-security-policy >> Sent: Tuesday, July 18, 2017 4:39 PM >> To:

Re: Policy 2.5 Proposal: Make it clear that Mozilla policy has wider scope than the BRs

2017-06-08 Thread David E. Ross via dev-security-policy
On 6/8/2017 2:38 AM, Gervase Markham wrote: > On 02/06/17 11:28, Gervase Markham wrote: >> Proposal: add a bullet to section 2.3, where we define BR exceptions: >> >> "Insofar as the Baseline Requirements attempt to define their own scope, >> the scope of this policy (section 1.1) overrides that.

Re: An alternate perspective on Symantec

2017-06-06 Thread David E. Ross via dev-security-policy
On 6/6/2017 12:10 PM, Peter Kurrasch wrote: > Over the past months there has been much consternation over Symantec and > the idea of "too big to fail". That is a reasonable idea but makes > difficult the discussion of remedies for Symantec's past behavior: How > does one impose a meaningful

Re: Policy 2.5 Proposal: Make it clear that Mozilla policy has wider scope than the BRs

2017-06-02 Thread David E. Ross via dev-security-policy
On 6/2/2017 3:28 AM, Gervase Markham wrote: > The scope of the BRs is ambiguous, and almost certainly smaller than the > scope of the Mozilla policy. It might be useful to explicitly draw > attention to that fact, for the avoidance of doubt. > > Proposal: add a bullet to section 2.3, where we

Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-26 Thread David E. Ross via dev-security-policy
The subject is the title of a Slashdot article posted today. The article can be accessed at . The article contains two links. One is to a Bleeping Computer article that gives

Re: Intermediates Supporting Many EE Certs

2017-02-13 Thread David E. Ross via dev-security-policy
On 2/13/2017 8:17 AM, Steve Medin wrote: > Getting all user agents with interest in issuance limits to implement > the CA Issuers form of AIA for dynamic path discovery and educating > server operators to get out of the practice of static chain > installation on servers would make CA rollovers