Re: Old roots to new roots best practice?

2017-09-28 Thread Gervase Markham via dev-security-policy
On 20/09/17 03:49, userwithuid wrote: >> I agree, Gerv's remarks are a bit confusing with respect to the concern. Ryan is polite. :-) > Wrt to the StartCom bulletpoint, I guess this was a mistake on Mozilla's part > then and should probably be acknowledged as such, @Gerv. Yes, I acknowledge

Re: Old roots to new roots best practice?

2017-09-19 Thread userwithuid via dev-security-policy
On Monday, September 18, 2017 at 1:58:03 AM UTC, Ryan Sleevi wrote: > I agree, Gerv's remarks are a bit confusing with respect to the concern. > You are correct that the process of establishing a new root generally > involves the creation of a self-signed certificate, and then any > cross-signing

Re: Old roots to new roots best practice?

2017-09-18 Thread Ryan Sleevi via dev-security-policy
;mozilla-dev-security-pol...@lists.mozilla.org> > Subject: Re: Old roots to new roots best practice? > > Hi there, > > I agree, Gerv's remarks are a bit confusing with respect to the concern. > You are correct that the process of establishing a new root generally > involves t

RE: Old roots to new roots best practice?

2017-09-18 Thread Ben Wilson via dev-security-policy
To: userwithuid <userwith...@gmail.com> Cc: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org> Subject: Re: Old roots to new roots best practice? Hi there, I agree, Gerv's remarks are a bit confusing with respect to the concern. You are correct that the process of

Re: Old roots to new roots best practice?

2017-09-17 Thread Ryan Sleevi via dev-security-policy
Hi there, I agree, Gerv's remarks are a bit confusing with respect to the concern. You are correct that the process of establishing a new root generally involves the creation of a self-signed certificate, and then any cross-signing that happens conceptually creates an 'intermediate' - so you have

Re: Old roots to new roots best practice?

2017-09-17 Thread userwithuid via dev-security-policy
Forgot the links: [1] https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/hNOJJrN6WfE [2] https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/RJHPWUd93xE/RqnC3brRBQAJ [3] https://crt.sh/?spkisha256=fbe3018031f9586bcbf41727e417b7d1c45c2f47f93be372a17b96b50757d5a2

Old roots to new roots best practice?

2017-09-17 Thread userwithuid via dev-security-policy
Quoting Gerv from the latest StartCom thread [1]: "* The key for their new root certificate was also used in a couple of intermediates (one revoked as it was done incorrectly - again, lack of testing!). While this is probably not a policy violation, it's not good practice." Everyone including