Re: Policy Update Proposal -- Specify audit criteria according to trust bit

2015-10-28 Thread Kathleen Wilson
On 10/19/15 4:34 PM, Kathleen Wilson wrote: Therefore, I also propose that we don't separate out the audit criteria according to trust bit in version 2.3 of the policy. Rather, the separation will be part of another effort to create a separate S/MIME policy in 2016. This means that the

Re: Policy Update Proposal -- Specify audit criteria according to trust bit

2015-10-19 Thread Kathleen Wilson
On 9/21/15 7:07 PM, Kathleen Wilson wrote: In https://wiki.mozilla.org/CA:CertificatePolicyV2.3 The proposal is: (D27) Clarify which audit criteria are required depending on which trust bits are set. In particular, root certs with only the S/MIME trust bit set will have different audit

Re: Policy Update Proposal -- Specify audit criteria according to trust bit

2015-10-12 Thread Gervase Markham
On 08/10/15 09:56, Gervase Markham wrote:
> A major CA was kind enough to share their numbers with me. They said:
>
> "We issued 275,000 client/smime certificates in the last year as soft
> certificates – i.e. not on smart-cards/tokens.

And another one (not a root CA, but a sub-CA of a root in

Re: Policy Update Proposal -- Specify audit criteria according to trust bit

2015-10-08 Thread Gervase Markham
On 22/09/15 05:07, Kathleen Wilson wrote:
> First, we need to determine if the Email trust bit should remain part of
> Mozilla's CA Certificate Policy.

One perhaps somewhat relevant piece of information in this discussion is whether anyone is using S/MIME. After all, if no-one is using it,

Re: Policy Update Proposal -- Specify audit criteria according to trust bit

2015-09-22 Thread Kathleen Wilson
On 9/22/15 11:37 AM, R Kent James wrote: On 9/21/2015 7:07 PM, Kathleen Wilson wrote: As we did with the discussion about the code signing trust bit, let's list the arguments for and against removing references to the Email trust bit from Mozilla's CA Certificate Policy. The main comment that

Re: Policy Update Proposal -- Specify audit criteria according to trust bit

2015-09-22 Thread Kurt Roeckx
On Mon, Sep 21, 2015 at 07:07:07PM -0700, Kathleen Wilson wrote:
>
> First, we need to determine if the Email trust bit should remain part of
> Mozilla's CA Certificate Policy.

I'm really concerned about this. S/MIME and PGP are the only (popular) ways to do encryption over email. The

Re: Policy Update Proposal -- Specify audit criteria according to trust bit

2015-09-22 Thread Phillip Hallam-Baker
On Tue, Sep 22, 2015 at 4:47 AM, Brian Smith wrote:
> Kathleen Wilson wrote:
>
> > Arguments for removing the Email trust bit:
> > - Mozilla's policies regarding Email certificates are not currently
> > sufficient.
> > - What else?
> >
> >
> * It isn't

Re: Policy Update Proposal -- Specify audit criteria according to trust bit

2015-09-22 Thread Brian Smith
Kathleen Wilson wrote:
> Arguments for removing the Email trust bit:
> - Mozilla's policies regarding Email certificates are not currently
> sufficient.
> - What else?
>
>

* It isn't clear that S/MIME using certificates from publicly-trusted CAs is a model of email security