Re: Email sub-CAs

Hi Doug, On 18/05/17 12:03, Doug Beattie wrote: > I'm still looking for audit guidance on subordinate CAs that have EKU > of Server auth and/or Secure Mail along with name constraints. Do > these need to be audited? > > I'm looking at this: >

RE: Email sub-CAs

-policy > Sent: Monday, May 8, 2017 12:47 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: RE: Email sub-CAs > > Hi Gerv, > > I wanted to get the latest Mozilla thoughts on the audit requirements for > TCSCs based on the discussion we started last month. I

RE: Email sub-CAs

On Behalf Of > douglas.beattie--- via dev-security-policy > Sent: Thursday, April 13, 2017 12:33 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Email sub-CAs > > On Thursday, April 13, 2017 at 10:49:17 AM UTC-4, Gervase Markham wrote: > > On 13/04/17 14:23,

Re: Email sub-CAs

On 05/05/17 18:58, Peter Bowen wrote: >> Right now the policy does not require disclosure of CA-certificates >> that the CA deems are technically constrained. I believe this was made the case for some mix of the following reasons: a) the CA did not want to reveal every customer it had; b) this

Re: Email sub-CAs

(Resending as the attached file was too large) On Fri, May 5, 2017 at 10:46 AM, Peter Bowen wrote: > On Thu, Apr 20, 2017 at 3:01 AM, Gervase Markham via > dev-security-policy wrote: >> On 15/04/17 17:05, Peter Bowen wrote: >>> Should

Re: Email sub-CAs

On 15/04/17 17:05, Peter Bowen wrote: > Should the Mozilla policy change to require disclosure of all CA > certificates issued by an unconstrained CA (but not necessarily > require audits, CP/CPS, etc)? This would help identify unintentional > gaps in policy.

Re: Email sub-CAs

On 15/04/17 17:05, Peter Bowen via dev-security-policy wrote: On Thu, Apr 13, 2017 at 9:33 AM, douglas.beattie--- via dev-security-policy wrote: On Thursday, April 13, 2017 at 10:49:17 AM UTC-4, Gervase Markham wrote: On 13/04/17 14:23, Doug Beattie

Re: Email sub-CAs

On Thu, Apr 13, 2017 at 9:33 AM, douglas.beattie--- via dev-security-policy wrote: > On Thursday, April 13, 2017 at 10:49:17 AM UTC-4, Gervase Markham wrote: >> On 13/04/17 14:23, Doug Beattie wrote: >> > There is no statement back to scope or corresponding

Re: Email sub-CAs

On Thursday, April 13, 2017 at 10:49:17 AM UTC-4, Gervase Markham wrote: > On 13/04/17 14:23, Doug Beattie wrote: > > In 3.2 the term Technically Constrained is not defined to be any > > different than the BRs (or perhaps even less restrictive). > > You mean 2.3, right? Yes, 2.3. > I would say

Re: Email sub-CAs

On Thu, Apr 13, 2017 at 10:48 AM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > > Section 3.1.2.1 specifies that any CA capable of issuing secure email > > certificates must have a "WebTrust for CAs" audit (or corresponding > > ETSI audit). This is a

Re: Email sub-CAs

On 13/04/17 14:23, Doug Beattie wrote: > In 3.2 the term Technically Constrained is not defined to be any > different than the BRs (or perhaps even less restrictive). You mean 2.3, right? I would say Inclusion section, bullet 9 gives the definition of technically constrained. For email certs,