Hi Doug,
On 18/05/17 12:03, Doug Beattie wrote:
> I'm still looking for audit guidance on subordinate CAs that have EKU
> of Server auth and/or Secure Mail along with name constraints. Do
> these need to be audited?
>
> I'm looking at this:
>
-policy
> Sent: Monday, May 8, 2017 12:47 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: RE: Email sub-CAs
>
> Hi Gerv,
>
> I wanted to get the latest Mozilla thoughts on the audit requirements for
> TCSCs based on the discussion we started last month. I
On Behalf Of
> douglas.beattie--- via dev-security-policy
> Sent: Thursday, April 13, 2017 12:33 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Email sub-CAs
>
> On Thursday, April 13, 2017 at 10:49:17 AM UTC-4, Gervase Markham wrote:
> > On 13/04/17 14:23,
On 05/05/17 18:58, Peter Bowen wrote:
>> Right now the policy does not require disclosure of CA-certificates
>> that the CA deems are technically constrained.
I believe this was made the case for some mix of the following reasons:
a) the CA did not want to reveal every customer it had;
b) this
(Resending as the attached file was too large)
On Fri, May 5, 2017 at 10:46 AM, Peter Bowen wrote:
> On Thu, Apr 20, 2017 at 3:01 AM, Gervase Markham via
> dev-security-policy wrote:
>> On 15/04/17 17:05, Peter Bowen wrote:
>>> Should
On 15/04/17 17:05, Peter Bowen wrote:
> Should the Mozilla policy change to require disclosure of all CA
> certificates issued by an unconstrained CA (but not necessarily
> require audits, CP/CPS, etc)? This would help identify unintentional
> gaps in policy.
On 15/04/17 17:05, Peter Bowen via dev-security-policy wrote:
On Thu, Apr 13, 2017 at 9:33 AM, douglas.beattie--- via
dev-security-policy wrote:
On Thursday, April 13, 2017 at 10:49:17 AM UTC-4, Gervase Markham wrote:
On 13/04/17 14:23, Doug Beattie
On Thu, Apr 13, 2017 at 9:33 AM, douglas.beattie--- via
dev-security-policy wrote:
> On Thursday, April 13, 2017 at 10:49:17 AM UTC-4, Gervase Markham wrote:
>> On 13/04/17 14:23, Doug Beattie wrote:
>> > There is no statement back to scope or corresponding
On Thursday, April 13, 2017 at 10:49:17 AM UTC-4, Gervase Markham wrote:
> On 13/04/17 14:23, Doug Beattie wrote:
> > In 3.2 the term Technically Constrained is not defined to be any
> > different than the BRs (or perhaps even less restrictive).
>
> You mean 2.3, right?
Yes, 2.3.
> I would say
On Thu, Apr 13, 2017 at 10:48 AM, Gervase Markham via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> > Section 3.1.2.1 specifies that any CA capable of issuing secure email
> > certificates must have a "WebTrust for CAs" audit (or corresponding
> > ETSI audit). This is a
On 13/04/17 14:23, Doug Beattie wrote:
> In 3.2 the term Technically Constrained is not defined to be any
> different than the BRs (or perhaps even less restrictive).
You mean 2.3, right?
I would say Inclusion section, bullet 9 gives the definition of
technically constrained. For email certs,