RE: Symantec Conclusions and Next Steps

2017-04-26 Thread Steve Medin via dev-security-policy
> -Original Message- > From: dev-security-policy [mailto:dev-security-policy- > bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of > Gervase Markham via dev-security-policy > Sent: Friday, April 21, 2017 6:17 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject:

Expanding Aaron Wu's role in CA Program

2017-04-26 Thread Kathleen Wilson via dev-security-policy
All, As many of you know, Aaron Wu has been doing the Information Verification[1] for root inclusion/update requests, has helped me organize the CA Program Bugzilla Bugs[2], and continues to expand in his role in helping with Mozilla's CA Certificates Module[3]. I have asked Aaron to begin

RE: CA Validation quality is failing

2017-04-26 Thread Jeremy Rowley via dev-security-policy
Status Update: We are still scanning our database to discover all certificates containing incorrect data. So far, the count is at 1510. The issues fall into two categories: 1) a failure to properly convey that BRs prohibit inclusion of meta data (BR 7.1.4.2.2.j) and 2) auto-population of

Re: Removing "Wildcard DV Certs" from Potentially Problematic Practices list

2017-04-26 Thread Ryan Sleevi via dev-security-policy
On Wed, Apr 26, 2017 at 5:17 PM, okaphone.elektronika--- via dev-security-policy wrote: > > If this is about the possible consequences of compromise, then I'd say you > should try to address that. But please do come up with something that still > allows for

Re: Updating Bugzilla Product/Component groups for CA Program Bugs

2017-04-26 Thread Kathleen Wilson via dev-security-policy
The Bugzilla Product/Components for CA Program bugs have been changed. All of the CA Program bugs are now in the NSS Product group in Bugzilla. The NSS Product group in Bugzilla now has the following Components: Build CA Certificate Mis-Issuance CA Certificate Root Program CA Certificates Code

Re: Removing "Wildcard DV Certs" from Potentially Problematic Practices list

2017-04-26 Thread okaphone.elektronika--- via dev-security-policy
On Wednesday, 26 April 2017 22:43:19 UTC+2, Ryan Sleevi wrote: > On Wed, Apr 26, 2017 at 4:02 PM, okaphone.elektronika wrote: > > > I think this is getting weird. > > > > At first (some other thread) it gets explained that e.g. LetsEncrypt does > > not do anything beyond domain validation and

Re: Removing "Wildcard DV Certs" from Potentially Problematic Practices list

2017-04-26 Thread Ryan Sleevi via dev-security-policy
On Wed, Apr 26, 2017 at 4:02 PM, okaphone.elektronika--- via dev-security-policy wrote: > I think this is getting weird. > > At first (some other thread) it gets explained that e.g. LetsEncrypt does > not do anything beyond domain validation and possibly

Re: Symantec Conclusions and Next Steps

2017-04-26 Thread Rob Stradling via dev-security-policy
On 25/04/17 23:50, Ryan Sleevi via dev-security-policy wrote: Continuing to look through the audits, I happened to notice a few other things that stood out, some more pressing than others. More pressing: I can find no disclosure with Salesforce or crt.sh of at least two CAs that are listed 'in

Re: Removing "Wildcard DV Certs" from Potentially Problematic Practices list

2017-04-26 Thread okaphone.elektronika--- via dev-security-policy
I think this is getting weird. At first (some other thread) it gets explained that e.g. LetsEncrypt does not do anything beyond domain validation and possibly on notification take down a few certificates of phishing sites. And that was "... all OK because we want SSL to be used everywhere, and

Re: Removing "Wildcard DV Certs" from Potentially Problematic Practices list

2017-04-26 Thread Ryan Sleevi via dev-security-policy
On Wed, Apr 26, 2017 at 3:17 PM, Peter Kurrasch wrote: > Hi Ryan-- > > To your first comment, I'm afraid I won't have the time to take a closer > look at the discussion on 3.2.2.4. Hopefully a path from single domain to > unlimited domains exists (or will). It makes sense to me

Re: Removing "Wildcard DV Certs" from Potentially Problematic Practices list

2017-04-26 Thread Peter Kurrasch via dev-security-policy
Hi Ryan-- To your first comment, I'm afraid I won't have the time to take a closer look at the discussion on 3.2.2.4. Hopefully a path from single domain to unlimited domains exists (or will). It makes sense to me

Responses to April 2017 CA Communication

2017-04-26 Thread Kathleen Wilson via dev-security-policy
All, The responses to Mozilla's April 2017 CA Communication are being published here: https://wiki.mozilla.org/CA:Communications#April_2017_Responses Reminder: I have postponed the response deadline to May 5, and I made a note of that here: https://wiki.mozilla.org/CA:Communications#April_2017