CCADB System Upgrades October 15, 8am-6pm Pacific Time

2018-10-09 Thread Kathleen Wilson via dev-security-policy
All, We will be doing system upgrades to the CCADB on Monday, October 15, 8am-6pm Pacific Time. There will be limited functionality during that time. Kathleen

Re: Yet more undisclosed intermediates

2018-10-09 Thread Wayne Thayer via dev-security-policy
Thank you Rob. On Tue, Oct 9, 2018 at 3:43 AM Rob Stradling via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > "ACTION 6" of Mozilla's September 2018 CA Communication [1] reminded CAs > of the Mozilla Root Store Policy requirement [2] that > non-technically-constrained

Re: Odp.: 46 Certificates issued with BR violations (KIR)

2018-10-09 Thread Wayne Thayer via dev-security-policy
On Tue, Oct 9, 2018 at 5:30 AM Grabowski Piotr wrote: > Hello Wayne, > > Please find our comments below: > > > So far the process for modifying policy templates was controlled by only > one person at the moment. Although these persons > have an extensive experience in PKI and preparing

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS

2018-10-09 Thread Wayne Thayer via dev-security-policy
On Tue, Oct 9, 2018 at 12:48 PM Kathleen Wilson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Oh, so rather than trying to define what "No Stipulation" means and when > it can be used, we could take a different approach -- list the sections > that cannot contain "No

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS

2018-10-09 Thread Kathleen Wilson via dev-security-policy
Oh, so rather than trying to define what "No Stipulation" means and when it can be used, we could take a different approach -- list the sections that cannot contain "No Stipulation" in the CPS. On 10/9/18 12:31 PM, Brown, Wendy (10421) wrote: Tim - I think that statement leaves out the

RE: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS

2018-10-09 Thread Brown, Wendy (10421) via dev-security-policy
Tim - I think that statement leaves out the next paragraph of RFC3647: In a CP, it is possible to leave certain components, subcomponents, and/or elements unspecified, and to stipulate that the required information will be indicated in a policy qualifier, or the document to which a policy

RE: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-09 Thread Tim Hollebeek via dev-security-policy
RFC 3647 disagrees: "Rather, a particular CP or CPS may state "no stipulation" for a component, subcomponent, or element on which the particular CP or CPS imposes no requirements or makes no disclosure." "It is recommended that each and every component and subcomponent be included in a CP

RE: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-09 Thread Brown, Wendy (10421) via dev-security-policy
Kathleen - My interpretation of a "No Stipulation" in a CP is that the Policy has "No rules defined for this section". In these cases, I expect the CPS to state what is actually done in support of that section and therefore "No Stipulation" is not appropriate in a CPS. The CPS should instead

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-09 Thread (RS) Tyler Schroder via dev-security-policy
The legal definition that I came across is "In United States law, a stipulation is a formal legal acknowledgment and agreement made between opposing parties before a pending hearing or

What does "No Stipulation" mean, and when is it OK to use it in CP/CPS?

2018-10-09 Thread Kathleen Wilson via dev-security-policy
All, I would like to create some written rules about using "No Stipulation" in CP and CPS documents; e.g. what it means, and when it is OK to be used. First, I will appreciate your thoughts about what the term "No Stipulation" means. e.g. does it mean one or all of the following? "No rules

Odp.: 46 Certificates issued with BR violations (KIR)

2018-10-09 Thread Grabowski Piotr via dev-security-policy
Hello Wayne, Please find our comments below: So far the process for modifying policy templates was controlled by only one person at the moment. Although these persons have an extensive experience in PKI and preparing certificate templates and in common daily duties they work with several

Re: Yet more undisclosed intermediates [Telia]

2018-10-09 Thread Jakob Bohm via dev-security-policy
[ Please reply to list, Mozilla NNTP<->mail gateway seems to insert wrong Reply-To ] Telia is a notable case as this seems to be a brand new Intermediary created but not disclosed 1 month ago. On 09/10/2018 12:43, Rob Stradling wrote: "ACTION 6" of Mozilla's September 2018 CA Communication [1]

Re: Yet more undisclosed intermediates [SwissSign]

2018-10-09 Thread Jakob Bohm via dev-security-policy
[ Please reply to list, Mozilla NNTP<->mail gateway seems to insert wrong Reply-To ] It appears from the data that SwissSign has reacted to the requirement by starting to log some of their existing intermediaries in CT, instead of in CCADB. At least at a cursory glance. On 09/10/2018 12:43,

Yet more undisclosed intermediates

2018-10-09 Thread Rob Stradling via dev-security-policy
"ACTION 6" of Mozilla's September 2018 CA Communication [1] reminded CAs of the Mozilla Root Store Policy requirement [2] that non-technically-constrained intermediate CA certificates... "MUST be publicly disclosed in the CCADB by the CA that has their certificate included in Mozilla's