Re: New requirement: certlint testing

2016-02-08 Thread Matt Palmer
On Mon, Feb 08, 2016 at 12:42:46PM -0800, Kathleen Wilson wrote: > One topic currently under discussion in Bug #1201423 is regarding root > certificates with serial number of 0. The error being returned by > http://cert-checker.allizom.org/ is "Serial number must be positive". > > Arguments

Re: SSC Root Inclusion Request

2016-02-08 Thread Moudrick M. Dadashov
The updated CP/CPS are now under internal review and will be published before end of February. Thanks, M.D. On 2/8/2016 8:00 PM, Kathleen Wilson wrote: On 2/7/16 2:53 AM, winpackja...@gmail.com wrote: And how much more time is this going to take? Since no issues have been highlighted...

Re: A-Trust Root Renewal Request

2016-02-08 Thread Charles Reiss
On 02/09/16 01:22, Kathleen Wilson wrote: > This request is to include the ‘A-Trust-Root-05’ root certificate, turn > on the Websites trust bit, and enable EV treatment. This new root > certificate will replace the ‘A-Trust-nQual-03’ root certificate that > was included via Bugzilla Bug #530797.

Re: ComSign Root Renewal Request

2016-02-08 Thread Eli Spitzer
On Thursday, February 4, 2016 at 10:57:54 PM UTC+2, Ryan Sleevi wrote: > Reposting this, as Kathleen confirmed it made it to her, but not the list: > > On Thu, December 10, 2015 12:01 pm, Kathleen Wilson wrote: > > This request is to include the "ComSign Global Root CA" root > > certificate, and

SSC Root Inclusion Request

2016-02-08 Thread winpackjason
And how much more time is this going to take? Since no issues have been highlighted... ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy

Re: SSC Root Inclusion Request

2016-02-08 Thread Kathleen Wilson
On 2/7/16 2:53 AM, winpackja...@gmail.com wrote: And how much more time is this going to take? Since no issues have been highlighted... We're waiting for SSC to update their CP/CPS to resolve the issues that were raised here:

New requirement: certlint testing

2016-02-08 Thread Kathleen Wilson
All, We recently added two tests that CAs must perform and resolve errors for when they are requesting to enable the Websites trust bit for their root certificate. Test 1) Browse to https://crt.sh/ and enter the SHA-1 Fingerprint for the root certificate. Then click on the 'Search' button.

Re: New requirement: certlint testing

2016-02-08 Thread Kathleen Wilson
On 2/8/16 12:22 PM, Kathleen Wilson wrote: On 2/8/16 12:18 PM, Kathleen Wilson wrote: All, We recently added two tests that CAs must perform and resolve errors for when they are requesting to enable the Websites trust bit for their root certificate. Test 1) Browse to https://crt.sh/ and enter

Re: New requirement: certlint testing

2016-02-08 Thread Kathleen Wilson
On 2/8/16 1:07 PM, Peter Bowen wrote: On Mon, Feb 8, 2016 at 12:18 PM, Kathleen Wilson wrote: We recently added two tests that CAs must perform and resolve errors for when they are requesting to enable the Websites trust bit for their root certificate. Test 1) Browse to

Re: New requirement: certlint testing

2016-02-08 Thread Kurt Roeckx
On Mon, Feb 08, 2016 at 12:18:12PM -0800, Kathleen Wilson wrote: > All, > > We recently added two tests that CAs must perform and resolve errors for > when they are requesting to enable the Websites trust bit for their root > certificate. > > Test 1) Browse to https://crt.sh/ and enter the SHA-1

Re: New requirement: certlint testing

2016-02-08 Thread Kathleen Wilson
On 2/8/16 12:18 PM, Kathleen Wilson wrote: All, We recently added two tests that CAs must perform and resolve errors for when they are requesting to enable the Websites trust bit for their root certificate. Test 1) Browse to https://crt.sh/ and enter the SHA-1 Fingerprint for the root

RE: Policy revision proposal - transitive disclosure exception

2016-02-08 Thread Ben Wilson
That makes sense. -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+ben=digicert@lists.mozilla.org] On Behalf Of Peter Bowen Sent: Monday, February 8, 2016 12:50 PM To: Kathleen Wilson Cc:

Re: New requirement: certlint testing

2016-02-08 Thread Kurt Roeckx
On Mon, Feb 08, 2016 at 02:30:05PM -0800, Kathleen Wilson wrote: > > Not much you can do about a currently-included root certificate other than > re-issue the root certificate which can cause many other problems. So I was under the impression that they needed to check their currently signed

Re: New requirement: certlint testing

2016-02-08 Thread Kathleen Wilson
On 2/8/16 2:36 PM, Kurt Roeckx wrote: On Mon, Feb 08, 2016 at 02:30:05PM -0800, Kathleen Wilson wrote: Not much you can do about a currently-included root certificate other than re-issue the root certificate which can cause many other problems. So I was under the impression that they needed

Re: New requirement: certlint testing

2016-02-08 Thread Peter Bowen
On Mon, Feb 8, 2016 at 2:46 PM, Kathleen Wilson wrote: > > Note that I think there are still some things with the certlint tests that > need to be ironed out, before filing bugs for every reported error. I am unaware of anything that is flagged as Fatal or Error on non-CA

Re: New requirement: certlint testing

2016-02-08 Thread Kathleen Wilson
On 2/8/16 1:36 PM, Kurt Roeckx wrote: On Mon, Feb 08, 2016 at 12:18:12PM -0800, Kathleen Wilson wrote: All, We recently added two tests that CAs must perform and resolve errors for when they are requesting to enable the Websites trust bit for their root certificate. Test 1) Browse to

A-Trust Root Renewal Request

2016-02-08 Thread Kathleen Wilson
This request is to include the ‘A-Trust-Root-05’ root certificate, turn on the Websites trust bit, and enable EV treatment. This new root certificate will replace the ‘A-Trust-nQual-03’ root certificate that was included via Bugzilla Bug #530797. The ‘A-Trust-nQual-03’ root certificate