Re: Incidents involving the CA WoSign

2016-10-06 Thread Peter Gutmann
Kurt Roeckx writes: >This is why browsers have something like OneCRL, so that they actually do >know about it and why Rob added that information to the bug tracker ( >https://bugzilla.mozilla.org/show_bug.cgi?id=906611#c2). That still doesn't necessarily answer the question,

Re: Incident Report - certificate with 'sb' as a SAN:dnsName

2016-10-06 Thread Peter Bowen
On Thu, Oct 6, 2016 at 7:33 AM, Peter Bowen wrote: > On Thu, Oct 6, 2016 at 7:29 AM, Rob Stradling > wrote: >> On 04/10/16 19:39, Peter Bowen wrote: >>> On Tue, Oct 4, 2016 at 6:29 AM, Rob Stradling >>> wrote: On

Re: Include Symantec-brand Class 1 and Class 2 Root Certs

2016-10-06 Thread Peter Bowen
On Thu, Oct 6, 2016 at 3:57 PM, Richard Barnes wrote: > I seem to recall we had some discussion a while back about what criteria > should be applied to email CAs. Where did we end up on that? I don't believe anything was settled. There is one small item in the CA policy:

Re: Include Symantec-brand Class 1 and Class 2 Root Certs

2016-10-06 Thread Richard Barnes
On Thu, Oct 6, 2016 at 12:09 PM, Kathleen Wilson wrote: > This request from Symantec is to include the following 4 root certificates > and enable the Email trust bit for them. > To be clear: The request is for *only* the email trust bit to be set? I seem to recall we had

Re: Include Symantec-brand Class 1 and Class 2 Root Certs

2016-10-06 Thread Nick Lamb
Thanks Kathleen. I have no substantive objections to this inclusion (with only the Email trust bit to be set) at this time but I do have a minor editorial nitpick which might as well go back to Symantec while we're here. On page 1 of the Introduction of the CP document, a footnote refers to

Re: WoSign and StartCom: next steps

2016-10-06 Thread Ryan Sleevi
On Tuesday, October 4, 2016 at 9:25:16 AM UTC-7, Gervase Markham wrote: > On 29/09/16 16:40, Gervase Markham wrote: > > Following the publication of the recent investigative report, > > representatives of Qihoo 360 and StartCom have requested a face-to-face > > meeting with Mozilla. We have

Re: Incident Report - certificate with 'sb' as a SAN:dnsName

2016-10-06 Thread Rob Stradling
On 04/10/16 19:39, Peter Bowen wrote: > On Tue, Oct 4, 2016 at 6:29 AM, Rob Stradling > wrote: >> On 04/10/16 13:18, Nick Lamb wrote: >>> On Tuesday, 4 October 2016 11:14:01 UTC+1, Rob Stradling wrote: Neither. I'd like to run cablint over all certs pre-issuance,
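The kind of pre-issuance check discussed above, as an added example written for this page (it is not cablint and not code posted in the thread). It lints the dNSName values a CA is about to put into a certificate's subjectAltName and refuses to issue when one of them is a single label, a bare public suffix such as "sb", a misplaced wildcard, or not a valid LDH name. The public-suffix set and the sample names are constructed stand-ins; a real lint would load the full Public Suffix List.

```python
"""Pre-issuance lint for subjectAltName dNSName entries (added example).

Checks are syntactic only: LDH labels, length limits, wildcard placement,
and rejection of names a public CA must not issue for (single-label
"internal" names and bare public suffixes such as "sb").
"""
from __future__ import annotations

import re

# Constructed, deliberately incomplete stand-in for the Public Suffix List
# (https://publicsuffix.org/). Assumption for this example only.
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk", "sb", "example"}

# One DNS label: 1-63 letters/digits/hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def lint_dnsname(name: str) -> list[str]:
    """Return the list of findings for one dNSName; empty means it is clean."""
    findings: list[str] = []
    if not name or len(name) > 253:
        return ["dNSName is empty or exceeds 253 octets"]
    if name.endswith("."):
        findings.append("dNSName has a trailing dot")
        name = name[:-1]

    labels = name.lower().split(".")
    for i, label in enumerate(labels):
        if label == "*" and i == 0:
            continue  # a wildcard as the entire left-most label is allowed
        if "*" in label:
            findings.append("wildcard is only permitted as the entire left-most label")
        elif not LABEL_RE.match(label):
            findings.append(f"label '{label}' is not a valid LDH label")

    if len(labels) == 1:
        findings.append("single-label name (internal name) is not permitted")

    # Strip a leading wildcard and test the remainder against the suffix list,
    # so "sb" and "*.co.uk" are both caught.
    base = labels[1:] if labels[0] == "*" else labels
    if ".".join(base) in PUBLIC_SUFFIXES:
        if labels[0] == "*":
            findings.append("wildcard covers an entire public suffix")
        else:
            findings.append("dNSName is a bare public suffix")
    return findings


def lint_sans(names: list[str]) -> dict[str, list[str]]:
    """Map each offending dNSName in a to-be-signed cert to its findings."""
    return {n: f for n in names if (f := lint_dnsname(n))}


def is_issuable(names: list[str]) -> bool:
    """Gate for the signer: issue only when no dNSName has a finding."""
    return not lint_sans(names)


if __name__ == "__main__":
    # Constructed sample SAN set modelled on the incident in the subject line.
    tbs_sans = ["www.example.com", "*.example.com", "sb"]
    for name, findings in lint_sans(tbs_sans).items():
        for f in findings:
            print(f"ERROR {name}: {f}")
    print("issue" if is_issuable(tbs_sans) else "refuse to issue")
```

Running the lint before signing, rather than over crt.sh afterwards, is the point Rob makes: the signer should consult `is_issuable()` and refuse, instead of the bad certificate surfacing post-issuance in CT.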

Re: SHA-1 exception First Data

2016-10-06 Thread Jakob Bohm
On 06/10/2016 15:58, Gervase Markham wrote: On 06/10/16 12:38, Jakob Bohm wrote: Which is why I have repeatedly suggested that maybe the rules should be changed to promote/demote some of the historic SHA-1 root certs into "SHA-1 forever" roots that can service older devices and browsers, even

Re: SHA-1 exception First Data

2016-10-06 Thread Gervase Markham
On 06/10/16 12:38, Jakob Bohm wrote: > Which is why I have repeatedly suggested that maybe the rules should be > changed to promote/demote some of the historic SHA-1 root certs into > "SHA-1 forever" roots that can service older devices and browsers, even > for regular websites concerned about

Re: SHA-1 exception First Data

2016-10-06 Thread Jakob Bohm
On 06/10/2016 07:46, Peter Bowen wrote: On Wed, Oct 5, 2016 at 10:02 PM, Michael Ströder wrote: Dean Coclin wrote: First Data's customers don't use browsers so Firefox can disable SHA-1 tomorrow and not affect them. So why to have your CA certificate trusted in

Re: SHA-1 exception First Data

2016-10-06 Thread Kurt Roeckx
On Thu, Oct 06, 2016 at 08:22:20AM +0200, Hanno Böck wrote: > On Wed, 5 Oct 2016 22:46:24 -0700 > Peter Bowen wrote: > > > I think we can all look back with 20/20 hindsight and say that device > > vendors should not use the same roots as browsers and that maybe CAs > > should

Re: SHA-1 exception First Data

2016-10-06 Thread Hanno Böck
On Wed, 5 Oct 2016 22:46:24 -0700 Peter Bowen wrote: > I think we can all look back with 20/20 hindsight and say that device > vendors should not use the same roots as browsers and that maybe CAs > should have created "SHA-1 forever" roots for devices that never plan > to