Re: Proposal to define applicability of BRs and expectations of CAs

On 11/11/2016 02:42, Peter Bowen wrote: Given that there is a lack of clarity on when the CABF BRs apply, and that applicability of the BRs is outside the scope of the BRs, I propose the following text to clarify and help CAs understand the expectations of operating a publicly trusted CA.

Proposal to define applicability of BRs and expectations of CAs

Given that there is a lack of clarity on when the CABF BRs apply, and that applicability of the BRs is outside the scope of the BRs, I propose the following text to clarify and help CAs understand the expectations of operating a publicly trusted CA. Thanks, Peter Requirements for a CA in the

Re: Comodo issued a certificate for an extension

On Thursday, 10 November 2016 19:53:25 UTC, Robin Alden wrote: > I can't speak to your assumptions, but I concede that it is not explicit in > the CPS. > > It is now documented at > https://secure.comodo.com/api/pdf/latest/Domain%20Control%20Validation.pdf > and in the knowledgebase article at:

RE: Comodo issued a certificate for an extension

Nick Lamb, on 02 October 2016 17:50, said.. > The first thing that jumps out at me from their report is that they mistake .sb > for a gTLD when it is actually a ccTLD. That was a mistake in writing the report. The point is that it is a TLD. > The second thing obviously is that they do have

RE: Incident Report - certificate with 'sb' as a SAN:dnsName

Hi Hanno, Hanno Böck, on 04 October 2016 13:34, said.. > There seem to be more certificates of that kind that weren't mentioned > in the incident report. Here's a .re / www.re certificate (expired > 2015): > https://crt.sh/?id=4467456 > > Has comodo checked its systems for other certificates of

RE: Comodo issued a certificate for an extension

Eric Mill, on 03 October 2016 03:14, said.. > On Sun, Oct 2, 2016 at 9:23 PM, Nick Lamb wrote: > > On Sunday, 2 October 2016 20:53:15 UTC+1, Peter Bowen wrote: > > > There is some good news. The CA/Browser Forum has already addressed > > > this, even prior to the current

RE: Incident Report - certificate with 'sb' as a SAN:dnsName

Gervase Markham, on 04 October 2016 07:10, said.. > Thank you for this report. > > On 27/09/16 02:07, Robin Alden wrote: > > When we use an 'agreed-upon change to website' method to prove > domain > > control, we consider proof of control of 'www.' as also > > proving control of '' (except where

Re: Can we require id-kp-serverAuth now?

On 09/11/16 18:50, Peter Bowen wrote: > Here are some certs that appear to be for server authentication but > don't have that EKU: > > https://crt.sh/?id=10621190 This one also contains Internal Server Names. And it contains bogus info in the Certificate Policies field. But it's not trusted by