Re: Policy 2.4 Proposal: Define how quickly audit reports must be provided

2017-01-12 Thread Ryan Sleevi
Suggestion: "List of CA policy documents _and versions_" Having seen audits that simply say "CPS at [URL]" leaves it ambiguous as to which version was audited. It also raises concerns of a CA forgetting to update their public CP/CPS with whatever the auditor examined. On Thu, Jan 12, 2017 at

Re: Policy 2.4 Proposal: Update required version number of Baseline Requirements to 1.3.7

2017-01-12 Thread Ryan Sleevi
Gerv, I'd like to push a little and suggest that the IP issues are not a significant reason for Mozilla not to formalize on 1.4.1 (e.g. with 169 included). Notably, 1.3.7 also has IP encumbrances - and uncertainty - the same as 1.4.1, so presumably, Mozilla is OK with having encumbered methods

Re: Incident Report – Certificates issued without proper domain validation

2017-01-12 Thread Itzhak Daniel
On Wednesday, January 11, 2017 at 5:03:08 AM UTC+2, Wayne Thayer wrote: > ... and will also be logged to the Google Pilot CT log. Why not post _ALL_ certificates issued via that method to the CT log?

RE: Incident Report – Certificates issued without proper domain validation

2017-01-12 Thread Wayne Thayer
> From: Gervase Markham [mailto:g...@mozilla.org] > Sent: Thursday, January 12, 2017 3:07 AM > To: Wayne Thayer ; mozilla-dev-security- > pol...@lists.mozilla.org > Subject: Re: Incident Report – Certificates issued without proper domain > validation > > Hi Wayne, > > Thanks

RE: Policy 2.4 Proposal: Update required version number of Baseline Requirements to 1.3.7

2017-01-12 Thread Jeremy Rowley
I agree with this approach. Nothing of note was included after the domain validation passed so making 1.3.7 the effective version makes sense. -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of

Information Verification for Root Inclusion/Change Requests

2017-01-12 Thread Kathleen Wilson
All, Many of you have noticed that I have transitioned the job of Information Verification[1] of root inclusion/change requests to Aaron Wu and Francis Lee, because I no longer have the bandwidth to do that work. Additionally, I hope to get a new process rolled out in Q1 that will enable CAs

Policy 2.4 Proposal: Define how quickly audit reports must be provided

2017-01-12 Thread Gervase Markham
The current CA policy does not specify when audit reports are due to Mozilla relative to the end date of the audit period. It only says that CAs must provide the reports to Mozilla within 30 days of receiving the report from their auditor. Peter Bowen proposed some revised and more specific

Policy 2.4 Proposal: Update required version number of Baseline Requirements to 1.3.7

2017-01-12 Thread Gervase Markham
Point 12 of the Inclusion section requires conformance to the Baseline Requirements version 1.3, released on 16th April 2015. The current version is 1.4.1. I propose changing to version 1.3.7. This is the one before the version which updated the domain validation requirements and which has had to

Policy 2.4 Proposal: Update version number of EV Guidelines to 1.6

2017-01-12 Thread Gervase Markham
Currently, Inclusion point 7 requires conformance to EV 1.4 or later. This was released in May 2012. The current version of EV (as of a week ago) was 1.6. We should update directly to 1.6, which was released in July 2016. This is: https://github.com/mozilla/pkipolicy/issues/29 --- This is

Re: Policy 2.4 Proposal: Update entropy requirements for EE certificates

2017-01-12 Thread Gervase Markham
On 16/12/16 15:18, Gervase Markham wrote: > Nevertheless, we should update our policy to also use this text, because > our policy also covers email certificates. We discussed this at the All > Hands recently and we did not think that there were any compelling > reasons to provide exemptions to

Re: Policy 2.4 Proposal: Define or remove the word "misused"

2017-01-12 Thread Gervase Markham
On 16/12/16 15:20, Gervase Markham wrote: > Kathleen's proposal is to change: > > "or that the certificate has otherwise been misused;" > > to > > "or that the certificate has been used for a purpose outside of that > indicated in the certificate or in the CA's subscriber agreement;"

Re: Policy 2.4 Proposal: Require OCSP responses to be signed by certs with lifetime longer than response

2017-01-12 Thread Gervase Markham
On 16/12/16 15:15, Gervase Markham wrote: > Proposal: add another sentence to the second bullet in point 3 of the > Maintenance section: > > "The nextUpdate of the OCSP response must be before or equal to the > notAfter date of the certificate which signs it, and all other > certificates in the

Re: Policy 2.4 Proposal: Use language of capability throughout

2017-01-12 Thread Gervase Markham
On 08/12/16 20:46, Gervase Markham wrote: > We want to change the policy to make it clear that whether a cert is > covered by our policy or not is dependent on whether it is technically > capable of issuing server certs, not whether it is intended by the CA > for issuing server certs. > > Until

Re: Incident Report – Certificates issued without proper domain validation

2017-01-12 Thread Gervase Markham
Hi Wayne, Thanks for these prompt and detailed responses. On 12/01/17 00:27, Wayne Thayer wrote: > Our initial response as reported yesterday was to fix the bug > introduced in July. Based on internal discussions and comments here, > as of 12 midnight PST last night (1/11) we stopped using this