Re: Include Additional D-TRUST root certificate

2017-03-03 Thread Kathleen Wilson via dev-security-policy
On Wednesday, December 21, 2016 at 11:03:18 AM UTC-8, Kathleen Wilson wrote: > This request from D-TRUST is to include the ‘D-TRUST Root CA 3 2013’ root > certificate and enable the Email trust bit. > > D-TRUST GmbH is a subsidiary of Bundesdruckerei GmbH and is fully owned by > the German

RE: Misissued/Suspicious Symantec Certificates

2017-03-03 Thread Steve Medin via dev-security-policy
Our fourth response to questions is posted at Bugzilla, https://bugzilla.mozilla.org/show_bug.cgi?id=1334377. It includes two attachments at that bug: https://bugzilla.mozilla.org/attachment.cgi?id=8843448 https://bugzilla.mozilla.org/attachment.cgi?id=8843449 From: Ryan Sleevi

Re: Incapsula via GlobalSign issued[ing] a certificate for non-existing domain (testslsslfeb20.me)

2017-03-03 Thread douglas.beattie--- via dev-security-policy
I wanted to send out a short update of where we are on looking into the reported Incapsula/testslsslfeb20.me certificate and the thread of comments and questions above. In this specific case the domain was verified within 39 months of issuance/reissuance (no difference as Ryan pointed out). In

Re: Include Renewed Kamu SM root certificate

2017-03-03 Thread Andrew R. Whalley via dev-security-policy
Hello, I've read through the English language version of CP/CPS dated March 30, 2016 version 1 and made the following notes: No version history at the front of the document. This is not required, but is evidence of good document change management and is a useful reference to see what's changed when

Re: SHA1 root CA

2017-03-03 Thread Gervase Markham via dev-security-policy
On 03/03/17 10:16, benjaminp...@gmail.com wrote: > Could RSASSA-PSS as the used signature algorithm be the problem? Yes, we don't support that. Although we may at some point: https://bugzilla.mozilla.org/show_bug.cgi?id=1088140 Gerv

Re: A new US government CA for the web PKI

2017-03-03 Thread Gervase Markham via dev-security-policy
On 02/03/17 20:45, Eric Mill wrote: > Our goal is to start a new root and set of issuing CAs that is completely > disconnected and separate from the existing Federal PKI bridge network that > members of the web PKI community may be familiar with. Are you able to say whether you will be seeking a

Re: GlobalSign BR violation

2017-03-03 Thread Gervase Markham via dev-security-policy
On 28/02/17 20:02, douglas.beat...@gmail.com wrote: > Suspicious Test certificate > https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/-gaS1p3vrXc > > I provided a formal response in that thread that I believe closes > this issue. I still have an outstanding question. > And

Re: Suspicious test.com Cert Issued By GlobalSign

2017-03-03 Thread Gervase Markham via dev-security-policy
Hi Doug, On 28/02/17 12:44, douglas.beat...@gmail.com wrote: > Sorry, I missed the last request. As outlined above, this domain was > added to this account for only a very short period of time and then > it was removed, so it's no longer being used. Further, we've > educated the groups involved

Re: SHA1 root CA

2017-03-03 Thread benjaminpill--- via dev-security-policy
On Wednesday, 1 March 2017 18:18:55 UTC+1, Gervase Markham wrote: > On 01/03/17 10:36, benjaminp...@gmail.com wrote: > > screenshot of the error message: http://imgur.com/a/BIQUm > > That error message will not occur if only the root CA is SHA-1 signed, > because Firefox does not check the

Re: Incapsula via GlobalSign issued[ing] a certificate for non-existing domain (testslsslfeb20.me)

2017-03-03 Thread Nick Lamb via dev-security-policy
On Friday, 3 March 2017 07:49:28 UTC, Ryan Sleevi wrote: > It is not acceptable. It's explicitly prohibited multiple ways to allow > more than 24 hours when such situations are brought to the CAs' attention. I'm sympathetic to the idea, here and in all cases where we have no reason to suppose