Re: Policy 2.5 Proposal: Indicate direction of travel with respect to permitted domain validation methods

2017-05-03 Thread Nick Lamb via dev-security-policy
On Monday, 1 May 2017 22:02:58 UTC+1, Lee wrote: > Maybe it's because I've worked with some incredibly bad auditors, but > the way I read the proposal, doing anything other than one of those > exact 10 methods is risking an audit failure. > How would you word the policy to make it clear that

Policy 2.5 Proposal: Indicate direction of travel with respect to permitted domain validation methods

2017-05-03 Thread Han Yuwei via dev-security-policy
A question:How would a domain holder express denial for certain certificate requests? ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy

Symantec: Draft Proposal

2017-05-03 Thread Han Yuwei via dev-security-policy
So Mozilla think Symantec's issues are on t serious enough to lose trust entirely? ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy

Re: Changing CCADB domains

2017-05-03 Thread Nick Lamb via dev-security-policy
Thanks for your notice Kathleen. One thought: Very often several CAs ask for more time to complete the Mozilla survey, either explicitly, or implicitly by just not filling it out in a timely fashion and saying they're very busy and will do it "soon" if they're asked. If you believe there are,

RE: StartCom continues to sell untrusted certificates

2017-05-03 Thread Inigo Barreira via dev-security-policy
Yes, thank you for letting us know. Best regards Iñigo Barreira CEO StartCom CA Limited -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+inigo=startcomca@lists.mozilla.org] On Behalf Of Lewis Resmond via dev-security-policy Sent: miércoles, 3 de

Changing CCADB domains

2017-05-03 Thread Kathleen Wilson via dev-security-policy
All, I think it is time for us to change the domains that we are using for the CCADB as follows. Change the links for... 1) CAs to login to the CCADB from https://mozillacacommunity.force.com/ to https://ccadb.force.com/ 2) all published reports from

Re: StartCom continues to sell untrusted certificates

2017-05-03 Thread Lewis Resmond via dev-security-policy
Am Montag, 1. Mai 2017 16:49:32 UTC+2 schrieb Henri Sivonen: > On Mon, May 1, 2017 at 11:31 AM, Gervase Markham via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > On 01/05/17 07:52, Percy wrote: > >> It seems that StartCom continues to sell untrusted certs. Neither their

Re: StartCom continues to sell untrusted certificates

2017-05-03 Thread Percy via dev-security-policy
On Monday, May 1, 2017 at 7:49:32 AM UTC-7, Henri Sivonen wrote: > On Mon, May 1, 2017 at 11:31 AM, Gervase Markham via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > On 01/05/17 07:52, Percy wrote: > >> It seems that StartCom continues to sell untrusted certs. Neither

Re: Policy 2.5 Proposal: Remove the bullet about "fraudulent use"

2017-05-03 Thread Gervase Markham via dev-security-policy
On 03/05/17 16:45, Peter Kurrasch wrote: > Perhaps a different way to pose the questions here is whether Mozilla > wants to place any expectations on the CA's regarding fraud and the > prevention thereof. You need to be more specific, because there are lots of different ways a system can have

Re: Policy 2.5 Proposal: Remove the bullet about "fraudulent use"

2017-05-03 Thread Peter Kurrasch via dev-security-policy
Perhaps a different way to pose the questions here is whether Mozilla wants to place any expectations on the CA's regarding fraud and the prevention thereof. Expectations beyond what the BR's address, that is.

Re: Cert pinning mismatch investigation

2017-05-03 Thread Nick Lamb via dev-security-policy
On Tuesday, 2 May 2017 14:52:52 UTC+1, Gervase Markham wrote: > Group participants may be interested in David Keeler's analysis of why > Firefox seemed to be seeing cert pinning mismatches for Mozilla properties: > https://people-mozilla.org/~dkeeler/deployment-checker-analysis.html Indeed, that