Re: Policy 2.5 Proposal: Fix definition of constraints for id-kp-emailProtection

2017-05-09 Thread Jakob Bohm via dev-security-policy
On 08/05/2017 12:16, Gervase Markham wrote: On 05/05/17 22:21, Jakob Bohm wrote: The issue would be implementations that only check the EE cert for their desired EKU (such as ServerAuth checking for a TLS client or EmailProtection checking for a mail client). In other words, relying parties

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2017-05-09 Thread Andrew R. Whalley via dev-security-policy
Greetings, I've given the CP V1.6 and CPS V4.5 docs a quick looking through and have the following comments: * Please don't protect your PDFs for printing * https://SSLTEST-2.95105813.cn - which I believe should be revoked, has also expired. The revoked test cert should be otherwise valid and

Re: Symantec: Update

2017-05-09 Thread Kathleen Wilson via dev-security-policy
On Tuesday, May 9, 2017 at 10:03:53 AM UTC-7, Kurt Roeckx wrote: > > Do we somewhere have the official templates being used to send > reminders of the audit requirements? Unofficial templates: https://wiki.mozilla.org/CA:Email_templates The official templates are in Salesforce, but currently

RE: Policy 2.5 Proposal: Indicate direction of travel with respect to permitted domain validation methods

2017-05-09 Thread Doug Beattie via dev-security-policy
Gerv, I'm not clear on what you mean by CAs must use only the 10 Blessed Methods by 21st July 2017. I'm assuming this is the latest official draft: https://github.com/mozilla/pkipolicy/blob/master/rootstore/policy.md Specifically, does this mean all new domain validations must conform to

Re: Symantec: Update

2017-05-09 Thread Kurt Roeckx via dev-security-policy
On Tue, May 09, 2017 at 04:51:12PM +0100, Gervase Markham via dev-security-policy wrote: > Despite the fact that there appear to be > numerous under-audited and unaudited publicly-trusted sub-CAs out there, > and this fact has been known for weeks now, Symantec has not said > anything about the

Re: Policy 2.5 Proposal: Indicate direction of travel with respect to permitted domain validation methods

2017-05-09 Thread Gervase Markham via dev-security-policy
On 01/05/17 10:13, Gervase Markham wrote: > This would involve replacing section 2.2.3 of the policy with: Incorporated as drafted. CAs should take note (from this change and from the CA Communication) that Mozilla's policy is moving in the direction of requiring the 10 Blessed Methods alone,

Re: Policy 2.5 Proposal: New version of WebTrust Criteria -- v2.2

2017-05-09 Thread Gervase Markham via dev-security-policy
On 01/05/17 10:09, Gervase Markham wrote: > This simply involves changing a "2.0" to "2.2" in section 3.1.1 and > updating the URL labelled "WebTrust-BRs" to be > http://www.webtrust.org/principles-and-criteria/docs/item83987.pdf . Done. Gerv ___

Re: Policy 2.5 Proposal: Incorporate Root Transfer Policy

2017-05-09 Thread Gervase Markham via dev-security-policy
On 01/05/17 10:02, Gervase Markham wrote: > Here is a diff of the proposed changes: > https://github.com/mozilla/pkipolicy/compare/issue-57 Incorporated. Gerv ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org

Re: Symantec: Update

2017-05-09 Thread Vincent Lynch via dev-security-policy
Hi Gervase, Thank you for the update on Mozilla's process. I have one question regarding your wording. You write"I am therefore *proposing *the following," and then you list your changes. Does this mean that the "alternative" option is officially, 100%, off the table? Or is this still an option

Re: Not disclosed as revoked intermediate certificates

2017-05-09 Thread Gervase Markham via dev-security-policy
On 08/05/17 16:50, Kurt Roeckx wrote: > So all of them except those from 2017-05-05 should have been marked in > the Common CA Database as revoked but haven't been marked as such. Thank you. I have drawn this to the attention of the 3 CAs concerned and asked them to post here to indicate when

Symantec: Update

2017-05-09 Thread Gervase Markham via dev-security-policy
Hi everyone, Yesterday was May 8th, which was the day I had said we would stop discussing my proposal of what to do about Symantec and hand it over to Kathleen for a decision. This didn't happen for two reasons: I had some personal things to deal with, and also I think the proposal needs some

Find a 5-year certificate

2017-05-09 Thread Han Yuwei via dev-security-policy
I have found this: https://crt.sh/?id=6885329 I don't know whether Mozilla had allowed the certificate valid more than 39 months, so I am here to verify it. I have searched on Github but found nothing. ___ dev-security-policy mailing list

RE: CA Validation quality is failing

2017-05-09 Thread Jeremy Rowley via dev-security-policy
Okay - all certs were added to the CT log. We're now working through revocation. -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert@lists.mozilla.org] On Behalf Of Jeremy Rowley via dev-security-policy Sent: Tuesday, May 2, 2017