On Wed, May 10, 2017 at 2:06 PM, mono.riot--- via dev-security-policy <
> On Wednesday, May 10, 2017 at 7:59:37 PM UTC+2, Itzhak Daniel wrote:
> > The next step, if Symantec wish to continue to use their current PKI in
> the future, should be logging
On Tue, May 09, 2017 at 07:03:16PM +0200, Kurt Roeckx via dev-security-policy
> Instead of the removal of the roots, I suggest we either ask them
> to revoke all the intermediate CAs that do not have the required
> audits or that Mozilla adds them to OneCRL.
Just to clarify, I believe
On Wednesday, May 10, 2017 at 7:59:37 PM UTC+2, Itzhak Daniel wrote:
> The next step, if Symantec wish to continue to use their current PKI in the
> future, should be logging (ASAP) *all* of the certificates they issued to a
> CT log, then we'll know how deep is the rabbit hole.
On Wednesday, 10 May 2017 17:52:40 UTC+2, Gervase Markham wrote:
> On 09/05/17 16:51, Gervase Markham wrote:
> > * Editing the proposal to withdraw the "alternative" option, leaving
> > only the "new PKI" option.
> This has now been done:
In this context, I was wondering: Has there been a discussion yet on Firefox
enforcing cert lifetime in code not just via policy?
Most everything seems to be in place already due to EV, but DV doesn't have a
limit atm. 
Now in practice, thanks to killing sha1, most of those legacy certs are
On 08/05/17 13:24, Gervase Markham wrote:
> 8) Please explain how the Management Assertions for your December 2014
Strike this question; it's based on a misunderstanding of how audits are
10) Do you agree that, during the period of time that Symantec
cross-signed the Federal
On 09/05/17 18:25, Doug Beattie wrote:
> I'm not clear on what you mean by CAs must use only the 10 Blessed Methods by
> 21st July 2017.
> I'm assuming this is the latest official draft:
> Specifically, does