Re: DigiCert-Symantec Announcement

2017-09-07 Thread Peter Kurrasch via dev-security-policy
I think the plan at the root level makes sense and is reasonable, at least as far as I think I understand it. (A diagram would be nice.) At the intermediate level, however, I think more detail is needed. I'm

Re: Draft Security Blog about v2.5 of Root Store Policy

2017-09-07 Thread Kathleen Wilson via dev-security-policy
On Thursday, September 7, 2017 at 1:23:17 AM UTC-7, Buschart, Rufus wrote: > I have a question regarding the meaning of: > > > * The latest versions of the WebTrust and ETSI audit criteria are now > > required, and auditors are required to be appropriately qualified. I will delete that sentence

Re: Idea for a stricter name constraint interpretation

2017-09-07 Thread Ryan Sleevi via dev-security-policy
On Thu, Sep 7, 2017 at 5:22 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 07/09/2017 21:00, Ryan Sleevi wrote: > Then there is your suggestion of requiring technically constrained >> >>> SubCAs (that were constrained under a previous set of relevant

Re: PROCERT issues

2017-09-07 Thread Ryan Sleevi via dev-security-policy
On Thu, Sep 7, 2017 at 11:17 AM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Mozilla has decided that there is sufficient concern about the > activities and operations of the CA "PROCERT" to collect together our > list of current concerns. That list

Re: Idea for a stricter name constraint interpretation

2017-09-07 Thread Jakob Bohm via dev-security-policy
On 07/09/2017 21:00, Ryan Sleevi wrote: On Thu, Sep 7, 2017 at 1:20 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: All but one of your suggestions would require the revocation of existing SubCA certificates, essentially invalidating all existing uses of

Re: Idea for a stricter name constraint interpretation

2017-09-07 Thread Ryan Sleevi via dev-security-policy
On Thu, Sep 7, 2017 at 1:20 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > All but one of your suggestions would require the revocation of existing > SubCA certificates, essentially invalidating all existing uses of > certificates issued by those SubCAs

Re: Idea for a stricter name constraint interpretation

2017-09-07 Thread Jakob Bohm via dev-security-policy
On 01/09/2017 20:07, Ryan Sleevi wrote: On Fri, Sep 1, 2017 at 2:07 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: ... So, from the get-go with the standards, it was possible to name constrain DNS. Unless you were referencing certificates prior to them

PROCERT issues

2017-09-07 Thread Gervase Markham via dev-security-policy
Mozilla has decided that there is sufficient concern about the activities and operations of the CA "PROCERT" to collect together our list of current concerns. That list can be found here: https://wiki.mozilla.org/CA:PROCERT_Issues Note that this list may expand or reduce over time as issues are

RE: Draft Security Blog about v2.5 of Root Store Policy

2017-09-07 Thread Buschart, Rufus via dev-security-policy
Hello Kathleen! Thank you for sharing your draft version. I have a question regarding the meaning of: > * The latest versions of the WebTrust and ETSI audit criteria are now > required, and auditors are required to be appropriately qualified. Will you still accept ETSI TS 102 042 audits or