Re: DRAFT November 2017 CA Communication

2017-10-25 Thread Andrew Ayer via dev-security-policy
Hi Kathleen,

I suggest being explicit about which CAA errata Mozilla allows.

For CNAME, it's erratum 5065.

For DNAME, it's erratum 5097.

Link to errata: https://www.rfc-editor.org/errata_search.php?rfc=6844

We don't want CAs to think they can follow any errata they like, or to
come up with their own interpretation of what "natural" means :-)

Regards,
Andrew

On Wed, 25 Oct 2017 12:46:40 -0700 (PDT)
Kathleen Wilson via dev-security-policy
 wrote:

> All,
> 
> I will greatly appreciate your thoughtful and constructive feedback
> on the DRAFT of Mozilla's next CA Communication, which I am hoping to
> send in early November.
> 
> https://wiki.mozilla.org/CA/Communications#November_2017_CA_Communication
> 
> Direct link to the survey:
> https://ccadb-public.secure.force.com/mozillacommunications/CACommunicationSurveySample?CACommunicationId=a051J3mogw7
> 
> Thanks,
> Kathleen
> 
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
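To make concrete what the two errata change, the following is an added illustration for this thread (not code from the list, from Mozilla or from any CA). It implements the RFC 6844 Section 4 tree-climbing algorithm twice: with the erratum 5065 wording, where step 2 consults only CAA(A(X)) at the alias target and then continues up X's own parents, and with the original wording, R(A(X)), which climbs the alias target's parents instead. A name below a DNAME is handled the way a resolver presents it to a client, as a synthesized CNAME (RFC 6672). The zone data, the CA domains and the `issuer_allowed` check are assumptions constructed for the example; it runs against an in-memory dictionary rather than live DNS, and it does not model issuewild or unknown critical-flag properties.

```python
"""CAA lookup per RFC 6844 Section 4 with and without erratum 5065.

Added illustration for the thread; hypothetical zone data, not live DNS.
"""
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed sample zone (made-up names): name -> {"CAA"|"CNAME"|"DNAME": ...}
ZONE: Dict[str, dict] = {
    "example.com.":         {"CAA": [(0, "issue", "ca-a.example")]},
    "www.example.com.":     {"CNAME": "sites.hosting.net."},   # customer CNAMEs to a host
    "old.example.com.":     {"DNAME": "new.example.net."},     # subtree moved elsewhere
    "hosting.net.":         {"CAA": [(0, "issue", "ca-b.example")]},
    "sites.hosting.net.":   {},                                # no CAA at the target
    "app.new.example.net.": {"CAA": [(0, "issue", "ca-c.example")]},
}


def parent(name: str) -> str:
    """P(X): the label immediately above X (names are FQDNs with a trailing dot)."""
    return name.split(".", 1)[1]


def is_tld(name: str) -> bool:
    return name.count(".") <= 1  # "com." or a bare label: stop climbing here


def caa(zone: Dict[str, dict], name: str) -> List[CaaRecord]:
    """CAA(X): the CAA RRset at exactly X, without following any alias."""
    return list(zone.get(name, {}).get("CAA", []))


def _one_alias_hop(zone: Dict[str, dict], name: str) -> Optional[str]:
    """One CNAME hop, or the CNAME a resolver would synthesize from a DNAME
    owned by an ancestor of name (RFC 6672); None if name is not an alias."""
    if "CNAME" in zone.get(name, {}):
        return zone[name]["CNAME"]
    anc = name
    while not is_tld(anc):
        anc = parent(anc)               # a DNAME redirects names *below* its owner
        if "DNAME" in zone.get(anc, {}):
            return name[: -len(anc)] + zone[anc]["DNAME"]
    return None


def alias_target(zone: Dict[str, dict], name: str, max_hops: int = 8) -> Optional[str]:
    """A(X): the end of the alias chain starting at X, or None if X is not an
    alias. A loop or an over-long chain is treated as 'no usable target'."""
    seen, current = {name}, name
    for _ in range(max_hops):
        nxt = _one_alias_hop(zone, current)
        if nxt is None:
            return None if current == name else current
        if nxt in seen:
            return None
        seen.add(nxt)
        current = nxt
    return None


def relevant_caa(zone: Dict[str, dict], name: str,
                 erratum_5065: bool = True) -> List[CaaRecord]:
    """R(X) per RFC 6844 Section 4.

    erratum_5065=True uses the corrected step 2, CAA(A(X)): only the alias
    target itself is consulted, after which the climb continues up X's own
    parents. erratum_5065=False uses the original step 2, R(A(X)), which
    climbs the *target's* parents, so a hosting provider's apex CAA would
    decide issuance for a customer name that merely CNAMEs into it. (The
    original text can recurse without bound on cross-aliased zones; this
    example does not guard against that.)
    """
    records = caa(zone, name)
    if records:                                            # step 1
        return records
    target = alias_target(zone, name)
    if target is not None:                                 # step 2
        records = (caa(zone, target) if erratum_5065
                   else relevant_caa(zone, target, erratum_5065=False))
        if records:
            return records
    if not is_tld(name):                                   # step 3
        return relevant_caa(zone, parent(name), erratum_5065)
    return []                                              # step 4


def issuer_allowed(records: List[CaaRecord], ca_domain: str) -> bool:
    """Non-wildcard issuance check (RFC 6844 Section 5.2). Parameters after
    ';' are ignored; issuewild and unknown critical tags are not modeled."""
    issuers = [v.split(";", 1)[0].strip() for _, tag, v in records if tag == "issue"]
    if not issuers:
        return True  # no issue property in the relevant set: no restriction
    return ca_domain in issuers


if __name__ == "__main__":
    for qname in ("www.example.com.", "app.old.example.com.", "sites.hosting.net."):
        print(qname)
        print("  erratum 5065 :", relevant_caa(ZONE, qname))
        print("  original text:", relevant_caa(ZONE, qname, erratum_5065=False))
```

Running it shows the divergence the thread is about: for `www.example.com.` the erratum 5065 algorithm returns the `example.com.` record (the domain owner's policy), while the original text returns the `hosting.net.` record, so the two readings would let different CAs issue for the same name. The DNAME case resolves the same way under both readings because the synthesized target carries its own CAA record.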


RE: DRAFT November 2017 CA Communication

2017-10-25 Thread Jeremy Rowley via dev-security-policy
Some initial thoughts
1. I'm a bit confused by bullet #2 in the survey. Wasn't it already the
Mozilla policy that CAs could only use the blessed 10 methods of validation?
I thought this was communicated in the previous letter?
2. On bullet #3, I'm reading the wording to mean either 1) disclosed and
audited or 2) revoked, not disclosed and either a) revoked or b) audited,
correct? Rewording the language to be "must be either audited and disclosed
or revoked in the Common CA Database" might clarify between the two.
3. On bullet #3, should you specify what audits are required for S/MIME in
the email? There might be confusion between the two audit questions that
interprets S/MIME as requiring a BR audit. This might not be worth
clarifying though as all CAs should understand the purpose of each audit.
4. On action 4, how often will Mozilla require BR Self assessments? Should
you state that Mozilla may require them on a periodic basis going forward?
5. On action 7, I'm unaware of any CT discussions currently ongoing at the
CAB Forum or Mozilla list. Could you provide a link or further intent on
what we're watching for?

-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org]
On Behalf Of Kathleen Wilson via dev-security-policy
Sent: Wednesday, October 25, 2017 1:47 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: DRAFT November 2017 CA Communication

All,

I will greatly appreciate your thoughtful and constructive feedback on the
DRAFT of Mozilla's next CA Communication, which I am hoping to send in early
November.

https://wiki.mozilla.org/CA/Communications#November_2017_CA_Communication

Direct link to the survey:
https://ccadb-public.secure.force.com/mozillacommunications/CACommunicationSurveySample?CACommunicationId=a051J3mogw7

Thanks,
Kathleen





DRAFT November 2017 CA Communication

2017-10-25 Thread Kathleen Wilson via dev-security-policy
All,

I will greatly appreciate your thoughtful and constructive feedback on the 
DRAFT of Mozilla's next CA Communication, which I am hoping to send in early 
November.

https://wiki.mozilla.org/CA/Communications#November_2017_CA_Communication

Direct link to the survey:
https://ccadb-public.secure.force.com/mozillacommunications/CACommunicationSurveySample?CACommunicationId=a051J3mogw7

Thanks,
Kathleen



Re: Mozilla’s Plan for Symantec Roots

2017-10-25 Thread Kai Engert via dev-security-policy
On 16.10.2017 19:32, Gervase Markham via dev-security-policy wrote:
> 
> Here is Mozilla’s planned timeline for the graduated distrust of
> Symantec roots (subject to change):
> 
> * January 2018 (Firefox 58): Notices in the Developer Console will warn
> about Symantec certificates issued before 2016-06-01, to encourage site
> owners to migrate their TLS certs.
> 
> * May 2018 (Firefox 60): Websites will show an untrusted connection
> error if they have a TLS cert issued before 2016-06-01 that chains up to
> a Symantec root.
> 
> * October 2018 (Firefox 63): Removal/distrust of Symantec roots, with
> caveats described below.
> 
> Mozilla’s release calendar is here:
> https://wiki.mozilla.org/RapidRelease/Calendar


Will these changes be implemented in the ESR 59.x releases, which will
be released in parallel to the above releases?

Thanks
Kai