Re: TURKTRUST Non-compliance

2018-03-19 Thread Jakob Bohm via dev-security-policy
On 17/03/2018 01:23, Wayne Thayer wrote: TURKTRUST has the "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5" root included in the Mozilla program with the 'websites' trust bit enabled (not EV). Crt.sh identifies one unexpired and unrevoked subordinate CA [1], and 13 unexpired end-entity

RE: DigiCert .onion certificates without Tor Service Descriptor Hash extension

2018-03-19 Thread Jeremy Rowley via dev-security-policy
Interesting - this escaped our notice because it has a Tor descriptor. Unfortunately, it looks like the fetch function with v3 is not supported so we'll have to change how we pull and include the descriptor. Since the key is already in the cert, I agree there is nothing gain by including it,

Policy 2.6 Proposal: Update domain validation requirements

2018-03-19 Thread Wayne Thayer via dev-security-policy
Section 2.2(3) defines very specific requirements for use of the BR 3.2.2.4 domain validation methods. Now that 3.2.2.4.11 (“any other method”) has been removed from the BRs and ballot 218 [1] has passed, the Mozilla policy is out-of-date. I propose the following changes: * Remove the reference

Policy 2.6 Proposal: Move Compliance Date into policy

2018-03-19 Thread Wayne Thayer via dev-security-policy
Historically, the effective dates of new versions of the policy have been maintained separately from the policy itself [1]. In our November Communication, we learned that many CAs weren’t in compliance with policy version 2.5 despite it having been in effect since June [2]. This proposal is simply

Policy 2.6 Proposal: Updated criteria for including new CAs based on recent discussion

2018-03-19 Thread Wayne Thayer via dev-security-policy
A few months ago, we discussed our root inclusion criteria [1], and came to a conclusion that I summarized and proposed in policy as follows: I would like to thank everyone for your constructive input on this topic. > At the outset I stated a desire to ‘establish some objective criteria that >

Policy 2.6 Proposal: Remove temporary exception for unconstrained email subordinates

2018-03-19 Thread Wayne Thayer via dev-security-policy
This new version of the policy won’t be completed until after 15-April, which is the revised deadline for disclosure and auditing of unconstrained email subordinates. I propose removal of the following exception from section 5.3.1: Instead of complying with the above paragraph, intermediate

Re: Root Store Policy 2.6

2018-03-19 Thread Wayne Thayer via dev-security-policy
There are 17 proposed changes in total for version 2.6 of the policy, and I'm about to kick off discussions on the first batch. I expect some of these to be straightforward while others will hopefully generate good dialogues. As always, everyone's constructive input is appreciated. Thanks, Wayne