Both :)
Having a new audit per online CA is going to be very expensive and
cause TSPs to heavily limit the number of online CAs they have.
Additionally all of these would be point-in-time audits, which only
report on design of controls. Assuming the design is consistent
between CAs, then there is
Mozilla policy section 3.1.2.2 states:
> ETSI TS 102 042 and TS 101 456 audits are only acceptable for audit periods
> ending in July 2017 or earlier.
>
Now that we are past this deadline, I propose that we remove all references
to ETSI TS 102 042 and 101 456 from the policy.
This is:
I like this one.
It will be very useful as a starting point if we finally get a CABF S/MIME
working group, which is likely to happen.
-Tim
> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+tim.hollebeek=digicert@lists.mozilla.org] On Behalf Of
Entrust issued two certificates where the IP Address was indicated in the
dNSName form. Both certificates have been revoked. The bug has been resolved.
Details of the incident report can be found here,
https://bugzilla.mozilla.org/show_bug.cgi?id=1448986.
Thanks, Bruce.
When the Francisco Partners acquisition of Comodo was announced, it was
pointed out [1] that a strict reading of the current policy section 8.1
would have forced Comodo to stop issuing certificates for some period of
time:
If the receiving or acquiring company is new to the Mozilla root program,
Mozilla began requiring BR audits for roots in our program in 2013 [1], but
we have a vague policy statement in section 3.1 regarding audit
requirements prior to inclusion:
> Before being included and periodically thereafter, CAs MUST obtain certain
> audits…
>
BR section 8.1 contains the
Mozilla policy section 2.2(2) requires validation of email addresses for
S/MIME certificates, but doesn't require disclosure of these practices as
it does for TLS certificates.
I propose adding the following language from 2.2 (3) (TLS) to 2.2(2)
(S/MIME):
The CA's CP/CPS must clearly specify the
We've done an automated analysis on 2018-03-13 of TLS/SSL certificates that
have been issued by our CAs:
- Camerfirma Corporate Server II - 2015
- Camerfirma Corporate Server - 2009
- AC CAMERFIRMA AAPP
We discovered 81 certificates that we didn't discover in our previous manual
analyses of
Peter,
Are you advocating for option #2 (TSP self-attestation) because you think
that option #3 (audit) is unreasonable, or because you believe there is a
benefit to Mozilla's users in a self-attestation beyond what we get from
the existing requirement for CCADB disclosure?
On Fri, Mar 23, 2018