Re: Odp.: 46 Certificates issued with BR violations (KIR)

2018-10-10 Thread Ryan Sleevi via dev-security-policy
On Wed, Oct 10, 2018 at 4:58 PM Grabowski Piotr wrote: > Hello Ryan, > > > In the design of this template, one of the concerns was about > understanding *how* a problem happened, not just how a CA responded. This > is why it includes text such as "This may include events before the > incident was

Re: Odp.: Odp.: 46 Certificates issued with BR violations (KIR)

2018-10-10 Thread Ryan Sleevi via dev-security-policy
On Wed, Oct 10, 2018 at 4:33 PM Grabowski Piotr via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Hello Wayne, > > - Is the new dual control process documented in a manner that will be > auditable by your external auditors? > > Yes, the new dual control process is already

Re: Violation report - Comodo CA certificates revocation delays

2018-10-10 Thread please please via dev-security-policy
Any update behind the scenes about this issue? I've noticed that the soft limit to fill an Incident Report expired more than a week ago, and I'm starting to be a bit worried that some of the evidence in the CT logs might disappear if the investigation is not completed before December 6th, the ea

Odp.: 46 Certificates issued with BR violations (KIR)

2018-10-10 Thread Grabowski Piotr via dev-security-policy
Hello Ryan, In the design of this template, one of the concerns was about understanding *how* a problem happened, not just how a CA responded. This is why it includes text such as "This may include events before the incident was reported, such as when a particular requirement became applicable

Odp.: Odp.: 46 Certificates issued with BR violations (KIR)

2018-10-10 Thread Grabowski Piotr via dev-security-policy
Hello Wayne, - Is the new dual control process documented in a manner that will be auditable by your external auditors? Yes, the new dual control process is already included in the document called instruction of the security of system Szafir (internal name of the PKI system) and it is

Results of September 2018 CA Communication

2018-10-10 Thread Wayne Thayer via dev-security-policy
The responses to our latest survey are posted on the wiki [1]. I would like to thank all the CAs that responded promptly to the survey. We have now received responses from all but two CAs: - Visa - as of Firefox 64 [2], Visa will no longer be a program member. - Certicamara - I have emailed and wi

Certum CA - Unallowed key usage for EC public key (Key Encipherment)

2018-10-10 Thread Wojciech Trapczyński via dev-security-policy
Please find our incident report below. 1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date. From Bugzilla bug 149
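As an added example, not taken from Certum's report or anywhere else in this thread, here is a small pure-Python lint for exactly this class of violation. It assumes the caller has already extracted two DER fields from the certificate (the AlgorithmIdentifier OID inside SubjectPublicKeyInfo and the KeyUsage extension value); the sample DER inputs below are constructed by hand for illustration. RFC 5480 section 3 allows only digitalSignature, nonRepudiation and keyAgreement (plus encipherOnly/decipherOnly alongside keyAgreement, and keyCertSign/cRLSign in CA certificates) on id-ecPublicKey keys, so keyEncipherment is never valid there; RFC 8410 section 5 restricts Ed25519 keys to digitalSignature, nonRepudiation, keyCertSign and cRLSign.

```python
"""Lint: flag KeyUsage values that are not permitted for EC / Ed25519 public keys.

Added example, not code from the Certum report or from this list.  Inputs are
the raw DER of two certificate fields, assumed already extracted by the caller:
  * the OBJECT IDENTIFIER TLV from SubjectPublicKeyInfo.algorithm
  * the BIT STRING TLV that is the KeyUsage extension value (RFC 5280 4.2.1.3)
"""

# KeyUsage bit positions as numbered in RFC 5280 (bit 0 is the MSB of byte 0).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

# Union of values permitted per key type (RFC 5480 section 3, RFC 8410 section 5).
# The EE-vs-CA distinction is deliberately not applied here; anything outside
# these sets (keyEncipherment, dataEncipherment on EC keys) is always a violation.
ALLOWED_KEY_USAGE = {
    "1.2.840.10045.2.1": {"digitalSignature", "nonRepudiation", "keyAgreement",  # id-ecPublicKey
                          "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"},
    "1.3.101.112": {"digitalSignature", "nonRepudiation", "keyCertSign", "cRLSign"},  # id-Ed25519
}


def _der_tlv(der: bytes, expected_tag: int) -> bytes:
    """Return the value of a single DER TLV; supports short and long-form lengths."""
    if len(der) < 2 or der[0] != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02x}, got {der[:1].hex()!r}")
    length, pos = der[1], 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(der[2:2 + n], "big")
        pos = 2 + n
    value = der[pos:pos + length]
    if len(value) != length or pos + length != len(der):
        raise ValueError("DER length does not match data")
    return value


def decode_oid(der: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER TLV into dotted form, e.g. '1.2.840.10045.2.1'."""
    body = _der_tlv(der, 0x06)
    if not body:
        raise ValueError("empty OID")
    if body[-1] & 0x80:
        raise ValueError("truncated OID arc")
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in body[1:]:                     # base-128, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_key_usage(der: bytes) -> set:
    """Decode a KeyUsage BIT STRING TLV into the set of asserted usage names."""
    body = _der_tlv(der, 0x03)
    if not body:
        raise ValueError("empty BIT STRING")
    unused, bits = body[0], body[1:]
    if unused > 7 or (unused and not bits):
        raise ValueError("bad unused-bits count")
    nbits = len(bits) * 8 - unused
    return {KEY_USAGE_BITS[i] for i in range(min(nbits, len(KEY_USAGE_BITS)))
            if bits[i // 8] & (0x80 >> (i % 8))}


def check_key_usage(spki_alg_oid_der: bytes, key_usage_der: bytes) -> list:
    """Return the sorted list of KeyUsage values not allowed for this key type.

    An empty list means no finding.  Key types with no rule here (e.g. RSA)
    are not checked by this lint.
    """
    allowed = ALLOWED_KEY_USAGE.get(decode_oid(spki_alg_oid_der))
    if allowed is None:
        return []
    return sorted(decode_key_usage(key_usage_der) - allowed)


# Constructed sample DER (hand-encoded for this example, not taken from any real cert).
SAMPLE_EC_OID = bytes.fromhex("06072a8648ce3d0201")        # 1.2.840.10045.2.1 id-ecPublicKey
SAMPLE_ED25519_OID = bytes.fromhex("06032b6570")           # 1.3.101.112 id-Ed25519
SAMPLE_RSA_OID = bytes.fromhex("06092a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption
KU_DS_KE = bytes.fromhex("030205a0")   # digitalSignature + keyEncipherment (5 unused bits)
KU_DS_KA = bytes.fromhex("03020388")   # digitalSignature + keyAgreement
KU_KE_ONLY = bytes.fromhex("03020220") # keyEncipherment only

if __name__ == "__main__":
    for label, oid, ku in [("EC ds+ke", SAMPLE_EC_OID, KU_DS_KE),
                           ("EC ds+ka", SAMPLE_EC_OID, KU_DS_KA),
                           ("RSA ke", SAMPLE_RSA_OID, KU_KE_ONLY),
                           ("Ed25519 ds+ka", SAMPLE_ED25519_OID, KU_DS_KA)]:
        findings = check_key_usage(oid, ku)
        print(f"{label:14} {decode_key_usage(ku)} -> {'OK' if not findings else findings}")
```

The same checker can be pointed at a CT log feed once the two fields are parsed out with any ASN.1 library; only the final set comparison is policy, everything else is plain DER decoding.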

Re: What does "No Stipulation" mean, and when is it OK to use it in CP/CPS

2018-10-10 Thread Jakob Bohm via dev-security-policy
On 09/10/2018 23:15, Wayne Thayer wrote: On Tue, Oct 9, 2018 at 12:48 PM Kathleen Wilson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: Oh, so rather than trying to define what "No Stipulation" means and when it can be used, we could take a different approach -- list th

Re: Yet more undisclosed intermediates

2018-10-10 Thread Rob Stradling via dev-security-policy
On 09/10/2018 23:53, Wayne Thayer wrote: >    - DigiCert > > Looks like DigiCert disclosed these within a few hours of your email. Yes, but I hope that DigiCert will provide an incident report so that we can understand why DigiCert's "processes in place to ensure that these requirements a