Re: Arabtec Holding public key?

2019-04-10 Thread Santhan Raj via dev-security-policy
On Wednesday, April 10, 2019 at 5:53:45 PM UTC-7, Corey Bonnell wrote: > On Wednesday, April 10, 2019 at 7:41:33 PM UTC-4, Nick Lamb wrote: > > (Resending after I typo'd the ML address) > > > > At the risk of further embarrassing myself in the same week, while > > working further on mimicking

Arabtec Holding public key?

2019-04-10 Thread Nick Lamb via dev-security-policy
(Resending after I typo'd the ML address) At the risk of further embarrassing myself in the same week, while working further on mimicking Firefox trust decisions I found this pre-certificate for Arabtec Holding PJSC: https://crt.sh/?id=926433948 Now there's nothing especially strange about this

Re: Extension KeyUsage in Subscriber's Certificate

2019-04-10 Thread Mirro via dev-security-policy
On Wednesday, April 10, 2019 at 2:55:50 PM UTC+8, Lijun Liao wrote: > Let us consider the case that the CA unsets the critical flag unintendedly, > e.g. using the default configuration. Which means there are no explicit > reasons. Is it required that the CA to create an incident report to Mozilla? > > On Tue, 9 Apr

Re: Extension KeyUsage in Subscriber's Certificate

2019-04-10 Thread Ryan Sleevi via dev-security-policy
On Wed, Apr 10, 2019 at 12:23 PM Wayne Thayer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I'm either confused, or I disagree. We're talking about a certificate that > deviates from a "SHOULD" in RFC 5280, correct? Our guidance on incidents > [1] defines misissuance,

Re: Extension KeyUsage in Subscriber's Certificate

2019-04-10 Thread Wayne Thayer via dev-security-policy
I'm either confused, or I disagree. We're talking about a certificate that deviates from a "SHOULD" in RFC 5280, correct? Our guidance on incidents [1] defines misissuance, in part, as "RFC non-compliant". The certificate as described strictly complies with RFC 5280 (and presumably all other

Re: Extension KeyUsage in Subscriber's Certificate

2019-04-10 Thread Matt Palmer via dev-security-policy
On Wed, Apr 10, 2019 at 08:55:27AM +0200, Lijun Liao via dev-security-policy wrote: > Let us consider the case that the CA unsets the critical flag unintendedly, > e.g. using the default configuration. Which means there are no explicit > reasons. Is it required that the CA to create an incident

Re: Extension KeyUsage in Subscriber's Certificate

2019-04-10 Thread Lijun Liao via dev-security-policy
Let us consider the case that the CA unsets the critical flag unintendedly, e.g. using the default configuration. Which means there are no explicit reasons. Is it required that the CA to create an incident report to Mozilla? On Tue, 9 Apr 2019, 19:14 Ryan Sleevi wrote: > > > On Tue, Apr 9, 2019