Re: Policy 2.7 Proposal: Clarify Meaning of "Technically Constrained"

2019-04-15 Thread Wayne Thayer via dev-security-policy
Unless additional feedback is posted, I will include this change as originally proposed in version 2.7 of our policy. - Wayne On Fri, Mar 29, 2019 at 11:23 AM Wayne Thayer wrote: > On Fri, Mar 29, 2019 at 4:32 AM Jakob Bohm via dev-security-policy < > dev-security-policy@lists.mozilla.org>

Re: Policy 2.7 Proposal: Clarify Point-in-Time Audit Language

2019-04-15 Thread Wayne Thayer via dev-security-policy
I will include this change in policy version 2.7. - Wayne On Wed, Mar 27, 2019 at 8:04 PM Ryan Sleevi wrote: > I'm not sure whether it's necessary to indicate support, but since silence > can sometimes be ambiguously interpreted: I support these changes and > believe they achieve the

Re: Updated Revocation Best Practices

2019-04-15 Thread Wayne Thayer via dev-security-policy
Ryan - Again, thank you for the feedback, and please forgive me for the delayed response. I've attempted to address your concerns on the wiki page (since this isn't official policy, I'm editing the live document):

RE: Arabtec Holding public key? [Weird Digicert issued cert]

2019-04-15 Thread Jeremy Rowley via dev-security-policy
A possibility. They could have pasted something in the root chain. Note that the required handshake would have caught that if it'd been implemented. Overall it doesn't matter too much if it was malicious or innocent; the cert holder can't do anything without the private key. -Original

Blog: Common CA Database (CCADB) promotes Transparency and Collaboration

2019-04-15 Thread Kathleen Wilson via dev-security-policy
All, I posted the following to the Mozilla Security Blog to explain what the CCADB is and why it is important. https://blog.mozilla.org/security/2019/04/15/common-ca-database-ccadb/ Kathleen

Re: Arabtec Holding public key? [Weird Digicert issued cert]

2019-04-15 Thread Jakob Bohm via dev-security-policy
According to Jeremy (see below), that was not the situation. On 15/04/2019 14:09, Man Ho wrote: I don't think that it's trivial for a less-skilled user to obtain the CSR of the "DigiCert Global Root G2" certificate and paste it in the request of another certificate, right? On 15-Apr-19 6:57 PM,

Re: Arabtec Holding public key? [Weird Digicert issued cert]

2019-04-15 Thread Man Ho via dev-security-policy
I don't think that it's trivial for a less-skilled user to obtain the CSR of the "DigiCert Global Root G2" certificate and paste it in the request of another certificate, right? On 15-Apr-19 6:57 PM, Jakob Bohm via dev-security-policy wrote: > Thanks for the explanation. > > Is it possible that a

Re: Arabtec Holding public key? [Weird Digicert issued cert]

2019-04-15 Thread Jakob Bohm via dev-security-policy
Thanks for the explanation. Is it possible that a significant percentage of less-skilled users simply pasted in the wrong certificates by mistake, then wondered why their new certificates never worked? Pasting in the wrong certificate from an installed certificate chain or semi-related support