Re: Policy 2.7 Proposal: Exclude Policy Certification Authorities from EKU Requirement

2019-04-30 Ryan Sleevi via dev-security-policy
On Tue, Apr 30, 2019 at 1:10 PM Fotis Loukos wrote: > I am just arguing that there is no risk involved in having a single > certificate. I do agree that the model you proposed with the two > certificates is a model that can be used right now, but I do not see any > additional risks by having a

Re: Policy 2.7 Proposal: Exclude Policy Certification Authorities from EKU Requirement

2019-04-30 Fotis Loukos via dev-security-policy
Hello, On 30/4/19 6:59 μ.μ., Ryan Sleevi via dev-security-policy wrote: > On Tue, Apr 30, 2019 at 11:49 AM Fotis Loukos wrote: > >> On 30/4/19 6:34 μ.μ., Ryan Sleevi via dev-security-policy wrote: >>> On Tue, Apr 30, 2019 at 8:51 AM Fotis Loukos wrote: >>> Hello Ryan, On 29/4/19

Re: Policy 2.7 Proposal: Exclude Policy Certification Authorities from EKU Requirement

2019-04-30 Ryan Sleevi via dev-security-policy
On Tue, Apr 30, 2019 at 11:49 AM Fotis Loukos wrote: > On 30/4/19 6:34 μ.μ., Ryan Sleevi via dev-security-policy wrote: > > On Tue, Apr 30, 2019 at 8:51 AM Fotis Loukos wrote: > > > >> Hello Ryan, > >> > >> On 29/4/19 5:20 μ.μ., Ryan Sleevi via dev-security-policy wrote: > >>> On Fri, Apr 26,

Re: Policy 2.7 Proposal: Exclude Policy Certification Authorities from EKU Requirement

2019-04-30 Fotis Loukos via dev-security-policy
On 30/4/19 6:34 μ.μ., Ryan Sleevi via dev-security-policy wrote: > On Tue, Apr 30, 2019 at 8:51 AM Fotis Loukos wrote: > >> Hello Ryan, >> >> On 29/4/19 5:20 μ.μ., Ryan Sleevi via dev-security-policy wrote: >>> On Fri, Apr 26, 2019 at 7:02 PM Wayne Thayer via dev-security-policy < >>>

Re: Policy 2.7 Proposal: Exclude Policy Certification Authorities from EKU Requirement

2019-04-30 Ryan Sleevi via dev-security-policy
On Tue, Apr 30, 2019 at 8:51 AM Fotis Loukos wrote: > Hello Ryan, > > On 29/4/19 5:20 μ.μ., Ryan Sleevi via dev-security-policy wrote: > > On Fri, Apr 26, 2019 at 7:02 PM Wayne Thayer via dev-security-policy < > > dev-security-policy@lists.mozilla.org> wrote: > > > >> In version 2.6 of our Root

RE: AT SSL certificates without the AIA extension

2019-04-30 Doug Beattie via dev-security-policy
Hi Nick, That's a good idea if we were going to continue with supporting customers like this; however, we're in the final stages of terminating all customers running on-premise SSL CAs. Given the timing, setting up private CT logs wouldn't help because that would undoubtedly take longer than

Re: Policy 2.7 Proposal: Exclude Policy Certification Authorities from EKU Requirement

2019-04-30 Fotis Loukos via dev-security-policy
Hello Ryan, On 29/4/19 5:20 μ.μ., Ryan Sleevi via dev-security-policy wrote: > On Fri, Apr 26, 2019 at 7:02 PM Wayne Thayer via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> In version 2.6 of our Root Store Policy, we added the requirement to >> section 5.3 that

Re: Policy 2.7 Proposal: Exclude Policy Certification Authorities from EKU Requirement

2019-04-30 Fotis Loukos via dev-security-policy
Hello, On 27/4/19 2:02 π.μ., Wayne Thayer via dev-security-policy wrote: > In version 2.6 of our Root Store Policy, we added the requirement to > section 5.3 that intermediate certificates contain an EKU and separate > serverAuth and emailProtection uses. Version 2.6.1 updated the requirement >

Re: AT SSL certificates without the AIA extension

2019-04-30 Nick Lamb via dev-security-policy
On Mon, 29 Apr 2019 12:41:07 + Doug Beattie via dev-security-policy wrote: > It should be noted that these certificates are not posted to CT logs > nor are they accessed via browsers as they are used within closed > networks, but we'll get more details on their exact usage shortly. Hi Doug,