Re: Logotype extensions

2019-06-17 Thread Corey Bonnell via dev-security-policy
On Friday, June 14, 2019 at 1:31:12 PM UTC-4, kirkhal...@gmail.com wrote:
> CAs already have rules allowing a Parent, Subsidiary, or Affiliate (all 
> defined terms) to obtain certs for domains owned by each other - so 
> Alphabet-Google, for example, can get certs for domains owned by each other.  
> So we would use the same rules to make certain the registered trademark owner 
> is a Parent, Subsidiary, or Affiliate of the EV cert Subject - we would use 
> information from the SEC or other government securities agencies (including 
> public filings), and/or other third party data that we have used for the past 
> 10 years to prove affiliation.  Also, remember, we only do trademark 
> registration validation after we have completed EV validation, so we know who 
> our certificate customer is.  Many companies put their IP assets in an 
> affiliated company for tax reasons - it should not be difficult to prove 
> affiliation.  If we can't prove it, the logo will not go into the EV cert.

Section 11 of the EV Guidelines has specific language for all cases where 
information for Parent/Subsidiary/Affiliate companies can be used for 
validation. Given that validation for trademarks/Logotype extensions is not 
specified anywhere in the BRs or EV Guidelines, there is no such language 
allowing the use of trademark data obtained from PSA companies in certificates.

Additionally, as Ryan alluded to, it is reasonable to interpret the definition 
of Subject Identity Information to also encompass any certificate extensions 
which contain identity information about the Subject. Given this, I believe 
that EV Guidelines section 9.2.9 is applicable as the intent of that section is 
clear: no identity information can be included in an EV certificate unless the 
steps for validation and encoding are thoroughly specified in the EV 
Guidelines. To assert otherwise is to assert that well-defined, rigorous 
validation steps are not needed for EV certificates.

Thanks,
Corey
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


CCADB CA Task List on Homepage

2019-06-17 Thread Kathleen Wilson via dev-security-policy

For those of you with access to the CCADB...

There is now a CCADB CA Task list on your homepage. This gets updated 
every time you go to your CCADB homepage, either upon login, or by 
clicking on the 'Home' tab.


Here is an example of what it looks like.
~~
Summary (Click on the arrows to see the details)
Root Certs with Outdated Audit Statements: 1
Intermediate Certs with Outdated Audit Statements: 2
Intermediate Certs with no audit information provided: 3
Intermediate Certs with no CP/CPS information provided: 4
Contacts who may be obsolete: 1

-> Provide updated Audit Statements for these Root Certs
 Instructions: Create an Audit Case to submit updated audits for root 
certs, as described here: https://ccadb.org/cas/updates



-> Provide updated Audit Statements for these Intermediate Certs
 Instructions: Directly edit each intermediate cert record to provide 
updated audit information.



-> Provide Audit Information for these Intermediate Certs
 Instructions: Directly edit each intermediate cert record to provide 
audit information or select the "Audits Same as Parent" box.



-> Provide Audit Information for these Intermediate Certs
 Instructions: Directly edit each intermediate cert record to provide 
CP/CPS information or select the "CP/CPS Same as Parent" box.



-> Determine which of these Contacts are Obsolete
 Instructions: Send email to supp...@ccadb.org to indicate obsolete 
users who no longer need access to the CCADB.


~~

When everything is zero, it looks like the following. Detailed 
sub-sections are only shown when non-zero.

~~
Summary
Root Certs with Outdated Audit Statements: 0
Intermediate Certs with Outdated Audit Statements: 0
Intermediate Certs with no audit information provided: 0
Intermediate Certs with no CP/CPS information provided: 0
Contacts who may be obsolete: 0
~~


Please check it out, and let me know if you have any questions or 
feedback about it.


Thanks,
Kathleen