RE: Public Discussion of GlobalSign's CA Inclusion Request for R46, E46, R45 and E45 Roots

2021-02-12 Thread Arvid Vermote via dev-security-policy
Hi Nick, We attached an updated version of the affected certificate overview to the bug on February 10, which does contain the date of order and date of issuance. Thanks, Arvid > -Original Message- > From: dev-security-policy On > Behalf Of Nick Lamb via dev-security-policy > Sent:

Notice on SC31 and CAs using EJBCA

2020-09-18 Thread Arvid Vermote via dev-security-policy
During gap analysis and impact assessment of the changes to the BR in the context of SC31 - Browser Alignment, we noted that our legacy platform, using EJBCA as issuance backend, did not fully support the changes related to not including the "Unspecified" reason code in OCSP responses for the

RE: Verifying Auditor Qualifications

2020-07-20 Thread Arvid Vermote via dev-security-policy
ACAB'c is a group of a few eIDAS CABs working together for reasons; they do not represent all eIDAS CABs, nor do they have any recognized or official function within the eIDAS ecosystem. Can the ACAB'c member list be relied upon as being accurate and providing correct and latest

RE: SECURITY RELEVANT FOR CAs: The curious case of the Dangerous Delegated Responder Cert

2020-07-03 Thread Arvid Vermote via dev-security-policy
GlobalSign recognizes the reported security issue and associated risk, and is working on a plan to remediate the impacted CA hierarchies, with first priority on terminating those branches that include issuing CAs with private keys outside of GlobalSign's realm. We will soon share an initial plan on

RE: Verifying Auditor Qualifications

2020-06-04 Thread Arvid Vermote via dev-security-policy
Hi Kathleen, Related to the below, it would be helpful if the WebTrust organization would disclose additional details on the licensed WebTrust practitioners: right now there is no data publicly available on historical WebTrust auditor licensing. We don't know as of when an auditor has been

RE: GlobalSign: Failure to revoke certificate with compromised private key within 24 hours

2020-03-10 Thread Arvid Vermote via dev-security-policy
An incident report was created for this yesterday: https://bugzilla.mozilla.org/show_bug.cgi?id=1620922 > -Original Message- > From: dev-security-policy On > Behalf Of Matt Palmer via dev-security-policy > Sent: Tuesday, 10 March 2020 1:41 > To: dev-security-policy@lists.mozilla.org >

RE: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-03-04 Thread Arvid Vermote via dev-security-policy
When I initially raised the topic I had two things in mind:
- What if a facility can't be audited?
- If main key management facilities are down, can a WebPKI CA meet SSLBR 4.9.1.2?
As for the inability to audit, a few things come to mind based on the previously shared thoughts: -

Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-02-19 Thread Arvid Vermote via dev-security-policy
COVID-19 is going on and there currently is a quarantine of certain areas in China, and alert levels are also rising further in other (mainly East-Asian) countries. How will the root programs approach CA facilities with key material that are in a lockdown or in a territory that is not

RE: Policy 2.7 Proposal: Clarify Section 5.1 ECDSA Curve-Hash Requirements

2019-05-22 Thread Arvid Vermote via dev-security-policy
GlobalSign has revoked the respective certificates and is investigating the root cause. Thanks. > -Original Message- > From: dev-security-policy On > Behalf Of Ryan Sleevi via dev-security-policy > Sent: Tuesday, 21 May 2019 6:06 > To: Brian Smith > Cc: Ryan Sleevi ;

Re: SSL private key for *.alipcsec.com embedded in PC client executables

2018-12-11 Thread Arvid Vermote via dev-security-policy
Based on the information reported in this thread, GlobalSign has started the necessary activities to investigate this potential misuse. Arvid On Tuesday, December 11, 2018 at 8:24:43 AM UTC+1, Mark Steward wrote: > This time it's just hanging around in memory, no need to do anything > about the