Re: Remove old WoSign root certs from NSS

2017-08-03 Thread Kathleen Wilson via dev-security-policy
On Monday, July 10, 2017 at 12:47:31 PM UTC-7, Kathleen Wilson wrote: > I also think we should remove the old WoSign root certs from NSS. > > Reference: > https://wiki.mozilla.org/CA/Additional_Trust_Changes#WoSign > ~~ > Mozilla currently recommends not trusting any certificates issued by this CA

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Kathleen Wilson via dev-security-policy
On Thursday, August 3, 2017 at 9:49:41 AM UTC-7, Jonathan Rudenberg wrote: > Even absent the BR-violating certificates and disclosure timeline, I believe > this cross-sign is problematic because it appears to circumvent the > prerequisites and process described in > https://bugzilla.mozilla.org/

Re: StartCom cross-signs disclosed by Certinomis

2017-08-03 Thread Kathleen Wilson via dev-security-policy
All, I have conflicting opinions about this situation: On the one hand, I want to see better behavior, and am inclined to add these two intermediate certs to OneCRL, and tell StartCom and Certinomis to start over and do things right. On the other hand, I'm not convinced yet that the issued no

Re: StartCom cross-signs disclosed by Certinomis

2017-08-02 Thread Kathleen Wilson via dev-security-policy
Jonathan, Thank you for bringing this to our attention. I have filed two bugs... 1) https://bugzilla.mozilla.org/show_bug.cgi?id=1386891 Certinomis: Cross-signing of StartCom intermediate certs, and delay in reporting it in CCADB 2) https://bugzilla.mozilla.org/show_bug.cgi?id=1386894 Add "Star

Re: DigiCert-Symantec Announcement

2017-08-02 Thread Kathleen Wilson via dev-security-policy
On Wednesday, August 2, 2017 at 2:13:40 PM UTC-7, Jeremy Rowley wrote: > Today, DigiCert and Symantec announced that DigiCert is acquiring the > Symantec CA assets, including the infrastructure, personnel, roots, and > platforms. At the same time, DigiCert signed a Sub CA agreement wherein we > wi

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2017-07-20 Thread Kathleen Wilson via dev-security-policy
Thanks to all of you who reviewed and commented on this request from Guangdong Certificate Authority (GDCA) to include the GDCA TrustAUTH R5 ROOT certificate, turn on the Websites trust bit, and enable EV treatment. I believe that all of the concerns that were raised in this discussion have b

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2017-07-18 Thread Kathleen Wilson via dev-security-policy
The updated documents are also posted on the CA's website: https://www.gdca.com.cn/customer_service/knowledge_universe/cp_cps/ Current audit statements are here: WebTrust CA: https://cert.webtrust.org/ViewSeal?id=2231 WebTrust BR: https://cert.webtrust.org/ViewSeal?id=2232 WebTrust EV SSL: https:/

Re: Audit Reminder Email Summary

2017-07-18 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of July 2017 Audit Reminder Emails Date: Tue, 18 Jul 2017 19:00:05 + (GMT) Mozilla: Audit Reminder Root Certificates: LuxTrust Global Root 2 Standard Audit: https://bugzilla.mozilla.org/attachment.cgi?id=8777887 Audit Statement Date: 2

Re: Remove old CNNIC root certs from NSS

2017-07-13 Thread Kathleen Wilson via dev-security-policy
On Monday, July 10, 2017 at 12:44:02 PM UTC-7, Kathleen Wilson wrote: > All, > > I think we should remove the two old CNNIC root certificates from NSS that > are not trusted for cert issuance after April 2015. > > Reference: > https://wiki.mozilla.org/CA/Additional_Trust_Changes#CNNIC > "Mozill

Remove old StartCom root certs from NSS

2017-07-10 Thread Kathleen Wilson via dev-security-policy
And I think we should remove the old StartCom root certs from NSS. Reference: https://wiki.mozilla.org/CA/Additional_Trust_Changes#StartCom ~~ Mozilla currently recommends not trusting any certificates issued by this CA after October 21st, 2016. That recommendation covers the following roots:

Remove old WoSign root certs from NSS

2017-07-10 Thread Kathleen Wilson via dev-security-policy
I also think we should remove the old WoSign root certs from NSS. Reference: https://wiki.mozilla.org/CA/Additional_Trust_Changes#WoSign ~~ Mozilla currently recommends not trusting any certificates issued by this CA after October 21st, 2016. That recommendation covers the following roots: C

Remove old CNNIC root certs from NSS

2017-07-10 Thread Kathleen Wilson via dev-security-policy
All, I think we should remove the two old CNNIC root certificates from NSS that are not trusted for cert issuance after April 2015. Reference: https://wiki.mozilla.org/CA/Additional_Trust_Changes#CNNIC "Mozilla currently recommends not trusting any certificates issued by this CA after 1st Apri

Auditor Qualifications

2017-06-26 Thread Kathleen Wilson via dev-security-policy
All, We've added new Auditor objects to the Common CA Database. Previously auditor information was just in text fields, and the same auditor could be represented different ways. Now we will have a master list of auditors that CAs can select from when entering their Audit Cases to provide their

Re: Audit Reminder Email Summary

2017-06-20 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of June 2017 Audit Reminder Emails Date: Tue, 20 Jun 2017 19:00:06 + (GMT) Mozilla: Audit Reminder Root Certificates: Atos TrustedRoot 2011 Standard Audit: https://www.mydqs.com/kunden/kundendatenbank.html?aoemydqs%5BrequestId%5D=europev

Re: ETSI auditors still not performing full annual audits?

2017-06-19 Thread Kathleen Wilson via dev-security-policy
On Monday, June 19, 2017 at 12:21:46 PM UTC-7, Peter Bowen wrote: > It seems there is some confusion. The document presented would appear > to be a Verified Accountant Letter (as defined in the EV Guidelines) > and can be used as part of the process to validate a request for an EV > certificate. It i

ETSI auditors still not performing full annual audits?

2017-06-19 Thread Kathleen Wilson via dev-security-policy
I just filed https://bugzilla.mozilla.org/show_bug.cgi?id=1374381 about an audit statement that I received for SwissSign. I have copied the bug description below, because I am concerned that there still may be ETSI auditors (and CAs?) who do not understand the audit requirements, see below. ~~~

Re: Taiwan GRCA Root Renewal Request

2017-06-01 Thread Kathleen Wilson via dev-security-policy
On Friday, May 26, 2017 at 9:32:57 AM UTC-7, Kathleen Wilson wrote: > On Wednesday, March 15, 2017 at 5:01:13 PM UTC-7, Kathleen Wilson wrote: > All, > > I requested that this CA perform a BR Self Assessment, and they have attached > their completed BR Self Assessment to the bug here: > https://

Re: CA report with CAA and Problem Reporting info

2017-05-26 Thread Kathleen Wilson via dev-security-policy
On Friday, May 26, 2017 at 2:50:16 AM UTC-7, Gervase Markham wrote: > On 26/05/17 01:01, Kathleen Wilson wrote: > > Known problems: - Some CAs did not provide their CAA (Certification > > Authority Authorization) information correctly, so that column is > > empty for them. Note that some CAs do not

Re: Taiwan GRCA Root Renewal Request

2017-05-26 Thread Kathleen Wilson via dev-security-policy
On Wednesday, March 15, 2017 at 5:01:13 PM UTC-7, Kathleen Wilson wrote: > > So, if there are no further questions or comments about this CA's request, > then I will close this discussion and recommend approval in the bug. > All, I requested that this CA perform a BR Self Assessment, and the

CA report with CAA and Problem Reporting info

2017-05-25 Thread Kathleen Wilson via dev-security-policy
All, We have added the following two reports to https://wiki.mozilla.org/CA/Included_Certificates 1) CAs with Included Certificates https://ccadb-public.secure.force.com/mozilla/CAInformationReport 2) CAs with Included Certificates (CSV) https://ccadb-public.secure.force.com/mozilla/CAInformati

Re: DRAFT: Notice to CAs about CCADB changes May 19-21

2017-05-24 Thread Kathleen Wilson via dev-security-policy
I've been receiving questions about this update, so hopefully the following will clarify... CAs now login to the CCADB at this URL: https://ccadb.force.com There is no login required to view the public-facing reports and the responses to the CA Communications. The links to those have been upda

Sandbox: Mozilla: Audit Reminder

2017-05-22 Thread Kathleen Wilson via dev-security-policy
CAs, I was testing some changes in my CCADB Sandbox, and accidentally sent out audit reminder email from it. So, if you get an email with the subject "Sandbox: Mozilla: Audit Reminder" you can ignore it. It's likely a duplicate of the email you received last Tuesday. I apologize for the spam.

Re: DRAFT: Notice to CAs about CCADB changes May 19-21

2017-05-19 Thread Kathleen Wilson via dev-security-policy
On Thursday, May 18, 2017 at 10:08:32 AM UTC-7, Kathleen Wilson wrote: > > On May 19 the following three breaking changes are planned, meaning that the > old URLs will no longer work. Any links or bookmarks to these URLs will need > to be updated. ... > > 1) The CA login page and the domain CAs

Re: Google Plan for Symantec posted

2017-05-19 Thread Kathleen Wilson via dev-security-policy
On Friday, May 19, 2017 at 8:42:40 AM UTC-7, Gervase Markham wrote: > > I have passed that document to Kathleen, and I hope she will be > endorsing this general direction soon, at which point it will no longer > be a draft. > > Assuming she does, this will effectively turn into a 3-way conversati

Re: DRAFT: Notice to CAs about CCADB changes May 19-21

2017-05-18 Thread Kathleen Wilson via dev-security-policy
On Thursday, May 18, 2017 at 10:08:32 AM UTC-7, Kathleen Wilson wrote: > All, > > Below is the draft email that I plan to send later today, after we have final > confirmation from Salesforce regarding these proposed changes. > We received confirmation from Salesforce that these changes to the U

DRAFT: Notice to CAs about CCADB changes May 19-21

2017-05-18 Thread Kathleen Wilson via dev-security-policy
All, Below is the draft email that I plan to send later today, after we have final confirmation from Salesforce regarding these proposed changes. I will appreciate your feedback on this. Thanks, Kathleen Subject: Common CA Database (CCADB) changes May 19-21, 2017 Dear Certification

Re: Audit Reminder Email Summary

2017-05-16 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of May 2017 Audit Reminder Emails Date: Tue, 16 May 2017 19:00:29 + (GMT) Mozilla: Audit Reminder Root Certificates: Autoridad de Certificacion Firmaprofesional CIF A62634068 Standard Audit: https://cert.webtrust.org/SealFile?seal=2032&fi

Re: Changing CCADB domains

2017-05-15 Thread Kathleen Wilson via dev-security-policy
Here are the changes we are requesting to be made on Friday, May 19, at 1pm PDT. 1) https://mozillacacommunity.force.com/ will be changed to https://ccadb.force.com/ (This is the CA login page, and the domain CAs see when they are logged into the CCADB) 2) https://mozillacaprogram.secure.force.c

Re: Symantec: Update

2017-05-09 Thread Kathleen Wilson via dev-security-policy
On Tuesday, May 9, 2017 at 10:03:53 AM UTC-7, Kurt Roeckx wrote: > > Do we somewhere have the official templates being used to send > reminders of the audit requirements? Unofficial templates: https://wiki.mozilla.org/CA:Email_templates The official templates are in Salesforce, but currently m

Re: Changing CCADB domains

2017-05-04 Thread Kathleen Wilson via dev-security-policy
On Wednesday, May 3, 2017 at 1:21:29 PM UTC-7, Nick Lamb wrote: > If you believe there are, or are likely to be, CAs trying to fill out the > survey a bit late, it may make sense to wait for that before triggering this > change, so as to avoid the (it seems almost inevitable) response that they

Updating Root Program wiki pages

2017-05-04 Thread Kathleen Wilson via dev-security-policy
All, Gerv is leading the effort to clean up Mozilla's Root Store related wiki pages. The contents of https://wiki.mozilla.org/CA:Overview have been moved to https://wiki.mozilla.org/CA and cleaned up. The previous contents of https://wiki.mozilla.org/CA have been moved to https://wiki.mozilla.

Changing CCADB domains

2017-05-03 Thread Kathleen Wilson via dev-security-policy
All, I think it is time for us to change the domains that we are using for the CCADB as follows. Change the links for... 1) CAs to login to the CCADB from https://mozillacacommunity.force.com/ to https://ccadb.force.com/ 2) all published reports from https://mozillacaprogram.secure.force.com/

Expanding Aaron Wu's role in CA Program

2017-04-26 Thread Kathleen Wilson via dev-security-policy
All, As many of you know, Aaron Wu has been doing the Information Verification[1] for root inclusion/update requests, has helped me organize the CA Program Bugzilla Bugs[2], and continues to expand in his role in helping with Mozilla's CA Certificates Module[3]. I have asked Aaron to begin op

Re: Updating Bugzilla Product/Component groups for CA Program Bugs

2017-04-26 Thread Kathleen Wilson via dev-security-policy
The Bugzilla Product/Components for CA Program bugs have been changed. All of the CA Program bugs are now in the NSS Product group in Bugzilla. The NSS Product group in Bugzilla now has the following Components: Build CA Certificate Mis-Issuance CA Certificate Root Program CA Certificates Code Do

Responses to April 2017 CA Communication

2017-04-26 Thread Kathleen Wilson via dev-security-policy
All, The responses to Mozilla's April 2017 CA Communication are being published here: https://wiki.mozilla.org/CA:Communications#April_2017_Responses Reminder: I have postponed the response deadline to May 5, and I made a note of that here: https://wiki.mozilla.org/CA:Communications#April_2017

Updating Bugzilla Product/Component groups for CA Program Bugs

2017-04-24 Thread Kathleen Wilson via dev-security-policy
All, This is just for informational purposes... I have filed Bug #1359112 to update the Bugzilla Product/Components for the CA Program Bugs. The bug asks: ~~ Current Product: NSS Current Component Name: CA Certificates change to Product: NSS Component Name: CA Certificate Code Current Product

Re: DRAFT - BR Self Assessments

2017-04-24 Thread Kathleen Wilson via dev-security-policy
On Saturday, April 22, 2017 at 5:25:35 AM UTC-7, wangs...@gmail.com wrote: > We have a question about completing the BR self assessment,  > is it necessary that all the BRs requirements appear in  > relevant sections of the CP/CPS?  It is OK if the information is in different sections in the CP/CP

Re: Extend deadline for April 2017 CA Communication?

2017-04-24 Thread Kathleen Wilson via dev-security-policy
I added a note about the extension to May 5 to https://wiki.mozilla.org/CA:Communications#April_2017 Cheers, Kathleen ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy

Re: Extend deadline for April 2017 CA Communication?

2017-04-21 Thread Kathleen Wilson via dev-security-policy
> might be able to capture freeform text (perhaps unattributed) as to why Sure, below is a summary in my own words of why CAs are asking for an extension. Note that the April 2017 survey has many more action items than previous CA Communications, so I think it is reasonable that CAs might need

Extend deadline for April 2017 CA Communication?

2017-04-21 Thread Kathleen Wilson via dev-security-policy
All, I've been receiving requests from CAs for an extension to when they need to respond to the April 2017 CA Communication. https://wiki.mozilla.org/CA:Communications#April_2017 "To respond to this survey, login to the Common CA Database (CCADB), click on the 'CA Communications (Page)' tab, an

Common CA Database updated with new logos

2017-04-18 Thread Kathleen Wilson via dev-security-policy
All, The Common CA Database has been updated with the new CCADB logos. This means that when you go to login to the CA Community, at https://mozillacacommunity.force.com you will see the full "Common CA Database" logo. (before it just had the old "mozilla" logo). And when you are logged into the

Re: Audit Reminder Email Summary

2017-04-18 Thread Kathleen Wilson via dev-security-policy
Below is a summary of the audit reminder email that was sent today. CA annual updates and audit statements should be provided via the CCADB, as described here: https://wiki.mozilla.org/CA:CommonCADatabase#How_To_Provide_Annual_Updates Please note that I have not caught up from my vacation, and t

Re: Next CA Communication

2017-04-04 Thread Kathleen Wilson via dev-security-policy
On Tuesday, April 4, 2017 at 10:38:28 AM UTC-7, Kathleen Wilson wrote: > > The email has been sent, and the survey is open. > Published a security blog about it: https://blog.mozilla.org/security/2017/04/04/mozilla-releases-version-2-4-ca-certificate-policy/ Cheers, Kathleen

Re: Next CA Communication

2017-04-04 Thread Kathleen Wilson via dev-security-policy
On Monday, April 3, 2017 at 2:21:14 PM UTC-7, Kathleen Wilson wrote: > All, > > I'm getting ready to send the April 2017 CA Communication email. > > I updated the wiki page to have the survey introduction text, and a > (read-only) link to the full survey: > https://wiki.mozilla.org/CA:Communicat

Re: Next CA Communication

2017-04-03 Thread Kathleen Wilson via dev-security-policy
All, I'm getting ready to send the April 2017 CA Communication email. I updated the wiki page to have the survey introduction text, and a (read-only) link to the full survey: https://wiki.mozilla.org/CA:Communications#April_2017 The survey in the Common CA Database is now open, with an expirati

Re: Next CA Communication

2017-04-03 Thread Kathleen Wilson via dev-security-policy
On Monday, April 3, 2017 at 10:13:22 AM UTC-7, Kathleen Wilson wrote: > https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ > still shows version 2.4. It's been updated to version 2.4.1. Thanks, Kathleen

Re: Automated email reminders about intermediate certs missing audit or CP/CPS

2017-04-03 Thread Kathleen Wilson via dev-security-policy
Here's a summary of the automated email that was sent yesterday. Forwarded Message Subject: Summary of April 2017 Audit Reminder Emails For Intermediate Certs Date: Sun, 2 Apr 2017 14:00:47 + (GMT) From: Mozilla CA Program Manager Need Audit or CP/CPS for Intermediate C

Re: DRAFT - BR Self Assessments

2017-04-03 Thread Kathleen Wilson via dev-security-policy
I updated https://wiki.mozilla.org/CA:BRs-Self-Assessment to add a section called 'Annual BR Self Assessment', which states: "CAs with included root certificates that have the Websites trust bit set must do an annual self-assessment of their compliance with the BRs, and must update their CP and

Re: Next CA Communication

2017-04-03 Thread Kathleen Wilson via dev-security-policy
On Saturday, April 1, 2017 at 3:59:28 AM UTC-7, Gervase Markham wrote: > On 31/03/17 22:20, Kathleen Wilson wrote: > > Please let me know asap if you see any problems, typos, etc. in this > > version. > > Now that policy 2.4.1 has been published, we should update Action 3 to > say the following at

Re: Next CA Communication

2017-03-31 Thread Kathleen Wilson via dev-security-policy
I have moved the draft of the April 2017 CA Communication to production, so the link has changed to: https://mozillacaprogram.secure.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a05o03WrzBC It is also available here: https://wiki.mozilla.org/CA:Communications#April_

Re: Automated email reminders about intermediate certs missing audit or CP/CPS

2017-03-30 Thread Kathleen Wilson via dev-security-policy
On Thursday, March 30, 2017 at 10:35:37 AM UTC-7, Kathleen Wilson wrote: > Within the next few days, we plan to start sending automated email reminders > to CAs about their intermediate cert records in the Common CA Database that > are missing audit or CP/CPS information. > > The email template

Automated email reminders about intermediate certs missing audit or CP/CPS

2017-03-30 Thread Kathleen Wilson via dev-security-policy
All, Within the next few days, we plan to start sending automated email reminders to CAs about their intermediate cert records in the Common CA Database that are missing audit or CP/CPS information. The email template is here: https://wiki.mozilla.org/CA:Email_templates#Disclosure_Incomplete_Em

Re: DRAFT - BR Self Assessments

2017-03-29 Thread Kathleen Wilson via dev-security-policy
On Wednesday, March 29, 2017 at 2:00:05 PM UTC-7, Jeremy Rowley wrote: > ... > An extension on this could be to have CAs annually file an updated mapping > with their WebTrust audit. That way it's a reminder that the CA needs to > notify Mozilla of changes in their process and keeps the CAs thinkin

DRAFT - BR Self Assessments

2017-03-29 Thread Kathleen Wilson via dev-security-policy
All, As mentioned in the GDCA discussion[1], I would like to add a step to Mozilla's CA Inclusion/Update Request Process[2] in which the CA performs a self-assessment about their compliance with the CA/Browser Forum's Baseline Requirements. A draft of this new step is here: https://wiki.mozill

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2017-03-29 Thread Kathleen Wilson via dev-security-policy
All, This request is to include the "GDCA TrustAUTH R5 ROOT" certificate, turn on the Websites trust bit, and enable EV treatment. In order to help get this discussion moving again, I asked GDCA to provide a side-by-side comparison of the latest version of the BRs with their CP/CPS documents.

Re: Next CA Communication

2017-03-24 Thread Kathleen Wilson via dev-security-policy
On Friday, March 24, 2017 at 3:11:17 AM UTC-7, Gervase Markham wrote: > On 23/03/17 23:07, Kathleen Wilson wrote: > > Second paragraph of Action 1 now says: ~~ Note that version 1.4.2 of > > the BRs does not contain all 10 of these methods, but it does contain > > section 3.2.2.4.11, "Other Methods

Re: Next CA Communication

2017-03-23 Thread Kathleen Wilson via dev-security-policy
On Tuesday, March 21, 2017 at 11:34:30 AM UTC-7, Gervase Markham wrote: > On 21/03/17 10:16, Gervase Markham wrote: > > On 17/03/17 11:30, Gervase Markham wrote: > >> The URL for the draft of the next CA Communication is here: > >> https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACo

Re: Next CA Communication

2017-03-23 Thread Kathleen Wilson via dev-security-policy
On Tuesday, March 21, 2017 at 7:17:26 AM UTC-7, Gervase Markham wrote: > On 17/03/17 11:30, Gervase Markham wrote: > > The URL for the draft of the next CA Communication is here: > > https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00

Re: Next CA Communication

2017-03-23 Thread Kathleen Wilson via dev-security-policy
On Tuesday, March 21, 2017 at 5:51:29 AM UTC-7, Kurt Roeckx wrote: > On 2017-03-21 12:51, Jakob Bohm wrote: > > On 21/03/2017 10:09, Kurt Roeckx wrote: > >> Action 6 says: I've updated action #6, but it still might not be clear. Here's the new draft: ACTION 6: QUALIFIED AUDIT STATEMENTS When an

Re: Audit Reminder Email Summary

2017-03-21 Thread Kathleen Wilson via dev-security-policy
Here's a summary of the audit reminder email that was sent today. Note that the email now tells CAs to provide their annual updates via the Common CA Database, as follows. "Please provide your annual updates via the Common CA Database (CCADB), as described here: https://wiki.mozilla.org/CA:Comm

Re: Next CA Communication

2017-03-20 Thread Kathleen Wilson via dev-security-policy
On Monday, March 20, 2017 at 2:43:22 PM UTC-7, Gervase Markham wrote: > On 20/03/17 15:33, Kathleen Wilson wrote: > >> * Action 7: some of the BR Compliance bugs relate to CAs which are no > >> longer trusted, like StartCom. If StartCom does become a trusted CA > >> again, it will be with new syste

Re: Next CA Communication

2017-03-20 Thread Kathleen Wilson via dev-security-policy
On Monday, March 20, 2017 at 1:37:32 PM UTC-7, Jeremy Rowley wrote: > Something like: "Does your CA have any third-party Registration Authority > (RA)s program that the CA relies on to perform the domain validation > required under Section 3.2.2.4 of the Baseline Requirements." Updated

Re: Next CA Communication

2017-03-20 Thread Kathleen Wilson via dev-security-policy
On Monday, March 20, 2017 at 10:59:41 AM UTC-7, Peter Bowen wrote: > On Mon, Mar 20, 2017 at 10:43 AM, Jeremy Rowley via > > [JR] This should be limited to SSL certs IMO. With client certs, you're > > going > > to get a lot more RAs that likely function under the standard or legal > > framework de

Re: Next CA Communication

2017-03-20 Thread Kathleen Wilson via dev-security-policy
On Monday, March 20, 2017 at 9:50:38 AM UTC-7, Gervase Markham wrote: > On 17/03/17 15:30, Gervase Markham wrote: > > The URL for the draft of the next CA Communication is here: > > https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S000

Re: Next CA Communication

2017-03-20 Thread Kathleen Wilson via dev-security-policy
On Friday, March 17, 2017 at 9:17:07 AM UTC-7, Peter Bowen wrote: > I would replace this with: > > + Distinguished name and SHA-256 hash of the SubjectPublicKeyInfo of > each certificate issuer covered by the audit scope > + Clear indication of which in-scope certificate issuers are Root CAs >

Re: Include Renewed Kamu SM root certificate

2017-03-16 Thread Kathleen Wilson via dev-security-policy
On Wednesday, March 15, 2017 at 9:56:25 AM UTC-7, Kathleen Wilson wrote: > Thanks to those of you who have reviewed and commented on this request from > the Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM), to include > the "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" root certificat

Re: Taiwan GRCA Root Renewal Request

2017-03-15 Thread Kathleen Wilson via dev-security-policy
All, My apologies for taking so long to get back to this discussion about the Government of Taiwan's (GRCA's) request to include their Government Root Certification Authority root certificate, and turn on the Websites and Email trust bits. Note that GRCA has suggested that this root be constr

Re: Include Renewed Kamu SM root certificate

2017-03-15 Thread Kathleen Wilson via dev-security-policy
Thanks to those of you who have reviewed and commented on this request from the Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM), to include the "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" root certificate, and enable the Websites trust bit. I believe that all of the questions and

Re: Include Additional D-TRUST root certificate

2017-03-09 Thread Kathleen Wilson via dev-security-policy
Thank you to those of you who have reviewed this request, and to those of you who have participated in this discussion. I am now closing this discussion, and I will update the bug to recommend approval of this request from D-TRUST to include the D-TRUST Root CA 3 2013 root certificate and enabl

Re: Include Renewed Kamu SM root certificate

2017-03-07 Thread Kathleen Wilson via dev-security-policy
Thank you Andrew and Ryan for your feedback on this request to include the "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" root certificate, and enable the Websites trust bit. Note that the new SHA-256 root certificate will replace the SHA1 “TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürü

Re: Include Additional D-TRUST root certificate

2017-03-03 Thread Kathleen Wilson via dev-security-policy
On Wednesday, December 21, 2016 at 11:03:18 AM UTC-8, Kathleen Wilson wrote: > This request from D-TRUST is to include the ‘D-TRUST Root CA 3 2013’ root > certificate and enable the Email trust bit. > > D-TRUST GmbH is a subsidiary of Bundesdruckerei GmbH and is fully owned by > the German Sta

Re: Audit Reminder Email Summary

2017-02-23 Thread Kathleen Wilson via dev-security-policy
Forwarded Message Subject: Summary of February 2017 Audit Reminder Emails Date: Tue, 21 Feb 2017 20:00:51 + (GMT) Mozilla: Audit Reminder Root Certificates: ISRG Root X1 Standard Audit: https://cert.webtrust.org/SealFile?seal=1987&file=pdf Audit Statement Date: 2015-12-15
