Re: CAs not compliant with CAA CP/CPS requirement

2017-09-21 Thread richmoore44--- via dev-security-policy
On Thursday, September 21, 2017 at 10:13:56 AM UTC+1, Rob Stradling wrote:
> Our CPS has now been updated.

Will you be ensuring that CAs like Gandi who are chaining back to your roots 
also update their CPS?

Regards

Rich.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: CAs not compliant with CAA CP/CPS requirement

2017-09-15 Thread richmoore44--- via dev-security-policy
I suspect many smaller CAs are non-compliant too; for example, Gandi's CPS 
hasn't changed since 2009 according to its changelog.

https://www.gandi.net/static/docs/en/gandi-certification-practice-statement.pdf

Cheers

Rich.


Re: Responding to a misissuance

2017-08-18 Thread richmoore44--- via dev-security-policy
Perhaps some explicit statements about sub-CAs would be helpful - detailing 
where responsibility lies and how a CA is required to deal with a sub-CA who is 
found to have misissued.


Re: New undisclosed intermediates

2017-06-08 Thread richmoore44--- via dev-security-policy
This one is interesting since the domain name of the CRL resolves to an RFC 
1918 IP address. Surely that is a violation of the baseline requirements.

https://crt.sh/?sha256=b82210cde9ddea0e14be29af647e4b32f96ed2a9ef1aa5baa9cc64b38b6c01ca

Regards

Rich.


On Thursday, June 8, 2017 at 12:45:25 AM UTC+1, Jonathan Rudenberg wrote:
> > On Jun 5, 2017, at 09:29, Alex Gaynor via dev-security-policy wrote:
> > 
> > Happy Monday!
> > 
> > Another week, another set of intermediate certs that have shown up in CT
> > without having been properly disclosed:
> > https://crt.sh/mozilla-disclosures#undisclosed
> 
> Yet another batch of undisclosed intermediates has shown up in CT:
> 
> - https://crt.sh/?sha256=f01c1aca392882af152e9f01ecccd0afddd8aa35bf895b003198b1e8c752ddb8
> - https://crt.sh/?sha256=29d8ac29f9007a6ad7923fdade32ef814ba3c6751551cf765416e8dbd8ff7619
> - https://crt.sh/?sha256=c02739e63880368967bb27fedf0a5749aeaf62a2328c09a7a33e876b4f27adca
> - https://crt.sh/?sha256=b82210cde9ddea0e14be29af647e4b32f96ed2a9ef1aa5baa9cc64b38b6c01ca
> - https://crt.sh/?sha256=8e8c6ebf77dc73db3e38e93f4803e62b6b5933beb51ee4152f68d7aa14426b31
> - https://crt.sh/?sha256=48db8801874e0e36b1b864603b31648b74e2322a8f9e4967a8f54bd1b8f594de
> - https://crt.sh/?sha256=1bc400808ab07b775c811c631d75ab38fe7be7df6967f5b384bfe8dc9ef807c6
> - https://crt.sh/?sha256=f1f072c64d69e573725533e83a601bb8b068f6699e59ba70eda2aecb28e06bfb



Re: Draft further questions for Symantec

2017-05-08 Thread richmoore44--- via dev-security-policy
On Monday, May 8, 2017 at 1:24:28 PM UTC+1, Gervase Markham wrote:
> I think it might be appropriate to have a further round of questions to
> Symantec from Mozilla, to try and get some clarity on some outstanding
> and concerning issues. Here are some _proposed_ questions; feel free to
> suggest modifications or other questions, and I will decide what to send
> officially to Symantec in a few days. Please focus on formulating
> questions which would have an effect on Mozilla's view of Symantec or
> our response to the recent issues.

How about adding a catch-all:

Are you aware of any information that might have an effect on Mozilla's view of 
Symantec, our response to the recent issues or of any further issues that 
have not been disclosed to us so far?

Cheers

Rich.
