Re: CAs not compliant with CAA CP/CPS requirement
On Thursday, September 21, 2017 at 10:13:56 AM UTC+1, Rob Stradling wrote:
> Our CPS has now been updated.

Will you be ensuring that CAs like Gandi who are chaining back to your roots also update their CPS?

Regards
Rich.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: CAs not compliant with CAA CP/CPS requirement
I suspect many smaller CAs are non-compliant too, for example Gandi's CPS hasn't changed since 2009 according to its changelog.

https://www.gandi.net/static/docs/en/gandi-certification-practice-statement.pdf

Cheers
Rich.
Re: Responding to a misissuance
Perhaps some explicit statements about sub-CAs would be helpful - detailing where responsibility lies and how a CA is required to deal with a sub-CA who is found to have misissued.
Re: New undisclosed intermediates
This one is interesting since the domain name of the CRL resolves to an RFC 1918 IP address. Surely that is a violation of the baseline requirements.

https://crt.sh/?sha256=b82210cde9ddea0e14be29af647e4b32f96ed2a9ef1aa5baa9cc64b38b6c01ca

Regards
Rich.

On Thursday, June 8, 2017 at 12:45:25 AM UTC+1, Jonathan Rudenberg wrote:
> > On Jun 5, 2017, at 09:29, Alex Gaynor via dev-security-policy wrote:
> >
> > Happy Monday!
> >
> > Another week, another set of intermediate certs that have shown up in CT
> > without having been properly disclosed:
> > https://crt.sh/mozilla-disclosures#undisclosed
>
> Yet another batch of undisclosed intermediates has shown up in CT:
>
> - https://crt.sh/?sha256=f01c1aca392882af152e9f01ecccd0afddd8aa35bf895b003198b1e8c752ddb8
> - https://crt.sh/?sha256=29d8ac29f9007a6ad7923fdade32ef814ba3c6751551cf765416e8dbd8ff7619
> - https://crt.sh/?sha256=c02739e63880368967bb27fedf0a5749aeaf62a2328c09a7a33e876b4f27adca
> - https://crt.sh/?sha256=b82210cde9ddea0e14be29af647e4b32f96ed2a9ef1aa5baa9cc64b38b6c01ca
> - https://crt.sh/?sha256=8e8c6ebf77dc73db3e38e93f4803e62b6b5933beb51ee4152f68d7aa14426b31
> - https://crt.sh/?sha256=48db8801874e0e36b1b864603b31648b74e2322a8f9e4967a8f54bd1b8f594de
> - https://crt.sh/?sha256=1bc400808ab07b775c811c631d75ab38fe7be7df6967f5b384bfe8dc9ef807c6
> - https://crt.sh/?sha256=f1f072c64d69e573725533e83a601bb8b068f6699e59ba70eda2aecb28e06bfb
Re: Draft further questions for Symantec
On Monday, May 8, 2017 at 1:24:28 PM UTC+1, Gervase Markham wrote:
> I think it might be appropriate to have a further round of questions to
> Symantec from Mozilla, to try and get some clarity on some outstanding
> and concerning issues. Here are some _proposed_ questions; feel free to
> suggest modifications or other questions, and I will decide what to send
> officially to Symantec in a few days. Please focus on formulating
> questions which would have an effect on Mozilla's view of Symantec or
> our response to the recent issues.

How about adding a catch all:

Are you aware of any information that might have an effect on Mozilla's view of Symantec, our response to the recent issues or of any further issues that have not been disclosed to us so far?

Cheers
Rich.