Re: Google Trust Services roots

2017-02-09 Thread Peter Bowen via dev-security-policy
On Thu, Feb 9, 2017 at 9:56 PM, Richard Wang via dev-security-policy wrote: > I can't see this sentence > " I highlight this because we (the community) see the occasional remark like > this; most commonly, it's directed at organizations in particular

RE: Public disclosure of root ownership transfers (was: Re: Google Trust Services roots)

2017-02-09 Thread Richard Wang via dev-security-policy
-security-policy Sent: Friday, February 10, 2017 1:10 PM To: Gervase Markham <g...@mozilla.org> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Public disclosure of root ownership transfers (was: Re: Google Trust Services roots) On Thu, Feb 9, 2017 at 7:41 AM, Gervase Markham v

RE: Google Trust Services roots

2017-02-09 Thread Richard Wang via dev-security-policy
@lists.mozilla.org] On Behalf Of Ryan Sleevi via dev-security-policy Sent: Friday, February 10, 2017 12:43 PM To: Jakob Bohm <jb-mozi...@wisemo.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Google Trust Services roots On Thu, Feb 9, 2017 at 3:39 PM, Jakob Bohm via dev-se

Re: Public disclosure of root ownership transfers (was: Re: Google Trust Services roots)

2017-02-09 Thread Peter Bowen via dev-security-policy
On Thu, Feb 9, 2017 at 7:41 AM, Gervase Markham via dev-security-policy wrote: > On 09/02/17 14:32, Gijs Kruitbosch wrote: >> Would Mozilla's root program consider changing this requirement so that >> it *does* require public disclosure, or are there

Re: Google Trust Services roots

2017-02-09 Thread Ryan Sleevi via dev-security-policy
On Thu, Feb 9, 2017 at 3:39 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > Additional issue #2: The information at https://pki.goog/ about how to > report misissuance directs visitors to a generic reporting page for > code vulnerabilities, which (by

Re: Google Trust Services roots

2017-02-09 Thread Jakob Bohm via dev-security-policy
On 09/02/2017 20:55, Ryan Hurst wrote: Peter, Thank you very much for your, as always, thorough review. Let me start by saying I agree there is an opportunity for improving the policies around how key transfers such as your recent transfer and Google's are handled. It is my hope we can,

Re: Google Trust Services roots

2017-02-09 Thread Peter Bowen via dev-security-policy
Ryan, Thank you for the quick reply. My comments and questions are inline. On Thu, Feb 9, 2017 at 11:55 AM, Ryan Hurst via dev-security-policy wrote: > Peter, > > Thank you very much for your, as always, thorough review. > > Let me start by saying I agree

Re: Google Trust Services roots

2017-02-09 Thread Ryan Hurst via dev-security-policy
Peter, Thank you very much for your, as always, thorough review. Let me start by saying I agree there is an opportunity for improving the policies around how key transfers such as your recent transfer and Google's are handled. It is my hope we can, through our respective recent experiences

Re: Google Trust Services roots

2017-02-09 Thread Ryan Hurst via dev-security-policy
Peter, Thank you very much for your, as always, thorough review. Let me start by saying I agree there is an opportunity for improving the policies around how key transfers such as your recent transfer and Google's are handled. It is my hope we can, through our respective recent experiences

Re: Public disclosure of root ownership transfers (was: Re: Google Trust Services roots)

2017-02-09 Thread Gervase Markham via dev-security-policy
On 09/02/17 14:32, Gijs Kruitbosch wrote: > Would Mozilla's root program consider changing this requirement so that > it *does* require public disclosure, or are there convincing reasons not > to? At first glance, it seems like 'guiding' CAs towards additional > transparency in the CA
