Re: Ambiguous wording or the Mozilla CA security reporting requirement

2016-09-16 Thread Kathleen Wilson
Added to the list here: https://wiki.mozilla.org/CA:CertificatePolicyV2.3#Accountability And, yes, I am fully aware that a policy update is way overdue. :-( Thanks, Kathleen ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org

Re: Ambiguous wording or the Mozilla CA security reporting requirement

2016-09-12 Thread Percy
I agree with Jakob. This is similar to case law vs. statutory law. Even though we can get the same understandings from various cases, I believe in this situation, it will be clearer to codify such requirements clearly. On Monday, September 12, 2016 at 10:38:48 AM UTC-7, Jakob Bohm wrote: > On

Re: Ambiguous wording or the Mozilla CA security reporting requirement

2016-09-12 Thread Jakob Bohm
On 10/09/2016 14:39, Gervase Markham wrote: On 09/09/16 11:59, Jakob Bohm wrote: Since a major root compromise is generally considered the worst possible security event for a trusted CA, this wording could easily be (mis?)understood not to require reporting of lesser security failures, such as

Re: Ambiguous wording or the Mozilla CA security reporting requirement

2016-09-10 Thread Gervase Markham
On 09/09/16 11:59, Jakob Bohm wrote: > Since a major root compromise is generally considered the worst > possible security event for a trusted CA, this wording could easily be > (mis?)understood not to require reporting of lesser security failures, > such as issuing millions (or just hundreds) of

Re: Ambiguous wording or the Mozilla CA security reporting requirement

2016-09-10 Thread Peter Gutmann
Jakob Bohm writes: >Am I reading something wrong, or is there an unintended loophole in the >Mozilla Policy, as written, in this regard? A cynic would say that that's the exact intent of the policy, to ensure that anything but a catastrophe-scale event that's so big that

Ambiguous wording or the Mozilla CA security reporting requirement

2016-09-09 Thread Jakob Bohm
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/enforcement/ Only lists the following rule requiring disclosure of CA security issues: 1. When a serious security concern is noticed, such as a major root compromise, it should be treated as a