Re: Next CA Communication

Hi Doug, Kathleen is unavailable this week, so I'll try and answer. (This might have been better as a new top-level post, though...) On 11/04/17 21:14, Doug Beattie wrote: > This is my understanding: > > - Under policy 2.3 a CA that is technically > constrained with EKU set to only secure email

RE: Next CA Communication

.org > Subject: Re: Next CA Communication > > On Tuesday, April 4, 2017 at 10:38:28 AM UTC-7, Kathleen Wilson wrote: > > > > The email has been sent, and the survey is open. > > > > > Published a security blog about it: > https://blog.mozilla.org/security/

Re: Next CA Communication

On Tuesday, April 4, 2017 at 10:38:28 AM UTC-7, Kathleen Wilson wrote: > > The email has been sent, and the survey is open. > Published a security blog about it: https://blog.mozilla.org/security/2017/04/04/mozilla-releases-version-2-4-ca-certificate-policy/ Cheers, Kathleen

Re: Next CA Communication

On Monday, April 3, 2017 at 2:21:14 PM UTC-7, Kathleen Wilson wrote: > All, > > I'm getting ready to send the April 2017 CA Communication email. > > I updated the wiki page to have the survey introduction text, and a > (read-only) link to the full survey: >

Re: Next CA Communication

On Monday, April 3, 2017 at 10:13:22 AM UTC-7, Kathleen Wilson wrote: > https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ > still shows version 2.4. It's been updated to version 2.4.1. Thanks, Kathleen ___

Re: Next CA Communication

On Saturday, April 1, 2017 at 3:59:28 AM UTC-7, Gervase Markham wrote: > On 31/03/17 22:20, Kathleen Wilson wrote: > > Please let me know asap if you see any problems, typos, etc. in this > > version. > > Now that policy 2.4.1 has been published, we should update Action 3 to > say the following

Re: Next CA Communication

On 31/03/17 22:20, Kathleen Wilson wrote: > Please let me know asap if you see any problems, typos, etc. in this > version. Now that policy 2.4.1 has been published, we should update Action 3 to say the following at the top: Versions 2.4 and 2.4.1 of Mozilla's CA Certificate Policy have been

Re: Next CA Communication

I have moved the draft of the April 2017 CA Communication to production, so the link has changed to: https://mozillacaprogram.secure.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a05o03WrzBC It is also available here:

Re: Next CA Communication

On 28/03/2017 16:13, Ryan Sleevi wrote: On Tue, Mar 28, 2017 at 10:00 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: In principle any source of information could change just one minute later. A domain could be sold, a company could declare bankruptcy, a

Re: Next CA Communication

On Tue, Mar 28, 2017 at 10:00 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > In principle any source of information could change just one minute > later. A domain could be sold, a company could declare bankruptcy, a > personal domain owner could die. >

Re: Next CA Communication

On 27/03/2017 11:10, Gervase Markham wrote: On 17/03/17 15:30, Gervase Markham wrote: The URL for the draft of the next CA Communication is here: https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2 Note

Re: Next CA Communication

On 27/03/17 16:22, Ryan Sleevi wrote: > Would it be useful to thus also query whether there would be impact in > Mozilla applications failing to trust such certificates, but otherwise to > continue permitting their issuance. That is a good idea. How about: If you are unable to support a

Re: Next CA Communication

On Mon, Mar 27, 2017 at 10:18 AM, Ryan Sleevi wrote: > Gerv, > > I'm curious whether you would consider 18 months an appropriate target for > a deprecation to 1 year certificates. That is, do you believe a transition > to 1 year certificates requires 24 months or 18 months, or

Re: Next CA Communication

rts, 2 years -> 1 year certs) On Mon, Mar 27, 2017 at 5:10 AM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 17/03/17 15:30, Gervase Markham wrote: > > The URL for the draft of the next CA Communication is here: > > https://mo

Re: Next CA Communication

On 17/03/17 15:30, Gervase Markham wrote: > The URL for the draft of the next CA Communication is here: > https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2 > > Note that this is a _draft_ - the form parts w

Re: Next CA Communication

On Friday, March 24, 2017 at 3:11:17 AM UTC-7, Gervase Markham wrote: > On 23/03/17 23:07, Kathleen Wilson wrote: > > Second paragraph of Action 1 now says: ~~ Note that version 1.4.2 of > > the BRs does not contain all 10 of these methods, but it does contain > > section 3.2.2.4.11, "Other

Re: Next CA Communication

On 23/03/17 23:07, Kathleen Wilson wrote: > Second paragraph of Action 1 now says: ~~ Note that version 1.4.2 of > the BRs does not contain all 10 of these methods, but it does contain > section 3.2.2.4.11, "Other Methods", so the subsections of version > 3.2.2.4 that are marked "Reserved" in

Re: Next CA Communication

On Tuesday, March 21, 2017 at 11:34:30 AM UTC-7, Gervase Markham wrote: > On 21/03/17 10:16, Gervase Markham wrote: > > On 17/03/17 11:30, Gervase Markham wrote: > >> The URL for the draft of the next CA Communication is here: > >> https://mozilla-mozillacaprogram.cs

Re: Next CA Communication

On Tuesday, March 21, 2017 at 7:17:26 AM UTC-7, Gervase Markham wrote: > On 17/03/17 11:30, Gervase Markham wrote: > > The URL for the draft of the next CA Communication is here: > > https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CA

Re: Next CA Communication

On Tuesday, March 21, 2017 at 5:51:29 AM UTC-7, Kurt Roeckx wrote: > On 2017-03-21 12:51, Jakob Bohm wrote: > > On 21/03/2017 10:09, Kurt Roeckx wrote: > >> Action 6 says: I've updated action #6, but it still might not be clear. Here's the new draft: ACTION 6: QUALIFIED AUDIT STATEMENTS When

Re: Next CA Communication

On 21/03/17 10:16, Gervase Markham wrote: > On 17/03/17 11:30, Gervase Markham wrote: >> The URL for the draft of the next CA Communication is here: >> https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2

Re: Next CA Communication

On 17/03/17 11:30, Gervase Markham wrote: > The URL for the draft of the next CA Communication is here: > https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2 A few more wording tweaks on the current version: * Action

Re: Next CA Communication

On 2017-03-21 12:51, Jakob Bohm wrote: On 21/03/2017 10:09, Kurt Roeckx wrote: On 2017-03-17 16:30, Gervase Markham wrote: The URL for the draft of the next CA Communication is here: https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId

Re: Next CA Communication

On 21/03/2017 10:09, Kurt Roeckx wrote: On 2017-03-17 16:30, Gervase Markham wrote: The URL for the draft of the next CA Communication is here: https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2 Action 6 says: However

Re: Next CA Communication

On Monday, March 20, 2017 at 2:43:22 PM UTC-7, Gervase Markham wrote: > On 20/03/17 15:33, Kathleen Wilson wrote: > >> * Action 7: some of the BR Compliance bugs relate to CAs which are no > >> longer trusted, like StartCom. If StartCom does become a trusted CA > >> again, it will be with new

Re: Next CA Communication

On 20/03/17 13:07, Peter Bowen wrote: >> E) SHA-1 and S/MIME >> >> Does your CA issue SHA-1 S/MIME certificates? If so, please explain your >> plans for ceasing to do so, and any self-imposed or external deadlines >> you are planning to meet. Mozilla plans to make policy in this area in >> the

Re: Next CA Communication

On 20/03/17 15:33, Kathleen Wilson wrote: >> * Action 7: some of the BR Compliance bugs relate to CAs which are no >> longer trusted, like StartCom. If StartCom does become a trusted CA >> again, it will be with new systems which most likely do not have the >> same bugs. Should we close the

Re: Next CA Communication

On Mon, Mar 20, 2017 at 4:52 PM Rob Stradling wrote: > On 20/03/17 17:07, Peter Bowen via dev-security-policy wrote: > > >> B) Your attention is drawn to the cablint and x509lint tools, which you > >> may wish to incorporate into your certificate issuance pipeline to

Re: Next CA Communication

On Monday, March 20, 2017 at 1:37:32 PM UTC-7, Jeremy Rowley wrote: > Something like: "Does your CA have any third-party Registration Authority > (RA)s program that the CA relies on to perform the domain validation > required under Section 3.2.2.4 of the Baseline Requirements." Updated

RE: Next CA Communication

-policy Sent: Monday, March 20, 2017 2:29 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Next CA Communication On Monday, March 20, 2017 at 10:59:41 AM UTC-7, Peter Bowen wrote: > On Mon, Mar 20, 2017 at 10:43 AM, Jeremy Rowley via > > [JR] This should be limited to SSL

Re: Next CA Communication

On Monday, March 20, 2017 at 10:59:41 AM UTC-7, Peter Bowen wrote: > On Mon, Mar 20, 2017 at 10:43 AM, Jeremy Rowley via > > [JR] This should be limited to SSL certs IMO. With client certs, you're > > going > > to get a lot more RAs that likely function under the standard or legal > > framework

Re: Next CA Communication

On Friday, March 17, 2017 at 9:17:07 AM UTC-7, Peter Bowen wrote: > I would replace this with: > > + Distinguished name and SHA-256 hash of the SubjectPublicKeyInfo of > each certificate issuer covered by the audit scope > + Clear indication of which in-scope certificate issuers are Root CAs >

Re: Next CA Communication

On Mon, Mar 20, 2017 at 10:43 AM, Jeremy Rowley via dev-security-policy wrote: > A) Does your CA have an RA program, whereby non-Affiliates of your company > perform aspects of certificate validation on your behalf under contract? If > so, please tell us

Re: Next CA Communication

On 17/03/17 15:30, Gervase Markham wrote: > The URL for the draft of the next CA Communication is here: > https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2 * Action 1 should say that if in future additional sp

Re: Next CA Communication

On Fri, Mar 17, 2017 at 8:30 AM, Gervase Markham via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > The URL for the draft of the next CA Communication is here: > https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACom

Next CA Communication

The URL for the draft of the next CA Communication is here: https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2 Note that this is a _draft_ - the form parts will not work, and no CA should attempt to use this URL or the form

Re: Next CA Communication -- September?

On Tuesday, 23 August 2016 20:03:13 UTC+1, Kathleen Wilson wrote: > Are there any other topics that I should include in this upcoming CA > Communication? Also, I think that the SHA-1 topic should be brought up again. Some CA folks will be tired of reading about this, having managed the issue

Re: Next CA Communication -- September?

On Tuesday, 23 August 2016 20:03:13 UTC+1, Kathleen Wilson wrote: > Are there any other topics that I should include in this upcoming CA > Communication? It can be worth following-up on date-in-time commitments from those CAs in replies to the previous communication this year. Each CA should

Re: DRAFT of next CA Communication

On 5/7/15 10:47 AM, Kathleen Wilson wrote: On 5/6/15 1:52 AM, Gervase Markham wrote: On 05/05/15 21:54, Kathleen Wilson wrote: EXAMPLE/DRAFT Survey Link: https://community-mozillacaprogram.cs21.force.com/Communications/TakeSurvey?id=a04q004jpXoAAIcId=caId=none LGTM. Gerv Thanks, I'm

Re: DRAFT of next CA Communication

On 5/6/15 1:52 AM, Gervase Markham wrote: On 05/05/15 21:54, Kathleen Wilson wrote: EXAMPLE/DRAFT Survey Link: https://community-mozillacaprogram.cs21.force.com/Communications/TakeSurvey?id=a04q004jpXoAAIcId=caId=none LGTM. Gerv Thanks, I'm planning to send the communication early

Re: DRAFT of next CA Communication

On 05/05/15 21:54, Kathleen Wilson wrote: EXAMPLE/DRAFT Survey Link: https://community-mozillacaprogram.cs21.force.com/Communications/TakeSurvey?id=a04q004jpXoAAIcId=caId=none LGTM. Gerv ___ dev-security-policy mailing list

Re: DRAFT of next CA Communication

On 29/04/15 17:23, Kathleen Wilson wrote: I will appreciate your feedback on the email and the survey (use link below). All looks good to me. Although it's a shame Salesforce seems not to be able to embed links. Gerv ___ dev-security-policy mailing

Re: DRAFT of next CA Communication

All, I have entered the draft CA Communication into the sandbox area of SalesForce, so we can see how it will look. Below is an example of the email that will be sent to the Primary Point of Contact (POC) for each CA with a root included in Mozilla's program. The survey link in each email

Re: DRAFT of next CA Communication

On 4/9/15 9:32 AM, Kathleen Wilson wrote: All, I would like to send the next CA Communication in late April or early May, and request CAs to respond to it within one month. For this communication I plan to use SalesForce to email a customized survey link to the Primary Point of Contact for each

Re: DRAFT of next CA Communication

On 4/13/15 1:15 PM, Brian Smith wrote: Kathleen Wilson kwil...@mozilla.com wrote: ACTION #4 Workarounds were implemented to allow mozilla::pkix to handle the things listed here: https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix Hi Kathleen, Thanks for

Re: DRAFT of next CA Communication

Kathleen Wilson kwil...@mozilla.com wrote: ACTION #4 Workarounds were implemented to allow mozilla::pkix to handle the things listed here: https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix Hi Kathleen, Thanks for including this in the CA communication. That

Re: DRAFT of next CA Communication

On 09/04/15 21:12, yuhongbao_...@hotmail.com wrote: What about Mozilla's own aus3.mozilla.org certificate for which the SHA-1 intermediate was pinned? I'm afraid I don't understand the question, or how it relates to the CA Communication. Can you clarify? Gerv