Re: CAs cross-signing roots whose subjects don't comply with the BRs

2019-10-08 Thread Ryan Sleevi via dev-security-policy
On Tue, Oct 8, 2019 at 10:04 AM Corey Bonnell via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > Unless I found a root that Ryan isn’t referring to, Mozilla Policy 2.1 ( > https://wiki.mozilla.org/CA:CertificatePolicyV2.1) would have been in > force when the root was first

Re: CAs cross-signing roots whose subjects don't comply with the BRs

2019-10-08 Thread Jakob Bohm via dev-security-policy
On 08/10/2019 13:41, Corey Bonnell wrote: On Monday, October 7, 2019 at 10:52:36 AM UTC-4, Ryan Sleevi wrote: I'm curious how folks feel about the following practice: Imagine a CA, "Foo", that creates a new Root Certificate ("Root 1"). They create this Root Certificate after the effective date

Re: CAs cross-signing roots whose subjects don't comply with the BRs

2019-10-08 Thread Corey Bonnell via dev-security-policy
On Monday, October 7, 2019 at 10:52:36 AM UTC-4, Ryan Sleevi wrote: > I'm curious how folks feel about the following practice: > > Imagine a CA, "Foo", that creates a new Root Certificate ("Root 1"). They > create this Root Certificate after the effective date of the Baseline > Requirements, but

Re: CAs cross-signing roots whose subjects don't comply with the BRs

2019-10-07 Thread Ryan Sleevi via dev-security-policy
On Mon, Oct 7, 2019 at 12:20 PM Jeremy Rowley wrote: > For example, suppose a root was created before a rule went into place and > the root needs to be renewed for some reason. If the root was compliant > before creation and modifying the profile would break something with the > root, then

RE: CAs cross-signing roots whose subjects don't comply with the BRs

2019-10-07 Thread Jeremy Rowley via dev-security-policy
-policy On Behalf Of Jeremy Rowley via dev-security-policy Sent: Monday, October 7, 2019 10:21 AM To: r...@sleevi.com Cc: mozilla-dev-security-policy Subject: RE: CAs cross-signing roots whose subjects don't comply with the BRs Yeah - I like the visibility here since I know I often forget to post

RE: CAs cross-signing roots whose subjects don't comply with the BRs

2019-10-07 Thread Jeremy Rowley via dev-security-policy
don't scan, it's like a terrible version of Christmas.) -Original Message- From: dev-security-policy On Behalf Of Ryan Sleevi via dev-security-policy Sent: Monday, October 7, 2019 10:07 AM To: Jeremy Rowley Cc: mozilla-dev-security-policy Subject: Re: CAs cross-signing roots whose

Re: CAs cross-signing roots whose subjects don't comply with the BRs

2019-10-07 Thread Jakob Bohm via dev-security-policy
On 07/10/2019 17:35, Ryan Sleevi wrote: > On Mon, Oct 7, 2019 at 11:26 AM Jakob Bohm via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> On 07/10/2019 16:52, Ryan Sleevi wrote: >>> I'm curious how folks feel about the following practice: >>> >>> Imagine a CA, "Foo",

Re: CAs cross-signing roots whose subjects don't comply with the BRs

2019-10-07 Thread Ryan Sleevi via dev-security-policy
On Mon, Oct 7, 2019 at 11:54 AM Jeremy Rowley wrote: > Are both roots trusted in the Mozilla root store? If so, could you say > that Mozilla has approved of the root notwithstanding the non-compliance? > If root 2 did go through the public review process and had the public look > at the

RE: CAs cross-signing roots whose subjects don't comply with the BRs

2019-10-07 Thread Jeremy Rowley via dev-security-policy
: Monday, October 7, 2019 9:35 AM To: Jakob Bohm Cc: mozilla-dev-security-policy Subject: Re: CAs cross-signing roots whose subjects don't comply with the BRs On Mon, Oct 7, 2019 at 11:26 AM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > On 07/10/2

Re: CAs cross-signing roots whose subjects don't comply with the BRs

2019-10-07 Thread Ryan Sleevi via dev-security-policy
On Mon, Oct 7, 2019 at 11:26 AM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > On 07/10/2019 16:52, Ryan Sleevi wrote: > > I'm curious how folks feel about the following practice: > > > > Imagine a CA, "Foo", that creates a new Root Certificate ("Root 1").

Re: CAs cross-signing roots whose subjects don't comply with the BRs

2019-10-07 Thread Jakob Bohm via dev-security-policy
On 07/10/2019 16:52, Ryan Sleevi wrote: I'm curious how folks feel about the following practice: Imagine a CA, "Foo", that creates a new Root Certificate ("Root 1"). They create this Root Certificate after the effective date of the Baseline Requirements, but prior to Root Programs consistently