Having received no further comments, I am recommending approval of Hongkong
Post's inclusion request.
As Matt suggested earlier in this thread, I would not typically approve a
request for a CA with an open compliance bug, but in this case the bug is
open awaiting implementation of pre-issuance
I have confirmed that the problems identified with the CPS have been
corrected. [1]
Regarding the comments from Ian on the BR violations in 2016 that resulted
in adding an intermediate to OneCRL [2], this appears to have been the
result of the belief that was held by many CAs at that time that
We have applied the changes in the current CPS, please see
https://www.ecert.gov.hk/product/cps/ecert/img/server_cps_en4.pdf
So, the "Pre-production" CPS will be advanced to version 5, that will replace
the current CPS after Mozilla community discussion.
If any member has other comments,
Concern is that the incident report was submitted only when it required the
inclusion of the new root certificate in Mozilla Root Store...
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
I've just fill in the incident report [1],
https://bugzilla.mozilla.org/show_bug.cgi?id=1520299
On 16-Jan-19 5:30 AM, Wayne Thayer via dev-security-policy wrote:
There were no unresolved incidents, but I just created one to document the
misissued certificates that were revoked in August
Thanks for all the comments. I'm preparing now to apply the relevant
changes from the "Pre-production" CPS in the current CPS to clarify
these concerns. Specifically,
1. correct the description of revocation process to fix the suspension
and revocation issue.
2. make a statement in PREAMBLE
On Mon, Jan 14, 2019 at 11:43 PM Matt Palmer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Mon, Jan 14, 2019 at 05:18:18PM -0700, Wayne Thayer via
> dev-security-policy wrote:
> > * Fairly recent misissuance under the currently included Hong Kong Post
> > Root CA 1:
On Mon, Jan 14, 2019 at 05:18:18PM -0700, Wayne Thayer via dev-security-policy
wrote:
> * Fairly recent misissuance under the currently included Hong Kong Post
> Root CA 1: O and OU fields too long [4]. These certificates have all been
> revoked, but no incident report was ever filed.
I think
On 15-Jan-19 12:31 PM, Ian Carroll via dev-security-policy wrote:
> from looking at [3] I think it should be a
> very negative mark against a CA to have to OneCRL one of their
> intermediates.
[3] was reported and discussed three years ago. When I look at it
positively today, it does remind me
I do not usually comment on new CA applications, so take this with whatever
grain of salt you'd like, but from looking at [3] I think it should be a
very negative mark against a CA to have to OneCRL one of their
intermediates. If the CA is not committed to closely following web PKI
standards, it's
在 2019年1月15日星期二 UTC+8上午8:58:30,David E. Ross写道:
> On 1/14/2019 4:18 PM, Wayne Thayer wrote:
> > This request is for inclusion of the Government of Hong Kong, Hongkong
> > Post, Certizen Hongkong Post Root CA 3 trust anchor as documented in the
> > following bug:
On Mon, Jan 14, 2019 at 5:58 PM David E. Ross via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> I would think that lack of a CP alone would disqualify this root.
>
> Does it? I'm not saying that there is missing information, only that the
document is called a "CPS" rather
On 1/14/2019 4:18 PM, Wayne Thayer wrote:
> This request is for inclusion of the Government of Hong Kong, Hongkong
> Post, Certizen Hongkong Post Root CA 3 trust anchor as documented in the
> following bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1464306
>
> * BR Self Assessment is here:
>
This request is for inclusion of the Government of Hong Kong, Hongkong
Post, Certizen Hongkong Post Root CA 3 trust anchor as documented in the
following bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1464306
* BR Self Assessment is here:
14 matches
Mail list logo