Re: Root Store Policy 2.5: Call For Review and Phase-In Periods

2017-07-06 Thread Gervase Markham via dev-security-policy
On 06/07/17 16:31, Doug Beattie wrote: > Moving to a new CA within 6 months is certainly reasonable, but having > enterprise customers also replace all certificates so the CA can be revoked > within 6 months might be a bit short, especially since several of those > months are over the holidays. W

RE: Root Store Policy 2.5: Call For Review and Phase-In Periods

2017-07-06 Thread Doug Beattie via dev-security-policy
Behalf Of > Gervase Markham via dev-security-policy > Sent: Thursday, June 22, 2017 8:50 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Root Store Policy 2.5: Call For Review and Phase-In Periods > > On 21/06/17 16:58, Doug Beattie wrote: > >> It's wo

Re: Root Store Policy 2.5: Call For Review and Phase-In Periods

2017-06-22 Thread Gervase Markham via dev-security-policy
On 21/06/17 16:58, Doug Beattie wrote: >> It's worth noting that if we had discovered this situation for SSL - that an >> unconstrained intermediate or uncontrolled power of issuance had been >> given to a company with no audit - we would be requiring the intermediate >> be revoked today, and proba

Re: Root Store Policy 2.5: Call For Review and Phase-In Periods

2017-06-21 Thread Peter Bowen via dev-security-policy
On Wed, Jun 21, 2017 at 7:15 AM, Gervase Markham via dev-security-policy wrote: > On 21/06/17 13:13, Doug Beattie wrote: >>> Do they have audits of any sort? >> >> There had not been any audit requirements for EKU technically >> constrained CAs, so no, there are no audits. > > In your view, having

RE: Root Store Policy 2.5: Call For Review and Phase-In Periods

2017-06-21 Thread Doug Beattie via dev-security-policy
@lists.mozilla.org > Subject: Re: Root Store Policy 2.5: Call For Review and Phase-In Periods > In your view, having an EKU limiting the intermediate to just SSL or to just > email makes it a technically constrained CA, and therefore not subject to > audit under any root program? The BRs c

Re: Root Store Policy 2.5: Call For Review and Phase-In Periods

2017-06-21 Thread Gervase Markham via dev-security-policy
On 21/06/17 13:13, Doug Beattie wrote: >> Do they have audits of any sort? > > There had not been any audit requirements for EKU technically > constrained CAs, so no, there are no audits. In your view, having an EKU limiting the intermediate to just SSL or to just email makes it a technically co

RE: Root Store Policy 2.5: Call For Review and Phase-In Periods

2017-06-21 Thread Doug Beattie via dev-security-policy
> -Original Message- > From: Gervase Markham [mailto:g...@mozilla.org] > Sent: Tuesday, June 20, 2017 9:12 PM > To: Doug Beattie ; mozilla-dev-security- > pol...@lists.mozilla.org > Subject: Re: Root Store Policy 2.5: Call For Review and Phase-In Periods > > We h

Re: Root Store Policy 2.5: Call For Review and Phase-In Periods

2017-06-20 Thread Gervase Markham via dev-security-policy
Hi Doug, On 20/06/17 16:31, Doug Beattie wrote: > I'd like to recommend a phase in of the requirement for technically > constrained CAs that issue Secure email certificates. For those following along at home, that is this change: https://github.com/mozilla/pkipolicy/issues/69 https://github.com/

RE: Root Store Policy 2.5: Call For Review and Phase-In Periods

2017-06-20 Thread Doug Beattie via dev-security-policy
dev-security-policy [mailto:dev-security-policy- > bounces+doug.beattie=globalsign@lists.mozilla.org] On Behalf Of > Gervase Markham via dev-security-policy > Sent: Thursday, June 8, 2017 11:43 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Root Store Policy 2.

Root Store Policy 2.5: Call For Review and Phase-In Periods

2017-06-08 Thread Gervase Markham via dev-security-policy
Hi everyone, I've made the last change I currently intend to make for version 2.5 of Mozilla's Root Store Policy. The last task before shipping it is to assess whether any of the changes require a phase-in period, i.e. for some reason, they can't be applicable immediately. CAs and others are requ