Certificate issues

2017-04-18 Thread Jeremy Rowley via dev-security-policy
Hi everyone, On Friday at 1:00 pm, we accidentally introduced a bug into our issuance system that resulted in five serverAuth-code signing certificates that did not comply with the Baseline Requirements. The change modified a handful of code signing certificates into a pseudo-SSL profile.

Re: Certificate issues

2017-04-18 Thread Gervase Markham via dev-security-policy
On 18/04/17 17:22, Ryan Sleevi wrote: > On Tue, Apr 18, 2017 at 12:09 PM, Jeremy Rowley via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: >> code signing certificates into a pseudo-SSL profile. Because they were >> intended to be code signing certificates, the certificates

RE: Certificate issues

2017-04-18 Thread Jeremy Rowley via dev-security-policy
Okay - they are all logged to both Google's CT log and DigiCert's CT log. I can also send the PEM files shortly. -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Gervase Markham via

Re: Certificate issues

2017-04-18 Thread Jakob Bohm via dev-security-policy
On 18/04/2017 18:47, Nick Lamb wrote: Hi Jeremy Given the small number of certificates involved, it might make sense to just convert them to text and mention them inline, or put them somewhere we can all see them - if it's inconvenient to put them into the CT logs. I think this situation

Re: Certificate issues

2017-04-18 Thread Ryan Sleevi via dev-security-policy
On Tue, Apr 18, 2017 at 12:09 PM, Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Hi everyone, > > > > On Friday at 1:00 pm, we accidentally introduced a bug into our issuance > system that resulted in five serverAuth-code signing certificates that did > not

RE: Certificate issues

2017-04-18 Thread Jeremy Rowley via dev-security-policy
They are not currently logged to CT (because they were supposed to be code signing certificates). We can add them to our log though. Jeremy From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Tuesday, April 18, 2017 10:22 AM To: Jeremy Rowley Cc:

Re: Certificate issues

2017-04-18 Thread Nick Lamb via dev-security-policy
Hi Jeremy Given the small number of certificates involved, it might make sense to just convert them to text and mention them inline, or put them somewhere we can all see them - if it's inconvenient to put them into the CT logs. I think this situation will be useful as evidence of the value of

Re: Certificate issues

2017-04-18 Thread Ryan Sleevi via dev-security-policy
On Tue, Apr 18, 2017 at 1:32 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I believe the point was to check the prospective contents of the > TBSCertificate *before* CT logging (noting that Ryan Sleevi has been > violently insisting that failing to do

Re: Policy 2.5 Proposal: Fix definition of constraints for id-kp-emailProtection

2017-04-18 Thread Jakob Bohm via dev-security-policy
On 13/04/2017 15:46, Gervase Markham wrote: Hi Rob, You either have a great memory or good search-fu; well done for digging this out! On 12/04/17 22:14, Rob Stradling wrote: Gerv, FYI what you're proposing here (https://github.com/mozilla/pkipolicy/issues/69) was slated to appear in v2.1 of

Common CA Database updated with new logos

2017-04-18 Thread Kathleen Wilson via dev-security-policy
All, The Common CA Database has been updated with the new CCADB logos. This means that when you go to log in to the CA Community, at https://mozillacacommunity.force.com you will see the full "Common CA Database" logo. (before it just had the old "mozilla" logo). And when you are logged into