On 08/05/17 16:50, Kurt Roeckx wrote:
> So all of them except those from 2017-05-05 should have been marked in
> the Common CA Database as revoked but haven't been marked as such.
Thank you. I have drawn this to the attention of the 3 CAs concerned and
asked them to post here to indicate when
On Tue, May 09, 2017 at 04:51:12PM +0100, Gervase Markham via
dev-security-policy wrote:
> Despite the fact that there appear to be
> numerous under-audited and unaudited publicly-trusted sub-CAs out there,
> and this fact has been known for weeks now, Symantec has not said
> anything about the
Hi everyone,
Yesterday was May 8th, which was the day I had said we would stop
discussing my proposal of what to do about Symantec and hand it over to
Kathleen for a decision. This didn't happen for two reasons: I had some
personal things to deal with, and also I think the proposal needs some
On 01/05/17 10:09, Gervase Markham wrote:
> This simply involves changing a "2.0" to "2.2" in section 3.1.1 and
> updating the URL labelled "WebTrust-BRs" to be
> http://www.webtrust.org/principles-and-criteria/docs/item83987.pdf .
Done.
Gerv
___
On 01/05/17 10:02, Gervase Markham wrote:
> Here is a diff of the proposed changes:
> https://github.com/mozilla/pkipolicy/compare/issue-57
Incorporated.
Gerv
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
On Tuesday, May 9, 2017 at 10:03:53 AM UTC-7, Kurt Roeckx wrote:
>
> Do we somewhere have the official templates being used to send
> reminders of the audit requirements?
Unofficial templates:
https://wiki.mozilla.org/CA:Email_templates
The official templates are in Salesforce, but currently
On 08/05/2017 12:16, Gervase Markham wrote:
On 05/05/17 22:21, Jakob Bohm wrote:
The issue would be implementations that only check the EE cert for
their desired EKU (such as ServerAuth checking for a TLS client or
EmailProtection checking for a mail client). In other words, relying
parties
Gerv,
I'm not clear on what you mean by CAs must use only the 10 Blessed Methods by
21st July 2017.
I'm assuming this is the latest official draft:
https://github.com/mozilla/pkipolicy/blob/master/rootstore/policy.md
Specifically, does this mean all new domain validations must conform to
Okay - all certs were added to the CT log. We're now working through
revocation.
-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+jeremy.rowley=digicert@lists.mozilla.org]
On Behalf Of Jeremy Rowley via dev-security-policy
Sent: Tuesday, May 2, 2017
I have found this:
https://crt.sh/?id=6885329
I don't know whether Mozilla had allowed the certificate valid more than 39
months, so I am here to verify it.
I have searched on Github but found nothing.
___
dev-security-policy mailing list
Hi Gervase,
Thank you for the update on Mozilla's process.
I have one question regarding your wording. You write"I am therefore *proposing
*the following," and then you list your changes.
Does this mean that the "alternative" option is officially, 100%, off the
table? Or is this still an option
On 01/05/17 10:13, Gervase Markham wrote:
> This would involve replacing section 2.2.3 of the policy with:
Incorporated as drafted. CAs should take note (from this change and from
the CA Communication) that Mozilla's policy is moving in the direction
of requiring the 10 Blessed Methods alone,
12 matches
Mail list logo