Re: Not disclosed as revoked intermediate certificates

2017-05-09 Thread Gervase Markham via dev-security-policy
On 08/05/17 16:50, Kurt Roeckx wrote: > So all of them except those from 2017-05-05 should have been marked in > the Common CA Database as revoked but haven't been marked as such. Thank you. I have drawn this to the attention of the 3 CAs concerned and asked them to post here to indicate when

Re: Symantec: Update

2017-05-09 Thread Kurt Roeckx via dev-security-policy
On Tue, May 09, 2017 at 04:51:12PM +0100, Gervase Markham via dev-security-policy wrote: > Despite the fact that there appear to be > numerous under-audited and unaudited publicly-trusted sub-CAs out there, > and this fact has been known for weeks now, Symantec has not said > anything about the

Symantec: Update

2017-05-09 Thread Gervase Markham via dev-security-policy
Hi everyone, Yesterday was May 8th, which was the day I had said we would stop discussing my proposal of what to do about Symantec and hand it over to Kathleen for a decision. This didn't happen for two reasons: I had some personal things to deal with, and also I think the proposal needs some

Re: Policy 2.5 Proposal: New version of WebTrust Criteria -- v2.2

2017-05-09 Thread Gervase Markham via dev-security-policy
On 01/05/17 10:09, Gervase Markham wrote: > This simply involves changing a "2.0" to "2.2" in section 3.1.1 and > updating the URL labelled "WebTrust-BRs" to be > http://www.webtrust.org/principles-and-criteria/docs/item83987.pdf . Done. Gerv

Re: Policy 2.5 Proposal: Incorporate Root Transfer Policy

2017-05-09 Thread Gervase Markham via dev-security-policy
On 01/05/17 10:02, Gervase Markham wrote: > Here is a diff of the proposed changes: > https://github.com/mozilla/pkipolicy/compare/issue-57 Incorporated. Gerv

Re: Symantec: Update

2017-05-09 Thread Kathleen Wilson via dev-security-policy
On Tuesday, May 9, 2017 at 10:03:53 AM UTC-7, Kurt Roeckx wrote: > > Do we somewhere have the official templates being used to send > reminders of the audit requirements? Unofficial templates: https://wiki.mozilla.org/CA:Email_templates The official templates are in Salesforce, but currently

Re: Policy 2.5 Proposal: Fix definition of constraints for id-kp-emailProtection

2017-05-09 Thread Jakob Bohm via dev-security-policy
On 08/05/2017 12:16, Gervase Markham wrote: On 05/05/17 22:21, Jakob Bohm wrote: The issue would be implementations that only check the EE cert for their desired EKU (such as ServerAuth checking for a TLS client or EmailProtection checking for a mail client). In other words, relying parties

RE: Policy 2.5 Proposal: Indicate direction of travel with respect to permitted domain validation methods

2017-05-09 Thread Doug Beattie via dev-security-policy
Gerv, I'm not clear on what you mean by CAs must use only the 10 Blessed Methods by 21st July 2017. I'm assuming this is the latest official draft: https://github.com/mozilla/pkipolicy/blob/master/rootstore/policy.md Specifically, does this mean all new domain validations must conform to

RE: CA Validation quality is failing

2017-05-09 Thread Jeremy Rowley via dev-security-policy
Okay - all certs were added to the CT log. We're now working through revocation. -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert@lists.mozilla.org] On Behalf Of Jeremy Rowley via dev-security-policy Sent: Tuesday, May 2, 2017

Find a 5-year certificate

2017-05-09 Thread Han Yuwei via dev-security-policy
I have found this: https://crt.sh/?id=6885329 I don't know whether Mozilla had allowed the certificate valid more than 39 months, so I am here to verify it. I have searched on Github but found nothing.
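Two of the threads above raise checks a relying party or root-program reviewer can run mechanically: Jakob Bohm's point that some implementations look only at the end-entity certificate's EKU and ignore EKU constraints on the intermediates, and Han Yuwei's question about a certificate whose validity period exceeds 39 months (the Baseline Requirements limit in force at the time). The following is an added example, not code from any post in the thread or from Mozilla's policy repository. It builds a constructed three-certificate chain with Go's crypto/x509 (an intermediate whose EKU extension permits only id-kp-emailProtection, under which a five-year leaf asserts id-kp-serverAuth), then contrasts an EE-only EKU check with a whole-chain check and with x509.Verify, and counts the leaf's validity in calendar months. The helpers mint, DemoChain, ChainPermitsEKU, VerifyForUsage and ValidityMonths are hypothetical names introduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed sequential serials; a real CA must use random serials

// mint is a hypothetical helper: issue a certificate for cn signed by parent,
// or self-signed when parent is nil. Only the fields the demo needs are set.
func mint(cn string, isCA bool, ekus []x509.ExtKeyUsage, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           ekus, // nil: no EKU extension at all, i.e. unconstrained
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// DemoChain builds the constructed scenario: root -> email-only intermediate ->
// five-year TLS leaf. Nothing here is a real CA or a real certificate.
func DemoChain() (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	nb := time.Date(2017, time.May, 9, 0, 0, 0, 0, time.UTC)
	root, rootKey := mint("Constructed Root CA", true, nil, nb, nb.AddDate(15, 0, 0), nil, nil)
	inter, interKey := mint("Constructed Email CA", true,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}, nb, nb.AddDate(10, 0, 0), root, rootKey)
	leaf, _ := mint("www.example.test", false,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, nb, nb.AddDate(5, 0, 0), inter, interKey)
	return root, inter, leaf
}

// ChainPermitsEKU requires every certificate in chain that carries an EKU
// extension to list eku (or anyExtendedKeyUsage). Passing only chain[:1] is the
// weak EE-only check described in the thread.
func ChainPermitsEKU(chain []*x509.Certificate, eku x509.ExtKeyUsage) bool {
	for _, c := range chain {
		if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
			continue // no EKU extension: this certificate does not constrain usage
		}
		ok := false
		for _, e := range c.ExtKeyUsage {
			if e == eku || e == x509.ExtKeyUsageAny {
				ok = true
				break
			}
		}
		if !ok {
			return false
		}
	}
	return true
}

// VerifyForUsage runs Go's own path validation, which applies KeyUsages to the
// whole chain, so an email-only intermediate cannot carry a serverAuth leaf.
func VerifyForUsage(leaf, inter, root *x509.Certificate, eku x509.ExtKeyUsage) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		CurrentTime:   leaf.NotBefore.Add(time.Hour),
		KeyUsages:     []x509.ExtKeyUsage{eku},
	})
	return err
}

// ValidityMonths counts whole calendar months from NotBefore to NotAfter, the
// unit in which the 39-month limit was expressed.
func ValidityMonths(c *x509.Certificate) int {
	months := 0
	for !c.NotBefore.AddDate(0, months+1, 0).After(c.NotAfter) {
		months++
	}
	return months
}

func main() {
	root, inter, leaf := DemoChain()
	chain := []*x509.Certificate{leaf, inter, root}
	fmt.Println("EE-only serverAuth check:   ", ChainPermitsEKU(chain[:1], x509.ExtKeyUsageServerAuth))
	fmt.Println("whole-chain serverAuth check:", ChainPermitsEKU(chain, x509.ExtKeyUsageServerAuth))
	fmt.Println("x509.Verify for serverAuth:  ", VerifyForUsage(leaf, inter, root, x509.ExtKeyUsageServerAuth))
	m := ValidityMonths(leaf)
	fmt.Printf("leaf validity: %d months, exceeds 39-month limit: %v\n", m, m > 39)
}
```

The EE-only check accepts the leaf for TLS server use because the leaf itself says serverAuth; the whole-chain check and x509.Verify both reject it because the intermediate's EKU extension never permitted serverAuth, which is the behaviour the proposed policy wording relies on. ValidityMonths is deliberately calendar-based rather than a days/30 approximation, since the limit was written in months.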

Re: Symantec: Update

2017-05-09 Thread Vincent Lynch via dev-security-policy
Hi Gervase, Thank you for the update on Mozilla's process. I have one question regarding your wording. You write "I am therefore *proposing* the following," and then you list your changes. Does this mean that the "alternative" option is officially, 100%, off the table? Or is this still an option

Re: Policy 2.5 Proposal: Indicate direction of travel with respect to permitted domain validation methods

2017-05-09 Thread Gervase Markham via dev-security-policy
On 01/05/17 10:13, Gervase Markham wrote: > This would involve replacing section 2.2.3 of the policy with: Incorporated as drafted. CAs should take note (from this change and from the CA Communication) that Mozilla's policy is moving in the direction of requiring the 10 Blessed Methods alone,