Re: Policy 2.5 Proposal: Indicate direction of travel with respect to permitted domain validation methods

2017-05-10 Thread Gervase Markham via dev-security-policy
On 09/05/17 18:25, Doug Beattie wrote:
> I'm not clear on what you mean by CAs must use only the 10 Blessed Methods by
> 21st July 2017.
>
> I'm assuming this is the latest official draft:
>
> https://github.com/mozilla/pkipolicy/blob/master/rootstore/policy.md

Yes :-)

> Specifically, does

Re: Draft further questions for Symantec

2017-05-10 Thread Gervase Markham via dev-security-policy
On 08/05/17 13:24, Gervase Markham wrote:
> 8) Please explain how the Management Assertions for your December 2014

Strike this question; it's based on a misunderstanding of how audits are done. Let's add:

10) Do you agree that, during the period of time that Symantec cross-signed the Federal

Re: Symantec: Update

2017-05-10 Thread Andrew R. Whalley via dev-security-policy
On Wed, May 10, 2017 at 2:06 PM, mono.riot--- via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On Wednesday, May 10, 2017 at 7:59:37 PM UTC+2, Itzhak Daniel wrote:
> > The next step, if Symantec wish to continue to use their current PKI in
> > the future, should be logging

Re: Symantec: Update

2017-05-10 Thread okaphone.elektronika--- via dev-security-policy
On Wednesday, 10 May 2017 17:52:40 UTC+2, Gervase Markham wrote:
> On 09/05/17 16:51, Gervase Markham wrote:
> > * Editing the proposal to withdraw the "alternative" option, leaving
> > only the "new PKI" option.
>
> This has now been done:
>
>

Re: Find a 5-year certificate

2017-05-10 Thread userwithuid via dev-security-policy
In this context, I was wondering: Has there been a discussion yet on Firefox enforcing cert lifetime in code not just via policy? Most everything seems to be in place already due to EV, but DV doesn't have a limit atm. [0] Now in practice, thanks to killing sha1, most of those legacy certs are

Re: Symantec: Update

2017-05-10 Thread mono.riot--- via dev-security-policy
On Wednesday, May 10, 2017 at 7:59:37 PM UTC+2, Itzhak Daniel wrote:
> The next step, if Symantec wish to continue to use their current PKI in the
> future, should be logging (ASAP) *all* of the certificates they issued to a
> CT log, then we'll know how deep is the rabbit hole.

already the

Re: Symantec: Update

2017-05-10 Thread Kurt Roeckx via dev-security-policy
On Tue, May 09, 2017 at 07:03:16PM +0200, Kurt Roeckx via dev-security-policy wrote:
>
> Instead of the removal of the roots, I suggest we either ask them
> to revoke all the intermediate CAs that do not have the required
> audits or that Mozilla adds them to OneCRL.

Just to clarify, I believe