Re: Policy 2.5 Proposal: Add definition of "mis-issuance"

2017-06-07 Thread Jakob Bohm via dev-security-policy
On 07/06/2017 12:55, Rob Stradling wrote: On 06/06/17 22:26, Jakob Bohm wrote: On 06/06/2017 22:08, Ryan Sleevi wrote: Signing data is heavily reliant on CA competency, and that's in unfortunately short supply, as the economics of the CA market make it easy to fire all the engineers, while

Re: Policy 2.5 Proposal: Add definition of "mis-issuance"

2017-06-07 Thread Jakob Bohm via dev-security-policy
On 07/06/2017 16:43, Nick Lamb wrote: On Tuesday, 6 June 2017 21:08:54 UTC+1, Ryan Sleevi wrote: Standards defining organization. More usually a Standards _Development_ Organization. I wouldn't usually feel the need to offer this correction but in this context we care a good deal about the

Re: Policy 2.5 Proposal: Add definition of "mis-issuance"

2017-06-07 Thread Ryan Sleevi via dev-security-policy
On Wed, Jun 7, 2017 at 11:25 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > Note that I also had a second, related, point: The possibility that such > a new piece of infrastructure was, for other reasons, not endorsed by > Mozilla, but of great interest

Mozilla requirements of Symantec

2017-06-07 Thread Gervase Markham via dev-security-policy
Hi Steve, I'm writing to you in your role as the Primary Point of Contact for Symantec with regard to the Mozilla Root Program. I am writing with a list of Mozilla-specific additions to the consensus remediation proposal for Symantec, as documented by Google. We note that you have raised a

Re: Policy 2.5 Proposal: Add definition of "mis-issuance"

2017-06-07 Thread Jakob Bohm via dev-security-policy
On 07/06/2017 17:41, Ryan Sleevi wrote: On Wed, Jun 7, 2017 at 11:25 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: Note that I also had a second, related, point: The possibility that such a new piece of infrastructure was, for other reasons, not

Re: Policy 2.5 Proposal: Add definition of "mis-issuance"

2017-06-07 Thread Rob Stradling via dev-security-policy
On 06/06/17 22:26, Jakob Bohm wrote: On 06/06/2017 22:08, Ryan Sleevi wrote: Signing data is heavily reliant on CA competency, and that's in unfortunately short supply, as the economics of the CA market make it easy to fire all the engineers, while keeping the sales team, and outsourcing

Re: Mozilla requirements of Symantec

2017-06-07 Thread Jakob Bohm via dev-security-policy
Hi Gervase, there seems to be a slight inconsistency between the terminology in the plan posted at https://groups.google.com/a/chromium.org/d/msg/blink-dev/eUAKwjihhBs/ovLalSBRBQAJ And the official letter quoted below. I have added potential clarifications to fix this, please indicate, for

Re: New undisclosed intermediates

2017-06-07 Thread Jonathan Rudenberg via dev-security-policy
> On Jun 5, 2017, at 09:29, Alex Gaynor via dev-security-policy > wrote: > > Happy Monday! > > Another week, another set of intermediate certs that have shown up in CT > without having been properly disclosed: >

Re: New undisclosed intermediates

2017-06-07 Thread Matthew Hardeman via dev-security-policy
On Wednesday, June 7, 2017 at 6:45:25 PM UTC-5, Jonathan Rudenberg wrote: > Yet another batch of undisclosed intermediates has shown up in CT: > > - > https://crt.sh/?sha256=f01c1aca392882af152e9f01ecccd0afddd8aa35bf895b003198b1e8c752ddb8 > - >

Re: New undisclosed intermediates

2017-06-07 Thread Jonathan Rudenberg via dev-security-policy
> On Jun 7, 2017, at 21:56, Matthew Hardeman via dev-security-policy > wrote: > > On Wednesday, June 7, 2017 at 6:45:25 PM UTC-5, Jonathan Rudenberg wrote: > >> Yet another batch of undisclosed intermediates has shown up in CT: >> >> - >>

Re: Policy 2.5 Proposal: Add definition of "mis-issuance"

2017-06-07 Thread Nick Lamb via dev-security-policy
On Tuesday, 6 June 2017 21:08:54 UTC+1, Ryan Sleevi wrote: > Standards defining organization. More usually a Standards _Development_ Organization. I wouldn't usually feel the need to offer this correction but in this context we care a good deal about the fact that SDOs are where the actual