Re: TunRootCA2 root inclusion request

2017-07-31 Thread Olfa Kaddachi via dev-security-policy
Hi Jonathan, Please find below the description of the technical and organizational controls required: 1) The currently process of certificates issuance is composed by 4 steps: step 1: Registration process: This step consists of the verification of the following items: •the subscriber identify

Thank you, we received your email #M10366628

2017-07-31 Thread Avas Flowers via dev-security-policy
Thank you for your emailThis is an automatic message confirming that we received your email.Email responses typically occur within 8 business hours during normal operating times.During Holiday Seasons Mothers Day and Valentines Day responses to emails may take up to 5 business days. We appreciate

Re: TunRootCA2 root inclusion request

2017-07-31 Thread Gervase Markham via dev-security-policy
Hi Olfa, On 31/07/17 11:55, Olfa Kaddachi wrote: > 2) The deficiencies identified in those controls after the misissuance of > each of these certificates are essentially: > •controls on the field subject alternative names : > o this field must not contains private addresses > o this

Re: Final Decision by Google on Symantec

2017-07-31 Thread Gervase Markham via dev-security-policy
On 29/07/17 23:45, Peter Bowen wrote: > First, when the server authentication trust will bits be removed from > the existing roots. This is of notable importance for non-Firefox > users of NSS. Based on the Chrome email, it looks like they will > remove trust bits in their git repo around August

Re: Final Decision by Google on Symantec

2017-07-31 Thread Jakob Bohm via dev-security-policy
On 31/07/2017 16:06, Gervase Markham wrote: On 31/07/17 15:00, Jakob Bohm wrote: It was previously stated in this newsgroup that non-SSLServer trust would not be terminated, at least for now. It was? Reference, please? That was my general impression, I don't have a good way to search the

Re: Miss-issuance: URI in dNSName SAN

2017-07-31 Thread Gervase Markham via dev-security-policy
On 25/07/17 18:13, Jeremy Rowley wrote: > I would also love to see a more standardized notice mechanism that is > universal to all CAs. Right now, notifying CAs is a pain as some have > different webforms, some use email, and some don't readily tell you how to > contact them about certificate

Re: Final Decision by Google on Symantec

2017-07-31 Thread Peter Bowen via dev-security-policy
On Mon, Jul 31, 2017 at 7:17 AM, Jakob Bohm via dev-security-policy wrote: > On 31/07/2017 16:06, Gervase Markham wrote: >> >> On 31/07/17 15:00, Jakob Bohm wrote: >>> >>> - Due to current Mozilla implementation bugs, >> >> >> Reference, please? >> > > I am

Re: Final Decision by Google on Symantec

2017-07-31 Thread Jakob Bohm via dev-security-policy
On 28/07/2017 18:36, David E. Ross wrote: On 7/28/2017 6:34 AM, Alex Gaynor wrote: Frankly I was surprised to see Chromium reverse course on this -- they have a history of aggressive leadership in their handling of CA failures, it's a little disappointing to see them abandon that. I'd strongly

Re: Final Decision by Google on Symantec

2017-07-31 Thread Jakob Bohm via dev-security-policy
On 30/07/2017 00:45, Peter Bowen wrote: On Thu, Jul 27, 2017 at 11:14 PM, Gervase Markham via dev-security-policy wrote: Google have made a final decision on the various dates they plan to implement as part of the consensus plan in the Symantec matter.

Re: Final Decision by Google on Symantec

2017-07-31 Thread Eric Mill via dev-security-policy
Given that we're past the 7/31 deadline and the comments in support of following Chrome's lead, it sounds likely that that's what's happening. And I think that's an understandable conclusion for Mozilla to draw, given the compatibility risk Mozilla would be leading on for at least several months.