Re: Public trust of VISA's CA

2017-09-20 Thread Martin Rublik via dev-security-policy
On Tue, Sep 19, 2017 at 5:22 PM, Alex Gaynor via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > https://crt.sh/mozilla-certvalidations?group=version=896972 is a very > informative graph for me -- this is the number of validations performed by > Firefox for certs under this

RE: DigiCert-Symantec Announcement

2017-09-20 Thread Jeremy Rowley via dev-security-policy
Thanks a ton, Ryan! This was very helpful, and we really appreciate the feedback and suggestions. Here’s what we currently use as publicly-trusted roots and how we use them: 1. Baltimore CyberTrust Root – Expires in 2025. Currently only used to support Verizon customers who have not

Re: Audit Reminder Email Summary

2017-09-20 Thread Kathleen Wilson via dev-security-policy
On Wednesday, September 20, 2017 at 6:34:04 AM UTC-7, Kurt Roeckx wrote: > On 2017-09-20 01:09, Kathleen Wilson wrote: > > Forwarded Message > > Subject: Summary of September 2017 Audit Reminder Emails > > Date: Tue, 19 Sep 2017 19:00:08 + (GMT) > > > > Mozilla: Overdue

Re: DigiCert-Symantec Announcement

2017-09-20 Thread Peter Bowen via dev-security-policy
On Tue, Sep 19, 2017 at 8:39 PM, Jeremy Rowley via dev-security-policy wrote: > > The current end-state plan for root cross-signing is provided at > https://bugzilla.mozilla.org/show_bug.cgi?id=1401384. The diagrams there show > all of the existing sub CAs

RE: DigiCert-Symantec Announcement

2017-09-20 Thread Jeremy Rowley via dev-security-policy
The original Mozilla plan was to distrust around Sep 2018. We're still planning for that date, but would appreciate it if trust was permitted around a single intermediate (say the DigiCert Global Trust G2 root?). If we need to use a separate root with no other certs as the transition, we

SHA-1 OCSP responder certificates

2017-09-20 Thread Frank Corday via dev-security-policy
On September 8, 2017, a member of our team discovered that one of our OCSP responder certificates had been signed with SHA-1 with a notBefore date of May 23, 2017. We initiated an investigation and discovered that there were a total of 4 such certificates, all issued on May 23 as annual renewals

Re: Public trust of VISA's CA

2017-09-20 Thread Jakob Bohm via dev-security-policy
On 20/09/2017 09:37, Martin Rublik wrote: On Tue, Sep 19, 2017 at 5:22 PM, Alex Gaynor via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: https://crt.sh/mozilla-certvalidations?group=version=896972 is a very informative graph for me -- this is the number of validations

Re: [saag] Fwd: New Version Notification for draft-belyavskiy-certificate-limitation-policy-04.txt

2017-09-20 Thread Dmitry Belyavsky via dev-security-policy
Dear Nikos On Wed, Sep 13, 2017 at 9:39 AM, Nikos Mavrogiannopoulos wrote: > > 4. How do you handle extensions to this format? > > Overall, why not use X.509 extensions to store such additional > constraints? We already (in the p11-kit trust store in Fedora/RHEL > systems) use

Re: Public trust of VISA's CA

2017-09-20 Thread Peter Bowen via dev-security-policy
On Wed, Sep 20, 2017 at 12:37 AM, Martin Rublik via dev-security-policy wrote: > On Tue, Sep 19, 2017 at 5:22 PM, Alex Gaynor via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >>

Re: DigiCert-Symantec Announcement

2017-09-20 Thread James Burton via dev-security-policy
Hi Jeremy, Is DigiCert planning on continuing selling DV certificates after the transition? As DigiCert has previously been vocal on the fact that the drawbacks of issuing DV certificates outweigh the benefits as stated here: https://www.digicert.com/dv-ssl-certificate.htm. If DigiCert is