Re: Sigh. stripe.ian.sh back with EV certificate for Stripe, Inc of Kentucky....

On 13/04/2018 19:18, Ryan Sleevi wrote: On Fri, Apr 13, 2018 at 1:13 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: Possible outcomes of such an investigation: 1. That CA does not consider paypal to be a high risk name. This is within their right, th

Re: Sigh. stripe.ian.sh back with EV certificate for Stripe, Inc of Kentucky....

I'm saying it's the most reasonable interpretation of what happened, as it assumes that no party acted maliciously. On 13/04/2018 18:41, Alex Gaynor wrote: Are you saying that's what actually happened, or that we should all pretend that's what happened? Because I don't believe anyone from GoDad

Re: Sigh. stripe.ian.sh back with EV certificate for Stripe, Inc of Kentucky....

On Mon, Apr 16, 2018 at 3:22 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > If that CA has a practice that they actually do something about high > risk names, it would still be expected (in the normal, not legal, > sense of the word) for that CA to includ

Re: Policy 2.6 Proposal: Require English Language Audit Reports

To close out this discussion, I've gone ahead with the proposed change, including the addition of the requirement that the English language version of the audit statement be an authoritative version: https://github.com/mozilla/pkipolicy/commit/e4cc785367350a46fc839639a28a92bd17d542e3 - Wayne On

Re: Policy 2.6 Proposal: Require audits back to first issuance

The proposed language includes the requirement for compliance with both the BRs and Mozilla policy, so it's a better fit for the section of our policy titled "Inclusions" than the section titled "Baseline Requirements Conformance". To close out this discussion, I added the proposed language to sect

Re: Policy 2.6 Proposal: For new inclusions, require all existing unexpired unrevoked certs in hierarchy to be BR compliant

I will consider this issue to be resolved by the change I made for issue 113: https://github.com/mozilla/pkipolicy/commit/55929f58da98a7af08fbf4bc2eb4537991de481b - Wayne On Wed, Apr 4, 2018 at 2:31 PM, Wayne Thayer wrote: > Last year we held a discussion on this topic [1] that concluded as fo

Re: Policy 2.6 Proposal: Audit requirements for new subCA certificates

On Wed, Apr 11, 2018 at 3:49 PM, Wayne Thayer wrote: > As an alternative to requiring newly-issued subCA Certificates to be > listed in the relevant CP/CPS prior to issuing certificates, would it be > reasonable for Mozilla to require the Certificate Policies extension in > these certificates to

Re: Policy 2.6 Proposal: Add prohibition on CA key generation to policy

On Tue, Apr 10, 2018 at 7:22 AM, Jürgen Brauckmann via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > > Am 10.04.2018 um 01:10 schrieb Wayne Thayer via dev-security-policy: > >> Getting back to the earlier question about email certificates, I am now of >> the opinion that

Re: Sigh. stripe.ian.sh back with EV certificate for Stripe, Inc of Kentucky....

On 17/04/2018 00:13, Ryan Sleevi wrote: On Mon, Apr 16, 2018 at 3:22 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: If that CA has a practice that they actually do something about high risk names, it would still be expected (in the normal, not legal, sens