On Fri, Apr 6, 2018 at 3:09 PM, Peter Bowen wrote:
>
> A CP is an optional document and may be maintained by an entity other
> than the CA. For example there may be a common policy that applies to
> all CAs that have a path to a certain anchor. So including the CA
> list in a CP is not useful.
On Mon, Apr 2, 2018 at 5:15 PM, Wayne Thayer via dev-security-policy
wrote:
> On Mon, Apr 2, 2018 at 4:36 PM, Jakob Bohm via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>>
>> While Entrust happens to do this, as a relying party, I dislike frequent
>> updates to CP/CPS d
On Thu, Apr 5, 2018 at 4:08 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On 04/04/2018 16:01, Ryan Sleevi wrote:
>
>> On Tue, Apr 3, 2018 at 11:42 AM, Jakob Bohm via dev-security-policy <
>>
>> dev-security-policy@lists.mozilla.org> wrote:
>>
>> On 03/04
On 04/04/2018 16:01, Ryan Sleevi wrote:
On Tue, Apr 3, 2018 at 11:42 AM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
On 03/04/2018 14:57, Ryan Sleevi wrote:
On Mon, Apr 2, 2018 at 9:03 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mo
On Tue, Apr 3, 2018 at 11:42 AM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On 03/04/2018 14:57, Ryan Sleevi wrote:
>
>> On Mon, Apr 2, 2018 at 9:03 PM, Jakob Bohm via dev-security-policy <
>> dev-security-policy@lists.mozilla.org> wrote:
>>
>> On 03/04/20
On 03/04/2018 14:57, Ryan Sleevi wrote:
On Mon, Apr 2, 2018 at 9:03 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
On 03/04/2018 02:15, Wayne Thayer wrote:
On Mon, Apr 2, 2018 at 4:36 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mo
On Mon, Apr 2, 2018 at 9:03 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On 03/04/2018 02:15, Wayne Thayer wrote:
>
>> On Mon, Apr 2, 2018 at 4:36 PM, Jakob Bohm via dev-security-policy <
>> dev-security-policy@lists.mozilla.org> wrote:
>>
>>
>>> While E
On 03/04/2018 02:15, Wayne Thayer wrote:
On Mon, Apr 2, 2018 at 4:36 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
While Entrust happens to do this, as a relying party, I dislike frequent
updates to CP/CPS documents just for such formal changes.
This c
On Mon, Apr 2, 2018 at 4:36 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> While Entrust happens to do this, as a relying party, I dislike frequent
> updates to CP/CPS documents just for such formal changes.
>
> This creates a huge loophole. The CP/CPS i
On 29/03/2018 20:46, Wayne Thayer wrote:
Thanks everyone for your input on this topic. I'm hearing consensus that we
should not require a newly issued subordinate CA certificate to appear on
an audit statement prior to being used to sign end-entity certificates.
This is something that could be cl
On 02/04/2018 17:12, Julian Inza wrote:
On Saturday, March 31, 2018, 3:01:29 (UTC+2), Wayne Thayer wrote:
On Thu, Mar 29, 2018 at 12:55 PM, Ryan Sleevi wrote:
I think, for new CAs, the KGC report and the stated CP/CPS, combined with
ensuring that the next audit that covers the period
On Saturday, March 31, 2018, 3:01:29 (UTC+2), Wayne Thayer wrote:
> On Thu, Mar 29, 2018 at 12:55 PM, Ryan Sleevi wrote:
>
> >
> > I think, for new CAs, the KGC report and the stated CP/CPS, combined with
> > ensuring that the next audit that covers the period of time stated on the
> > KGC
On Thu, Mar 29, 2018 at 12:55 PM, Ryan Sleevi wrote:
>
> I think, for new CAs, the KGC report and the stated CP/CPS, combined with
> ensuring that the next audit that covers the period of time stated on the
> KGC report includes that certificate, seems like a reasonable balance.
>
I'll add this
Tim,
On Fri, Mar 30, 2018 at 7:00 AM, crawfordtimj--- via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Thursday, March 29, 2018 at 2:56:17 PM UTC-5, Ryan Sleevi wrote:
> > On Thu, Mar 29, 2018 at 2:46 PM, Wayne Thayer via dev-security-policy <
> > dev-security-policy@l
On Thursday, March 29, 2018 at 2:56:17 PM UTC-5, Ryan Sleevi wrote:
> On Thu, Mar 29, 2018 at 2:46 PM, Wayne Thayer via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> I think, for new CAs, the KGC report and the stated CP/CPS, combined with
> ensuring that the next audi
On Thu, Mar 29, 2018 at 2:46 PM, Wayne Thayer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Thanks everyone for your input on this topic. I'm hearing consensus that we
> should not require a newly issued subordinate CA certificate to appear on
> an audit statement prior
rufus.buschart=siemens@lists.mozilla.org] On Behalf Of Bruce
> via dev-security-policy
> Sent: Wednesday, March 28, 2018 23:38
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Audits for new subCAs
>
> Entrust does the following:
> - Each subCA certificate is created throu
-policy
Sent: Wednesday, March 28, 2018 23:38
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Audits for new subCAs
Entrust does the following:
- Each subCA certificate is created through an audited ceremony. The auditor
creates a report indicating the key ID and the CPS which was used
Entrust does the following:
- Each subCA certificate is created through an audited ceremony. The auditor
creates a report indicating the key ID and the CPS which was used for key
generation.
- When it is time for the subCA to go into production, an intermediate
certificate is issued from a root.
Both :)
Having a new audit per online CA is going to be very expensive and
cause TSPs to heavily limit the number of online CAs they have.
Additionally all of these would be point-in-time audits, which only
report on design of controls. Assuming the design is consistent
between CAs, then there is no
Peter,
Are you advocating for option #2 (TSP self-attestation) because you think
that option #3 (audit) is unreasonable, or because you believe there is a
benefit to Mozilla's users in a self-attestation beyond what we get from
the existing requirement for CCADB disclosure?
On Fri, Mar 23, 2018 a
On Fri, Mar 23, 2018 at 11:34 AM, Wayne Thayer via dev-security-policy
wrote:
> Recently I've received a few questions about audit requirements for
> subordinate CAs newly issued from roots in our program. Mozilla policy
> section 5.3.2 requires these to be disclosed "within a week of certificate
Apologies. By choosing to use the term TSP when referring to an
organization operating a PKI, I thought I had made my meaning clear. I now
realize I inferred "certificate" when I used the term "subordinate CA". I
meant "subordinate CA certificate" in all cases where I wrote "subordinate
CA" or "sub
On 3/23/2018 11:34 AM, Wayne Thayer wrote:
> Recently I've received a few questions about audit requirements for
> subordinate CAs newly issued from roots in our program. Mozilla policy
> section 5.3.2 requires these to be disclosed "within a week of certificate
> creation, and before any such subC
On 23/03/2018 19:34, Wayne Thayer wrote:
Recently I've received a few questions about audit requirements for
subordinate CAs newly issued from roots in our program. Mozilla policy
section 5.3.2 requires these to be disclosed "within a week of certificate
creation, and before any such subCA is all
25 matches