Üdvözlettel/Regards,
Varga Viktor
Üzemeltetési és Vevőszolgálati Vezető
IT Service and Customer Service Executive
Netlock Kft.
> -----Original Message-----
> From: dev-security-policy-
> bounces+varga.viktor=netlo...@lists.mozilla.org [mailto:dev-security-
> policy-bounces+varga.viktor=netlo...@lists.mozilla.org] On Behalf Of
> Kathleen Wilson
> Sent: Thursday, January 20, 2011 7:16 PM
> To: mozilla-dev-s...@lists.mozilla.org
> Subject: Updated Mozilla CA Certificate Policy Version 2.0
>
> All,
>
> Thank you for the thoughtful input that you have contributed to the
> discussions about updating the Mozilla CA Certificate Policy. Here
> follows a description of the resulting changes.
>
> These changes are still open for discussion.
>
> In addition to increasing the time for CAs to comply with Version 2.0 of
> the Mozilla CA Certificate Policy from 3 months to 6 months, I have made
> the following changes.
>
> http://www.mozilla.org/projects/security/certs/policy/WorkInProgress/InclusionPolicy.html
>
> Section 6:
>
> Removed
> > limit the validity period of end-entity certificates to
> > thirty-nine months or less;
>
> Added
> < verify that all of the information that is included in SSL
> < certificates is current and correct at time intervals of
> < twenty-four months or less;
>
> Section 7:
> Changed the "and" to "or" in the first bullet.
>
> > all information that is supplied by the certificate subscriber must
> > be verified by using an independent source of information and an
> > alternative communication channel before it is included in the
> > certificate;
>
> < all information that is supplied by the certificate subscriber must
> < be verified by using an independent source of information or an
> < alternative communication channel before it is included in the
> < certificate;
>
> Section 9:
>
> Removed
> > Clause 7, "Requirements on CA practice", in ETSI TS 102 042 V1.1.1
> > (2002-04) or later version, Policy requirements for certification
> > authorities issuing public key certificates (as applicable to any of
> > the "NCP", "NCP+", or "LCP" certificate policies);
>
> Moved this item up in the list, taking the place of the removed item.
> < Clause 7, "Requirements on CA practice", in ETSI TS 102 042 V2.1.2
> < (2010-04) or later version, Policy requirements for certification
> < authorities issuing public key certificates (as applicable to the
> < "EVCP" and "EVCP+" certificate policies, and any of
> < the "NCP", "NCP+", or "LCP" certificate policies);
>
>
> http://www.mozilla.org/projects/security/certs/policy/WorkInProgress/MaintenancePolicy.html
>
> Section 2:
>
> Removed
> > the CA receives notice or otherwise becomes aware that a wildcard
> > certificate has been used to authenticate a subdomain name that
> > appears to be intended to mislead users as to the identity of
> > the site's operator;
>
> Section 9:
>
> Changed
> > all new certificates must contain at least 20 bits of
> > cryptographically secure randomness (preferably in the serial number)
> > generated from a random number generator using an algorithm that is
> > eligible for FIPS 140-2 validation at the time the certificate is
> > generated, especially when using the SHA-1 hash function or an RSA
> > key size smaller than 2048 bits.
>
> To
> < all new end-entity certificates must contain at least 20 bits of
> < unpredictable random data (preferably in the serial number).
>
>
> These changes and all of Version 2.0 of the Mozilla CA Certificate
> Policy are still open for discussion.
>
> Kathleen
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
> _______________________________________________________________________
> This email has been scanned for viruses and SPAM by the filter:mail
> MessageLabs System. More information: http://www.filtermax.hu
> _______________________________________________________________________
Should I do the consolidation between these on the wiki myself? :)
Regards, Viktor Varga
> Just looked back at my emails,
> My question is:
> I found the thirty-nine (twenty-four) in the Inclusion policy, but not in the Maintenance policy. Is this ok?
>
> Üdvözlettel/Regards,
>
> Varga Viktor
> Üzemeltetési és Vevőszolgálati Vezető
> IT Service and Customer Service Executive
> Netlock Kft.
Which wiki pages need to be updated?
Kathleen
On 4/13/11 8:56 AM, Varga Viktor wrote:
> I didn't get any reply about this.
>
> Should I do the consolidation between these on the wiki myself? :)
>
> Regards, Viktor Varga
>
>
>> Just looked back at my emails,
>> My question is:
>> I found the thirty-nine (twenty-four) in the Inclusion policy, but not in the Maintenance policy. Is this ok?
>>
>> Üdvözlettel/Regards,
>>
>> Varga Viktor
>> Üzemeltetési és Vevőszolgálati Vezető