dev-security-policy@mozilla.org
Welcome to the dev-security-policy group in which we discuss security-related policies, governance, and related topics; including discussion of Mozilla’s Root Store Policy and the NSS root certificate store.
Mailing List: dev-security-policy@mozilla.org
Web: https://groups.google.com/a/mozilla.org/g/dev-security-policy
Subscribe by using the button "Ask to join group" and complete the box "Reason for joining".
Membership requests must provide context for your interest in joining the group. Requests without this information will be rejected.
Participation Guidelines: https://www.mozilla.org/about/governance/policies/participation/
Participants: https://wiki.mozilla.org/CA/Policy_Participants
Unsubscribe by sending email to: dev-security-policy+unsubscribe@mozilla.org
Previous archives (2009-2021): https://groups.google.com/g/mozilla.dev.security.policy
RSS feed: https://www.mail-archive.com/dev-security-policy@mozilla.org/maillist.xml
Ben Wilson
Feb 24
MRSP 3.0: Published
Greetings all, The final version of MRSP v.3.0 is now published with an effective date of March 15,
Ben Wilson
Feb 20
Results of the Mozilla February 2025 CA Communication and Survey
All, Here are the responses to the Mozilla February 2025 CA Communication and Survey. The responses
Ben Wilson, … Jeremy Rowley (7)
Feb 19
MRSP 3.0: Survey Results and Status Update
All, I have renamed the previously-mentioned branch to Final Updates 3.0 (https://github.com/mozilla/
Ben Wilson
Feb 18
Mass Revocation Incident Preparation and Testing Plan
Here is a non-normative template based on requests from CAs for guidance on the upcoming MRSP section
Hanno Böck, … Pierre Barre (17)
Feb 16
Concerns about very-short-lived certificates
Subject: Professionalism and Constructive Discussion Matt, Your response crosses the line from
Arabella Barks, Matt Palmer (4)
Feb 15
Discussions on mechanism to enhance the Use of Digital Certificate Private Keys Similar to PwnedKeys
On Thu, Feb 06, 2025 at 10:48:28PM -0800, Arabella Barks wrote: > In my opinion, currently each
Amir Omidi (aaomidi), … Entschew, Enrico (4)
Feb 12
d-trust data protection incident
Hi Hanno, I have inserted my answers further down in the text --> <-- and hope to contribute to
Ben Wilson, … Tim Callan (13)
Feb 11
Proposal to Close Delayed Revocation Incidents
Here are the results of my triage: CA Bugzilla Status HARICA https://bugzilla.mozilla.org/show_bug.
Jeremy Rowley, … Rob Stradling (24)
Feb 7
Sectigo acquires Entrust business
> The fact that Linux distributions and other software like Alpine and curl are "copying
Ben Wilson
Feb 7
Root Program Guidance/Issue Classification
On Fri, Feb 7, 2025 at 8:41 AM Mike Shaver <mike....@gmail.com> wrote https://groups.google.
Dana Keeler, … Jeremy Rowley (9)
Feb 4
Certificate Transparency is now enforced in Firefox on desktop platforms starting with version 135
Personally, I don't think I fundamentally disagree with anything in that blog post. Much of the
Ben Wilson, … Rob Stradling (49)
Feb 3
MRSP 3.0: Issue #276: Delayed Revocation
All, I have edited proposed section 6.1.3 of the MRSP to add/allow "annual plan testing through
Jeremy Rowley
Jan 30
Legal transfer of ownership and MDSP
I've been looking at Section 8.1 of the Mozilla CA policy, and I think you could easily game the
Ben Wilson
Jan 27
MRSP 3.0: Request for Feedback: Draft CA Communication and Survey
Greetings All, I am finalizing a mass email communication and survey to be sent to CA operators that
Hanno Böck
Jan 24
Fortinet incident
Hi, As many will likely have heard, there has been a leak of fortinet configuration files posted to
Hanno Böck
Jan 24
Certificate problem reporting undermined by Microsoft spam filters
Hi, I have recently reported a number of certificates with compromised private keys to CAs due to the
Ben Wilson (2)
Jan 22
MRSP 3.0: Issue #s 270 and 271: Incident Reporting
All, I am proposing that we reduce the language in MRSP section 2.4 (Incidents) even more, and rely
Ben Wilson, … Doug Beattie (12)
Jan 16
MRSP 3.0: Issue #279: TLS-specific and S/MIME-specific Root CAs
Hi Doug, I can make changes in section 7.5 to explicitly exempt OCSP Signing Certificates by adding
Ben Wilson
Jan 14
Approval of SECOM Request for Cybertrust Japan SureMail CA G5
All, Public discussion of the SECOM request regarding issuance of a CA certificate for the Cybertrust
Mike Benza, … Jeffrey Walton (4)
Jan 10
GLOBALTRUST 2020's reinclusion in Mozilla's trusted certificates
On Friday, January 10, 2025 at 12:13:51 PM UTC-5 Andrew Ayer wrote: Hi Mike, GLOBALTRUST was never
Ben Wilson, … Rob Stradling (8)
Jan 9
MRSP 3.0: Issue #283: Automation of certificate issuance and renewal
Hi Adriano, If needed, we can clarify the language to communicate better our expectation that renewal
Ben Wilson (2)
12/18/24
Timing of Public Discussion of S/MIME External Sub CA
All, I intend to start public discussion of this matter using the CCADB Public list (https://groups.
Ben Wilson, Roman Fischer (3)
12/11/24
MRSP 3.0: Issue #275: CA Key Protection
Thanks, Roman, for your questions. With respect to CA key protection, gaps in audit reports raise a
Ben Wilson
12/3/24
Approval of D-Trust's 2023 Root CAs
Greetings, Public discussion regarding inclusion of the following D-Trust root CA certificates
Ben Wilson, … Dimitris Zacharopoulos (3)
11/27/24
MRSP 3.0: Issue #263: Clarify sentence prohibiting blank sections that also contain no Subsections in CPs and CPSes
Ben, Could you please propose this exact language to the CABF SCWG in response to the failed SC-74?
Hanno Böck, … Mike Shaver (3)
11/26/24
Certificate with compromised key / *.digicert-demo.com
Possibly of interest in blocking keys is Matt Palmer's great work in this space: https://
Ben Wilson
11/20/24
Fwd: Further Improving the CCADB Incident Reporting Guidelines (FEEDBACK REQUESTED)
All, Forwarding here - please see below. Comments can be provided preferably on GitHub or on the
M THUG, … Dana Keeler (7)
11/18/24
Reg : Inquiry Regarding Removal of Certificates with Specific SHA1 Fingerprints
Note that that certificate was not removed from NSS, but rather had its trust bits edited so that it
Matt Palmer, … Amir Omidi (6)
11/10/24
The Pwnedkeys Revokinator is back!
On Sun, Nov 10, 2024 at 06:19:50PM -0500, Amir Omidi wrote: > Trying to understand why signing
Aaron Gable, … Matt Palmer (12)
11/2/24
Assuming keyCompromise for unspecified-reason revocations
On Fri, Nov 01, 2024 at 06:47:54PM -0500, Jaime Hablutzel wrote: > > On 1 Nov 2024, at 7:28 AM,