Groups

dev-security-policy@mozilla.org

1–30 of 329

Welcome to the dev-security-policy group in which we discuss security-related policies, governance, and related topics; including discussion of Mozilla’s Root Store Policy and the NSS root certificate store.

Mailing List: dev-security-policy@mozilla.org
Web: https://groups.google.com/a/mozilla.org/g/dev-security-policy
Subscribe by using the button "Ask to join group" and complete the box "Reason for joining". Membership requests must provide context for your interest in joining the group. Requests without this information will be rejected.
Participation Guidelines: https://www.mozilla.org/about/governance/policies/participation/
Participants: https://wiki.mozilla.org/CA/Policy_Participants
Unsubscribe by sending email to: dev-security-policy+unsubscribe@mozilla.org
Previous archives (2009-2021): https://groups.google.com/g/mozilla.dev.security.policy
RSS feed: https://www.mail-archive.com/dev-security-policy@mozilla.org/maillist.xml

0 selected

Youfu Zhang, … Wayne7

Sep 4

Incident Report: Mis-issued Certificates for SAN iPAddress:1.1.1.1 by Fina RDC 2020

A glance through censys with the following query and a report checking parsed.extensions.

unread,

Incident Report: Mis-issued Certificates for SAN iPAddress:1.1.1.1 by Fina RDC 2020

A glance through censys with the following query and a report checking parsed.extensions.

Sep 4

Aug 22

Approval of OISTE Root CA Certificate Request

All, The Mozilla root inclusion process is outlined here: https://wiki.mozilla.org/CA/

unread,

Approval of OISTE Root CA Certificate Request

All, The Mozilla root inclusion process is outlined here: https://wiki.mozilla.org/CA/

Aug 22

Ivan, Ben Wilson4

Aug 8

Inquiry on "Acceptable" CA criteria, after remove of non-discrimination clause

Just realized that I've sent a previous message using a Google Groups web form, and it's most

unread,

Inquiry on "Acceptable" CA criteria, after remove of non-discrimination clause

Just realized that I've sent a previous message using a Google Groups web form, and it's most

Aug 8

Jul 23

Preview of Let's Encrypt's upcoming Root Ceremony

Hi Sándor, Good question! The first interpretation is correct. The authorityKeyIdentifier extension

unread,

Preview of Let's Encrypt's upcoming Root Ceremony

Hi Sándor, Good question! The first interpretation is correct. The authorityKeyIdentifier extension

Jul 23

Jul 14

Fwd: [Smcwg-public] Deprecation of Legacy

Forwarding for additional visibility and notice to SMIME-issuing CAs. ---------- Forwarded message --

unread,

Fwd: [Smcwg-public] Deprecation of Legacy

Forwarding for additional visibility and notice to SMIME-issuing CAs. ---------- Forwarded message --

Jul 14

Hanno Böck, … John Schanck4

Jun 20

Limitations of aggreated CRL revocation checks

Right, Mozilla root store policy [1] requires CAs to disclose their CRLs in CCADB. Mozilla's

unread,

Limitations of aggreated CRL revocation checks

Right, Mozilla root store policy [1] requires CAs to disclose their CRLs in CCADB. Mozilla's

Jun 20

Ben Wilson, … Jeremy Rowley64

Jun 18

Results of 2025 Roundtable Discussion

Sounds good. The 50k number sounds about right based on those bugs too. Most CPS errors do not

unread,

Results of 2025 Roundtable Discussion

Sounds good. The 50k number sounds about right based on those bugs too. Most CPS errors do not

Jun 18

Dana Keeler, … Pierre Barre10

Jun 18

Certificate Transparency is now enforced in Firefox on desktop platforms starting with version 135

Hello, I am quite late to the party on this thread, but having recently implemented a CT log (https:/

unread,

Certificate Transparency is now enforced in Firefox on desktop platforms starting with version 135

Hello, I am quite late to the party on this thread, but having recently implemented a CT log (https:/

Jun 18

Jun 17

Approval of SwissSign's Root Inclusion Requests

All, The Mozilla root inclusion process is outlined here: https://wiki.mozilla.org/CA/

unread,

Approval of SwissSign's Root Inclusion Requests

All, The Mozilla root inclusion process is outlined here: https://wiki.mozilla.org/CA/

Jun 17

Amir Omidi, … Watson Ladd6

Jun 15

Email I've received regarding Digicert

Dear Digicert and other dev sec policy people, I think this email and the response raises a lot of

unread,

Email I've received regarding Digicert

Dear Digicert and other dev sec policy people, I think this email and the response raises a lot of

Jun 15

Matt Palmer, … Mike Shaver13

Jun 10

Mitigations needed for legal action imposing delayed revocation

On Tue, Jun 10, 2025 at 08:38:44AM -0400, Mike Shaver wrote: > (In the history of distrust events,

unread,

Mitigations needed for legal action imposing delayed revocation

On Tue, Jun 10, 2025 at 08:38:44AM -0400, Mike Shaver wrote: > (In the history of distrust events,

Jun 10

Ben Wilson, Arabella Barks3

Jun 6

Approval of TrustAsia's root inclusion request

Thanks for letting me know. I think it was a clip-and-paste error. Here are the correct links:

unread,

Approval of TrustAsia's root inclusion request

Thanks for letting me know. I think it was a clip-and-paste error. Here are the correct links:

Jun 6

Hanno Böck, … Suchan Seo4

May 18

Unusual / unparseable internediate certificate in CT log (cPanel)

https://github.com/golang/go/commit/51ff3a6965b3fc40aceebe90eaf15a8a1a00a452 looks like it fixed in

unread,

Unusual / unparseable internediate certificate in CT log (cPanel)

https://github.com/golang/go/commit/51ff3a6965b3fc40aceebe90eaf15a8a1a00a452 looks like it fixed in

May 18

Xiaohui Lam, … Matt Palmer16

May 16

Extended discuss of ACME DNS Labeled With ACME Account ID Challenge

Hi Matt, Thanks for your participation in the discussion. I think rare is just my personal habit of

unread,

Extended discuss of ACME DNS Labeled With ACME Account ID Challenge

Hi Matt, Thanks for your participation in the discussion. I think rare is just my personal habit of

May 16

Aaron Gable, Corey Bonnell2

May 15

New Bugzilla Report regarding issuance for Internationalized Domain Names

Hi Aaron, Thanks for raising this. Regarding the callout on P-labels in the bug: > By these

unread,

New Bugzilla Report regarding issuance for Internationalized Domain Names

Hi Aaron, Thanks for raising this. Regarding the callout on P-labels in the bug: > By these

May 15

May 12

Draft Agenda for Roundtable Discussion

Here is a draft agenda: Mozilla Root Program Roundtable – Draft Agenda (90 minutes) Welcome and

unread,

Draft Agenda for Roundtable Discussion

Here is a draft agenda: Mozilla Root Program Roundtable – Draft Agenda (90 minutes) Welcome and

May 12

Ben Wilson, … Mike Shaver10

May 12

Mozilla CA Program Roundtable Discussion

All, Listed below are some of the survey results and the top-scoring topics for Friday's

unread,

Mozilla CA Program Roundtable Discussion

All, Listed below are some of the survey results and the top-scoring topics for Friday's

May 12

Rich Salz, Peter Bowen3

May 6

So it looks like I'm not really missing anything. As Peter Bowen pointed out, VikingCloud owns a

unread,

So it looks like I'm not really missing anything. As Peter Bowen pointed out, VikingCloud owns a

May 6

Apr 29

Updated Mass Revocation wiki page

All, I have updated the Mass Revocation Events (MRE) wiki page with a new section that outlines

unread,

Updated Mass Revocation wiki page

All, I have updated the Mass Revocation Events (MRE) wiki page with a new section that outlines

Apr 29

Ben Wilson, … Doug Beattie5

Apr 28

Websites Trust Bit Removal in 2026

Hi Doug, You're right. My mistake. They would be April 15, 2028. Thanks, Ben On Mon, Apr 28, 2025

unread,

Websites Trust Bit Removal in 2026

Hi Doug, You're right. My mistake. They would be April 15, 2028. Thanks, Ben On Mon, Apr 28, 2025

Apr 28

Ben Wilson, … Arabella Barks23

Apr 18

Postponement of Removal of Websites Trust Bit for ePKI Root CA

Greetings, I tested it in Firefox, and the website provided me with a certificate issued by

unread,

Postponement of Removal of Websites Trust Bit for ePKI Root CA

Greetings, I tested it in Firefox, and the website provided me with a certificate issued by

Apr 18

Ben Wilson, … 大野文彰4

Apr 1

MRSP 3.0: Published

Hello Ben-san, Thank you for your quick and courteous reply. We will prepare a report on how to post

unread,

MRSP 3.0: Published

Hello Ben-san, Thank you for your quick and courteous reply. We will prepare a report on how to post

Apr 1

Arabella Barks, … Aaron Gable14

Mar 25

Discussions on mechanism to enhance the Use of Digital Certificate Private Keys Similar to PwnedKeys

Possession of a CSR is not proof of compromise. For a quick demonstration, here are 45k CSRs which I

unread,

Discussions on mechanism to enhance the Use of Digital Certificate Private Keys Similar to PwnedKeys

Possession of a CSR is not proof of compromise. For a quick demonstration, here are 45k CSRs which I

Mar 25

Mar 12

Mozilla Security Blog Post on MRSP v. 3.0

All, Here is a recent blog post with MRSP v.3.0 as the main subject. https://blog.mozilla.org/

unread,

Mozilla Security Blog Post on MRSP v. 3.0

All, Here is a recent blog post with MRSP v.3.0 as the main subject. https://blog.mozilla.org/

Mar 12

Mar 11

Mass Revocation Planning Guidance

All, To assist CA operators in complying with MRSP section 6.1.3, I have started a wiki page to

unread,

Mass Revocation Planning Guidance

All, To assist CA operators in complying with MRSP section 6.1.3, I have started a wiki page to

Mar 11

Feb 20

Results of the Mozilla February 2025 CA Communication and Survey

All, Here are the responses to the Mozilla February 2025 CA Communication and Survey. The responses

unread,

Results of the Mozilla February 2025 CA Communication and Survey

All, Here are the responses to the Mozilla February 2025 CA Communication and Survey. The responses

Feb 20

Ben Wilson, … Jeremy Rowley7

Feb 19

MRSP 3.0: Survey Results and Status Update

All, I have renamed the previously-mentioned branch to Final Updates 3.0 (https://github.com/mozilla/

unread,

MRSP 3.0: Survey Results and Status Update

All, I have renamed the previously-mentioned branch to Final Updates 3.0 (https://github.com/mozilla/

Feb 19

Feb 18

Mass Revocation Incident Preparation and Testing Plan

Here is a non-normative template based on requests from CAs for guidance on the upcoming MRSP section

unread,

Mass Revocation Incident Preparation and Testing Plan

Here is a non-normative template based on requests from CAs for guidance on the upcoming MRSP section

Feb 18

Hanno Böck, … Pierre Barre17

Feb 16

Concerns about very-short-lived certificates

Subject: Professionalism and Constructive Discussion Matt, Your response crosses the line from

unread,

Concerns about very-short-lived certificates

Subject: Professionalism and Constructive Discussion Matt, Your response crosses the line from

Feb 16

Amir Omidi (aaomidi), … Entschew, Enrico4

Feb 12

d-trust data protection incident

Hi Hanno, I have inserted my answers further down in the text --> <-- and hope to contribute to

unread,

d-trust data protection incident

Hi Hanno, I have inserted my answers further down in the text --> <-- and hope to contribute to

Feb 12

Search

Clear search

Close search

Google apps

Main menu