dev-security-policy@mozilla.org

1–30 of 40

Welcome to the dev-security-policy group in which we discuss security-related policies, governance, and related topics; including discussion of Mozilla’s Root Store Policy and the NSS root certificate store.

Mailing List: dev-security-policy@mozilla.org
Web: https://groups.google.com/a/mozilla.org/g/dev-security-policy
Subscribe by sending email to: dev-security-policy+subscribe@mozilla.org
Unsubscribe by sending email to: dev-security-policy+unsubscribe@mozilla.org
Previous archives: https://groups.google.com/g/mozilla.dev.security.policy

0 selected

Buschart, Rufus

Jul 23

RE: Your opinion on misissuance under name constrained ICAs)

I created (with the help of Rob - thank you) a SQL statement (https://gist.github.com/RufusJWB/

unread,

RE: Your opinion on misissuance under name constrained ICAs)

I created (with the help of Rob - thank you) a SQL statement (https://gist.github.com/RufusJWB/

Jul 23

Buschart, Rufus, … Ryan Sleevi15

Jul 23

Your opinion on misissuance under name constrained ICAs

It sounds like you're saying something different: that you don't believe it's prohibited

unread,

Your opinion on misissuance under name constrained ICAs

It sounds like you're saying something different: that you don't believe it's prohibited

Jul 23

Kathleen Wilson, … Matthias van de Meent8

Jul 20

Audit Reminder Email Summary - Root Certificates

Correct. I filed the bug and then added the link there. Thanks, Kathleen On Tuesday, July 20, 2021 at

unread,

Audit Reminder Email Summary - Root Certificates

Correct. I filed the bug and then added the link there. Thanks, Kathleen On Tuesday, July 20, 2021 at

Jul 20

Kathleen Wilson, … Santiago Brox5

Jul 19

CCADB Update: New field JSON Array of Partitioned CRLs

All, The CCADB has been updated as follows: Updated the 'JSON Array of Partitioned CRLs'

unread,

CCADB Update: New field JSON Array of Partitioned CRLs

All, The CCADB has been updated as follows: Updated the 'JSON Array of Partitioned CRLs'

Jul 19

Watson Ladd, … Ryan Sleevi3

Jul 19

Broader lessons from 1718771

On Mon, Jul 19, 2021 at 9:28 AM 'Matthias van de Meent' via dev-security-policy@mozilla.org

unread,

Broader lessons from 1718771

On Mon, Jul 19, 2021 at 9:28 AM 'Matthias van de Meent' via dev-security-policy@mozilla.org

Jul 19

Ryan Hurst, … Matthew Hardeman24

Jul 14

IP Address Certificates via ACME

I believe the point that Matthias Merkel may be making is that there are, at present, multiple

unread,

IP Address Certificates via ACME

I believe the point that Matthias Merkel may be making is that there are, at present, multiple

Jul 14

Ben Wilson, … Sander Steenbergen16

Jul 7

Public Discussion of certSIGN's Externally Operated CA by KPN

Carefully reading through all the comments in this discussion has provided us with new insights. We

unread,

Public Discussion of certSIGN's Externally Operated CA by KPN

Carefully reading through all the comments in this discussion has provided us with new insights. We

Jul 7

Kathleen Wilson3

Jul 6

Audit Reminder Email Summary - Intermediate Certificates

-------- Forwarded Message -------- Subject: Summary of July 2021 Outdated Audit Statements for

unread,

Audit Reminder Email Summary - Intermediate Certificates

-------- Forwarded Message -------- Subject: Summary of July 2021 Outdated Audit Statements for

Jul 6

Ben Wilson, … yutian zheng9

Jul 4

Public Discussion re: Inclusion of the iTrusChina Root CAs

Hi All， iTrusChina submitted a document to answer a series of questions in Quantifying Value：

unread,

Public Discussion re: Inclusion of the iTrusChina Root CAs

Hi All， iTrusChina submitted a document to answer a series of questions in Quantifying Value：

Jul 4

James R Moir, … Aaron Gable5

Jul 1

Forward-date certificates?

Ah yeah, thanks for that perspective, that makes sense! Aaron On Tue, Jun 29, 2021 at 12:13 PM Ryan

unread,

Forward-date certificates?

Ah yeah, thanks for that perspective, that makes sense! Aaron On Tue, Jun 29, 2021 at 12:13 PM Ryan

Jul 1

James R Moir, … Stephen Davidson21

Jul 1

S/MIME certificate Subject

I'll take the opportunity to follow up on Ryan's introduction to the CA/Browser Forum's S

unread,

S/MIME certificate Subject

I'll take the opportunity to follow up on Ryan's introduction to the CA/Browser Forum's S

Jul 1

passerby184, … Jeremy Rowley9

Jun 25

Intermediate CAs that have both serverauth and Emailprotection extkeyusage

Both revocation and the CAB forum ballot changing the EKU requirement have effective dates. The

unread,

Intermediate CAs that have both serverauth and Emailprotection extkeyusage

Both revocation and the CAB forum ballot changing the EKU requirement have effective dates. The

Jun 25

Dimitris Zacharopoulos, … Ben Wilson8

Jun 24

Guidance for weekly updates on Bugzilla incidents

A CA can avoid posting repetitive, weekly "No updates" by posting a comment in the bug that

unread,

Guidance for weekly updates on Bugzilla incidents

A CA can avoid posting repetitive, weekly "No updates" by posting a comment in the bug that

Jun 24

Jun 24

CA Operations Community or Mailing-list?

I don't know if it is appropriate to discuss this in this mailing-list. If it NOT please let me

unread,

CA Operations Community or Mailing-list?

I don't know if it is appropriate to discuss this in this mailing-list. If it NOT please let me

Jun 24

Ben Wilson, … Syrine Tlili18

Jun 23

Public Discussion re: Inclusion of the TunTrust Root CA

I am pretty sure this is the correct link: https://bugzilla.mozilla.org/attachment.cgi?id=9228562 (

unread,

Public Discussion re: Inclusion of the TunTrust Root CA

I am pretty sure this is the correct link: https://bugzilla.mozilla.org/attachment.cgi?id=9228562 (

Jun 23

Yuki Yuki, … Moudrick M. Dadashov8

Jun 21

What does it mean by “An executed Subscriber Agreement or Terms of Use”

Thanks Ryan, By "quite close" I meant the similarity (non contradictory) of these: "

unread,

What does it mean by “An executed Subscriber Agreement or Terms of Use”

Thanks Ryan, By "quite close" I meant the similarity (non contradictory) of these: "

Jun 21

Ben Wilson, … Matthew Hardeman4

Jun 19

Process for Considering Externally Operated Subordinate CAs

I echo this question of why not just require them to become direct root program participants? With

unread,

Process for Considering Externally Operated Subordinate CAs

I echo this question of why not just require them to become direct root program participants? With

Jun 19

Ben Wilson, Andrew Ayer4

Jun 15

Public Discussion of HARICA's Root CA Inclusion Requests

On May 19, 2021, we began the public discussion period [Step 4 of the Mozilla Root Store CA

unread,

Public Discussion of HARICA's Root CA Inclusion Requests

On May 19, 2021, we began the public discussion period [Step 4 of the Mozilla Root Store CA

Jun 15

Ben Wilson, … Ryan Sleevi4

Jun 13

MRSP 6 and CPS 4.9.12 proof of key compromise compliance date

Thanks for your comments, Andrew and Ryan. The survey intended to gauge implementation timeframes for

unread,

MRSP 6 and CPS 4.9.12 proof of key compromise compliance date

Thanks for your comments, Andrew and Ryan. The survey intended to gauge implementation timeframes for

Jun 13

Aaron Gable, … Ryan Sleevi20

Jun 11

Treating timestamps as instants or intervals

On Thu, Jun 10, 2021 at 10:00 AM Ryan Sleevi <ryan@sleevi.com> wrote: With respect to incident

unread,

Treating timestamps as instants or intervals

On Thu, Jun 10, 2021 at 10:00 AM Ryan Sleevi <ryan@sleevi.com> wrote: With respect to incident

Jun 11

Watson Ladd, Matthias Merkel2

Jun 10

KIR S.A.: 8 bugs at once!

According to https://www.dns.pl/en/whois, these domains do belong to KIR. Of course, the amount of

unread,

KIR S.A.: 8 bugs at once!

According to https://www.dns.pl/en/whois, these domains do belong to KIR. Of course, the amount of

Jun 10

Michel Le Bihan, Ryan Sleevi2

Jun 10

Generalization of CPS to avoid misissuance

On Thu, Jun 10, 2021 at 5:03 AM Michel Le Bihan <michel.lebihan2000@gmail.com> wrote: Both KIR

unread,

Generalization of CPS to avoid misissuance

On Thu, Jun 10, 2021 at 5:03 AM Michel Le Bihan <michel.lebihan2000@gmail.com> wrote: Both KIR

Jun 10

Ben Wilson, … Nick Lamb6

Jun 6

Quantifying the Value of Adding a New CA

On Mon, 10 May 2021 17:13:41 -0600 Ben Wilson <bwilson@mozilla.com> wrote: > All, > >

unread,

Quantifying the Value of Adding a New CA

On Mon, 10 May 2021 17:13:41 -0600 Ben Wilson <bwilson@mozilla.com> wrote: > All, > >

Jun 6

May 31

End of an era: Certificate Transparency

As far as I can tell from my records, today, the 1st of June 2021 marks the first day when the Chrome

unread,

End of an era: Certificate Transparency

As far as I can tell from my records, today, the 1st of June 2021 marks the first day when the Chrome

May 31

Sándor dr. Szőke, … Matt Palmer4

May 26

The cryptographic requirements for Code Signing Certificates will change on 2021-06-01.

Matt Palmer a következőt írta (2021. május 26., szerda, 1:52:34 UTC+2): On Tue, May 25, 2021 at 08:06

unread,

The cryptographic requirements for Code Signing Certificates will change on 2021-06-01.

Matt Palmer a következőt írta (2021. május 26., szerda, 1:52:34 UTC+2): On Tue, May 25, 2021 at 08:06

May 26

Michel Le Bihan, … Brian Smith33

May 25

Are U-labels allowed in CN?

'Corey Bonnell' via dev-security-policy@mozilla.org <dev-security-policy@mozilla.org>

unread,

Are U-labels allowed in CN?

'Corey Bonnell' via dev-security-policy@mozilla.org <dev-security-policy@mozilla.org>

May 25

Matthias van de Meent, … Ryan Sleevi5

May 17

Signing the SHA-1 subjectKeyIdentifier

On Mon, May 17, 2021 at 12:41 PM Kurt Roeckx <kurt@roeckx.be> wrote: On Mon, May 17, 2021 at 02

unread,

Signing the SHA-1 subjectKeyIdentifier

On Mon, May 17, 2021 at 12:41 PM Kurt Roeckx <kurt@roeckx.be> wrote: On Mon, May 17, 2021 at 02

May 17

Ben Wilson, … Wojtek Porczyk3

May 14

CA Survey Responses on Removing Old Roots

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Thu, May 13, 2021 at 07:58:17PM -0400, Ryan Sleevi

unread,

CA Survey Responses on Removing Old Roots

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Thu, May 13, 2021 at 07:58:17PM -0400, Ryan Sleevi

May 14

Michel Le Bihan, … Phillip Hallam-Baker7

May 13

Please explain why CAs MUST NOT generate the key pairs

A major difference in the separation of concerns there is that the ACME tool is open source and

unread,

Please explain why CAs MUST NOT generate the key pairs

A major difference in the separation of concerns there is that the ACME tool is open source and

May 13

Corey Bonnell, … Kathleen Wilson4

May 13

CRL AuthorityKeyIdentifier Allowed Fields

I filed https://github.com/mozilla/pkipolicy/issues/226 to track this for our next policy update. I

unread,

CRL AuthorityKeyIdentifier Allowed Fields

I filed https://github.com/mozilla/pkipolicy/issues/226 to track this for our next policy update. I

May 13

Search

Clear search

Close search

Google apps

Main menu