Groups
Groups
Sign in
Groups
Groups
dev-security-policy@mozilla.org
Conversations
About
Send feedback
Help
dev-security-policy@mozilla.org
1–30 of 329
Welcome to the dev-security-policy group in which we discuss security-related policies, governance, and related topics; including discussion of
Mozilla’s Root Store Policy
and the
NSS root certificate store
.
Mailing List:
dev-security-policy@mozilla.or
g
Web:
https://groups.google.com/a/mo
zilla.org/g/dev-security-polic
y
Subscribe by using the button "Ask to join group" and complete the box "Reason for joining".
Membership requests must provide context for your interest in joining the group. Requests without this information will be rejected.
Participation Guidelines:
https://www.mozilla.org/about/
governance/policies/participat
ion/
Participants:
https://wiki.mozilla.org/CA/Po
licy_Participants
Unsubscribe by sending email to:
dev-security-policy+unsubscrib
e@mozilla.org
Previous archives (2009-2021):
https://groups.google.com/g/mo
zilla.dev.security.policy
RSS feed:
https://www.mail-archive.com/d
ev-security-policy@mozilla.org
/maillist.xml
Mark all as read
Report group
0 selected
Youfu Zhang
, …
Wayne
7
Sep 4
Incident Report: Mis-issued Certificates for SAN iPAddress:1.1.1.1 by Fina RDC 2020
A glance through censys with the following query and a report checking parsed.extensions.
unread,
Incident Report: Mis-issued Certificates for SAN iPAddress:1.1.1.1 by Fina RDC 2020
A glance through censys with the following query and a report checking parsed.extensions.
Sep 4
Ben Wilson
Aug 22
Approval of OISTE Root CA Certificate Request
All, The Mozilla root inclusion process is outlined here: https://wiki.mozilla.org/CA/
unread,
Approval of OISTE Root CA Certificate Request
All, The Mozilla root inclusion process is outlined here: https://wiki.mozilla.org/CA/
Aug 22
Ivan
,
Ben Wilson
4
Aug 8
Inquiry on "Acceptable" CA criteria, after remove of non-discrimination clause
Just realized that I've sent a previous message using a Google Groups web form, and it's most
unread,
Inquiry on "Acceptable" CA criteria, after remove of non-discrimination clause
Just realized that I've sent a previous message using a Google Groups web form, and it's most
Aug 8
Aaron Gable
2
Jul 23
Preview of Let's Encrypt's upcoming Root Ceremony
Hi Sándor, Good question! The first interpretation is correct. The authorityKeyIdentifier extension
unread,
Preview of Let's Encrypt's upcoming Root Ceremony
Hi Sándor, Good question! The first interpretation is correct. The authorityKeyIdentifier extension
Jul 23
Ben Wilson
Jul 14
Fwd: [Smcwg-public] Deprecation of Legacy
Forwarding for additional visibility and notice to SMIME-issuing CAs. ---------- Forwarded message --
unread,
Fwd: [Smcwg-public] Deprecation of Legacy
Forwarding for additional visibility and notice to SMIME-issuing CAs. ---------- Forwarded message --
Jul 14
Hanno Böck
, …
John Schanck
4
Jun 20
Limitations of aggreated CRL revocation checks
Right, Mozilla root store policy [1] requires CAs to disclose their CRLs in CCADB. Mozilla's
unread,
Limitations of aggreated CRL revocation checks
Right, Mozilla root store policy [1] requires CAs to disclose their CRLs in CCADB. Mozilla's
Jun 20
Ben Wilson
, …
Jeremy Rowley
64
Jun 18
Results of 2025 Roundtable Discussion
Sounds good. The 50k number sounds about right based on those bugs too. Most CPS errors do not
unread,
Results of 2025 Roundtable Discussion
Sounds good. The 50k number sounds about right based on those bugs too. Most CPS errors do not
Jun 18
Dana Keeler
, …
Pierre Barre
10
Jun 18
Certificate Transparency is now enforced in Firefox on desktop platforms starting with version 135
Hello, I am quite late to the party on this thread, but having recently implemented a CT log (https:/
unread,
Certificate Transparency is now enforced in Firefox on desktop platforms starting with version 135
Hello, I am quite late to the party on this thread, but having recently implemented a CT log (https:/
Jun 18
Ben Wilson
Jun 17
Approval of SwissSign's Root Inclusion Requests
All, The Mozilla root inclusion process is outlined here: https://wiki.mozilla.org/CA/
unread,
Approval of SwissSign's Root Inclusion Requests
All, The Mozilla root inclusion process is outlined here: https://wiki.mozilla.org/CA/
Jun 17
Amir Omidi
, …
Watson Ladd
6
Jun 15
Email I've received regarding Digicert
Dear Digicert and other dev sec policy people, I think this email and the response raises a lot of
unread,
Email I've received regarding Digicert
Dear Digicert and other dev sec policy people, I think this email and the response raises a lot of
Jun 15
Matt Palmer
, …
Mike Shaver
13
Jun 10
Mitigations needed for legal action imposing delayed revocation
On Tue, Jun 10, 2025 at 08:38:44AM -0400, Mike Shaver wrote: > (In the history of distrust events,
unread,
Mitigations needed for legal action imposing delayed revocation
On Tue, Jun 10, 2025 at 08:38:44AM -0400, Mike Shaver wrote: > (In the history of distrust events,
Jun 10
Ben Wilson
,
Arabella Barks
3
Jun 6
Approval of TrustAsia's root inclusion request
Thanks for letting me know. I think it was a clip-and-paste error. Here are the correct links:
unread,
Approval of TrustAsia's root inclusion request
Thanks for letting me know. I think it was a clip-and-paste error. Here are the correct links:
Jun 6
Hanno Böck
, …
Suchan Seo
4
May 18
Unusual / unparseable internediate certificate in CT log (cPanel)
https://github.com/golang/go/commit/51ff3a6965b3fc40aceebe90eaf15a8a1a00a452 looks like it fixed in
unread,
Unusual / unparseable internediate certificate in CT log (cPanel)
https://github.com/golang/go/commit/51ff3a6965b3fc40aceebe90eaf15a8a1a00a452 looks like it fixed in
May 18
Xiaohui Lam
, …
Matt Palmer
16
May 16
Extended discuss of ACME DNS Labeled With ACME Account ID Challenge
Hi Matt, Thanks for your participation in the discussion. I think rare is just my personal habit of
unread,
Extended discuss of ACME DNS Labeled With ACME Account ID Challenge
Hi Matt, Thanks for your participation in the discussion. I think rare is just my personal habit of
May 16
Aaron Gable
,
Corey Bonnell
2
May 15
New Bugzilla Report regarding issuance for Internationalized Domain Names
Hi Aaron, Thanks for raising this. Regarding the callout on P-labels in the bug: > By these
unread,
New Bugzilla Report regarding issuance for Internationalized Domain Names
Hi Aaron, Thanks for raising this. Regarding the callout on P-labels in the bug: > By these
May 15
Ben Wilson
May 12
Draft Agenda for Roundtable Discussion
Here is a draft agenda: Mozilla Root Program Roundtable – Draft Agenda (90 minutes) Welcome and
unread,
Draft Agenda for Roundtable Discussion
Here is a draft agenda: Mozilla Root Program Roundtable – Draft Agenda (90 minutes) Welcome and
May 12
Ben Wilson
, …
Mike Shaver
10
May 12
Mozilla CA Program Roundtable Discussion
All, Listed below are some of the survey results and the top-scoring topics for Friday's
unread,
Mozilla CA Program Roundtable Discussion
All, Listed below are some of the survey results and the top-scoring topics for Friday's
May 12
Rich Salz
,
Peter Bowen
3
May 6
Viking CA?
So it looks like I'm not really missing anything. As Peter Bowen pointed out, VikingCloud owns a
unread,
Viking CA?
So it looks like I'm not really missing anything. As Peter Bowen pointed out, VikingCloud owns a
May 6
Ben Wilson
Apr 29
Updated Mass Revocation wiki page
All, I have updated the Mass Revocation Events (MRE) wiki page with a new section that outlines
unread,
Updated Mass Revocation wiki page
All, I have updated the Mass Revocation Events (MRE) wiki page with a new section that outlines
Apr 29
Ben Wilson
, …
Doug Beattie
5
Apr 28
Websites Trust Bit Removal in 2026
Hi Doug, You're right. My mistake. They would be April 15, 2028. Thanks, Ben On Mon, Apr 28, 2025
unread,
Websites Trust Bit Removal in 2026
Hi Doug, You're right. My mistake. They would be April 15, 2028. Thanks, Ben On Mon, Apr 28, 2025
Apr 28
Ben Wilson
, …
Arabella Barks
23
Apr 18
Postponement of Removal of Websites Trust Bit for ePKI Root CA
Greetings, I tested it in Firefox, and the website provided me with a certificate issued by
unread,
Postponement of Removal of Websites Trust Bit for ePKI Root CA
Greetings, I tested it in Firefox, and the website provided me with a certificate issued by
Apr 18
Ben Wilson
, …
大野 文彰
4
Apr 1
MRSP 3.0: Published
Hello Ben-san, Thank you for your quick and courteous reply. We will prepare a report on how to post
unread,
MRSP 3.0: Published
Hello Ben-san, Thank you for your quick and courteous reply. We will prepare a report on how to post
Apr 1
Arabella Barks
, …
Aaron Gable
14
Mar 25
Discussions on mechanism to enhance the Use of Digital Certificate Private Keys Similar to PwnedKeys
Possession of a CSR is not proof of compromise. For a quick demonstration, here are 45k CSRs which I
unread,
Discussions on mechanism to enhance the Use of Digital Certificate Private Keys Similar to PwnedKeys
Possession of a CSR is not proof of compromise. For a quick demonstration, here are 45k CSRs which I
Mar 25
Ben Wilson
Mar 12
Mozilla Security Blog Post on MRSP v. 3.0
All, Here is a recent blog post with MRSP v.3.0 as the main subject. https://blog.mozilla.org/
unread,
Mozilla Security Blog Post on MRSP v. 3.0
All, Here is a recent blog post with MRSP v.3.0 as the main subject. https://blog.mozilla.org/
Mar 12
Ben Wilson
Mar 11
Mass Revocation Planning Guidance
All, To assist CA operators in complying with MRSP section 6.1.3, I have started a wiki page to
unread,
Mass Revocation Planning Guidance
All, To assist CA operators in complying with MRSP section 6.1.3, I have started a wiki page to
Mar 11
Ben Wilson
Feb 20
Results of the Mozilla February 2025 CA Communication and Survey
All, Here are the responses to the Mozilla February 2025 CA Communication and Survey. The responses
unread,
Results of the Mozilla February 2025 CA Communication and Survey
All, Here are the responses to the Mozilla February 2025 CA Communication and Survey. The responses
Feb 20
Ben Wilson
, …
Jeremy Rowley
7
Feb 19
MRSP 3.0: Survey Results and Status Update
All, I have renamed the previously-mentioned branch to Final Updates 3.0 (https://github.com/mozilla/
unread,
MRSP 3.0: Survey Results and Status Update
All, I have renamed the previously-mentioned branch to Final Updates 3.0 (https://github.com/mozilla/
Feb 19
Ben Wilson
Feb 18
Mass Revocation Incident Preparation and Testing Plan
Here is a non-normative template based on requests from CAs for guidance on the upcoming MRSP section
unread,
Mass Revocation Incident Preparation and Testing Plan
Here is a non-normative template based on requests from CAs for guidance on the upcoming MRSP section
Feb 18
Hanno Böck
, …
Pierre Barre
17
Feb 16
Concerns about very-short-lived certificates
Subject: Professionalism and Constructive Discussion Matt, Your response crosses the line from
unread,
Concerns about very-short-lived certificates
Subject: Professionalism and Constructive Discussion Matt, Your response crosses the line from
Feb 16
Amir Omidi (aaomidi)
, …
Entschew, Enrico
4
Feb 12
d-trust data protection incident
Hi Hanno, I have inserted my answers further down in the text --> <-- and hope to contribute to
unread,
d-trust data protection incident
Hi Hanno, I have inserted my answers further down in the text --> <-- and hope to contribute to
Feb 12