dev-security-policy@mozilla.org

Contact owners and managers

1–30 of 290

Welcome to the dev-security-policy group in which we discuss security-related policies, governance, and related topics; including discussion of Mozilla’s Root Store Policy and the NSS root certificate store.

Mailing List: dev-security-policy@mozilla.org
Web: https://groups.google.com/a/mozilla.org/g/dev-security-policy
Subscribe by using the button "Ask to join group" and complete the box "Reason for joining". Membership requests must provide context for your interest in joining the group. Requests without this information will be rejected.
Participation Guidelines: https://www.mozilla.org/about/governance/policies/participation/
Participants: https://wiki.mozilla.org/CA/Policy_Participants
Unsubscribe by sending email to: dev-security-policy+unsubscribe@mozilla.org
Previous archives (2009-2021): https://groups.google.com/g/mozilla.dev.security.policy
RSS feed: https://www.mail-archive.com/dev-security-policy@mozilla.org/maillist.xml

0 selected

Ben Wilson, … Jeremy Rowley4

Dec 20

MRSP 3.0: Issue #279: TLS-specific and S/MIME-specific Root CAs

One additional thought I had on this is that it moves SMIME to strict profiles faster than previously

unread,

MRSP 3.0: Issue #279: TLS-specific and S/MIME-specific Root CAs

One additional thought I had on this is that it moves SMIME to strict profiles faster than previously

Dec 20

Ben Wilson, … Rich Salz24

Dec 19

MRSP 3.0: Issue #276: Delayed Revocation

On Thu, Dec 19, 2024, 6:59 PM Matt Palmer <mpa...@hezmatt.org> wrote: Oh, I don't know...

unread,

MRSP 3.0: Issue #276: Delayed Revocation

On Thu, Dec 19, 2024, 6:59 PM Matt Palmer <mpa...@hezmatt.org> wrote: Oh, I don't know...

Dec 19

Dec 18

Timing of Public Discussion of S/MIME External Sub CA

All, I intend to start public discussion of this matter using the CCADB Public list (https://groups.

unread,

Timing of Public Discussion of S/MIME External Sub CA

All, I intend to start public discussion of this matter using the CCADB Public list (https://groups.

Dec 18

Hanno Böck, … Pierre Barre10

Dec 16

Concerns about very-short-lived certificates

Hi Matt, I was forwarded this thread, and as its creator, I wanted to reach out directly. Would you

unread,

Concerns about very-short-lived certificates

Hi Matt, I was forwarded this thread, and as its creator, I wanted to reach out directly. Would you

Dec 16

Ben Wilson, Roman Fischer3

Dec 11

MRSP 3.0: Issue #275: CA Key Protection

Thanks, Roman, for your questions. With respect to CA key protection, gaps in audit reports raise a

unread,

MRSP 3.0: Issue #275: CA Key Protection

Thanks, Roman, for your questions. With respect to CA key protection, gaps in audit reports raise a

Dec 11

Dec 3

Approval of D-Trust's 2023 Root CAs

Greetings, Public discussion regarding inclusion of the following D-Trust root CA certificates

unread,

Approval of D-Trust's 2023 Root CAs

Greetings, Public discussion regarding inclusion of the following D-Trust root CA certificates

Dec 3

Ben Wilson, … Dimitris Zacharopoulos3

Nov 27

MRSP 3.0: Issue #263: Clarify sentence prohibiting blank sections that also contain no Subsections in CPs and CPSes

Ben, Could you please propose this exact language to the CABF SCWG in response to the failed SC-74?

unread,

MRSP 3.0: Issue #263: Clarify sentence prohibiting blank sections that also contain no Subsections in CPs and CPSes

Ben, Could you please propose this exact language to the CABF SCWG in response to the failed SC-74?

Nov 27

Hanno Böck, … Mike Shaver3

Nov 26

Certificate with compromised key / *.digicert-demo.com

Possibly of interest in blocking keys is Matt Palmer's great work in this space: https://

unread,

Certificate with compromised key / *.digicert-demo.com

Possibly of interest in blocking keys is Matt Palmer's great work in this space: https://

Nov 26

Nov 22

MRSP 3.0: Issue #s 270 and 271: Incident Reporting

All, This post is intended to initiate public discussion on improvements to the Mozilla Root Store

unread,

MRSP 3.0: Issue #s 270 and 271: Incident Reporting

All, This post is intended to initiate public discussion on improvements to the Mozilla Root Store

Nov 22

Nov 20

Fwd: Further Improving the CCADB Incident Reporting Guidelines (FEEDBACK REQUESTED)

All, Forwarding here - please see below. Comments can be provided preferably on GitHub or on the

unread,

Fwd: Further Improving the CCADB Incident Reporting Guidelines (FEEDBACK REQUESTED)

All, Forwarding here - please see below. Comments can be provided preferably on GitHub or on the

Nov 20

M THUG, … Dana Keeler7

Nov 18

Reg : Inquiry Regarding Removal of Certificates with Specific SHA1 Fingerprints

Note that that certificate was not removed from NSS, but rather had its trust bits edited so that it

unread,

Reg : Inquiry Regarding Removal of Certificates with Specific SHA1 Fingerprints

Note that that certificate was not removed from NSS, but rather had its trust bits edited so that it

Nov 18

Matt Palmer, … Amir Omidi6

Nov 10

The Pwnedkeys Revokinator is back!

On Sun, Nov 10, 2024 at 06:19:50PM -0500, Amir Omidi wrote: > Trying to understand why signing

unread,

The Pwnedkeys Revokinator is back!

On Sun, Nov 10, 2024 at 06:19:50PM -0500, Amir Omidi wrote: > Trying to understand why signing

Nov 10

Aaron Gable, … Matt Palmer12

Nov 2

Assuming keyCompromise for unspecified-reason revocations

On Fri, Nov 01, 2024 at 06:47:54PM -0500, Jaime Hablutzel wrote: > > On 1 Nov 2024, at 7:28 AM,

unread,

Assuming keyCompromise for unspecified-reason revocations

On Fri, Nov 01, 2024 at 06:47:54PM -0500, Jaime Hablutzel wrote: > > On 1 Nov 2024, at 7:28 AM,

Nov 2

Peter Gutmann, … Rob Stradling22

Oct 30

Standard PKC Test Keys

Matt Palmer <mpa...@hezmatt.org> writes: >Well, I don't know if it's actually all

unread,

Standard PKC Test Keys

Matt Palmer <mpa...@hezmatt.org> writes: >Well, I don't know if it's actually all

Oct 30

Rob Stradling, … Matthew McPherrin5

Oct 17

Certificate Transparency enforcement in Firefox

I see you've landed a patch changing 12 to 10 weeks: https://bugzilla.mozilla.org/show_bug.cgi?id

unread,

Certificate Transparency enforcement in Firefox

I see you've landed a patch changing 12 to 10 weeks: https://bugzilla.mozilla.org/show_bug.cgi?id

Oct 17

Oct 7

MRSP 3.0: Candidate Issues for MRSP v. 3.0

All, Please also consider the addition of GitHub Issue #283 to the list of issues that we would like

unread,

MRSP 3.0: Candidate Issues for MRSP v. 3.0

All, Please also consider the addition of GitHub Issue #283 to the list of issues that we would like

Oct 7

Ben Wilson, … Matt Palmer17

Oct 1

Proposal for an Interim Policy to Address Delayed Revocation

On Tue, Oct 01, 2024 at 12:26:08PM +0000, Sandy Balzer wrote: > Dear Ben, > > Thanks a lot

unread,

Proposal for an Interim Policy to Address Delayed Revocation

On Tue, Oct 01, 2024 at 12:26:08PM +0000, Sandy Balzer wrote: > Dear Ben, > > Thanks a lot

Oct 1

Hanno Böck, … Amir Omidi11

Sep 16

IANA whois information

A ballot has been introduced removing these problematic DCV methods: https://lists.cabforum.org/

unread,

IANA whois information

A ballot has been introduced removing these problematic DCV methods: https://lists.cabforum.org/

Sep 16

Tyrel, … Wayne11

Sep 13

Sources of Domain Contact Information?

Perhaps the many CAs who are not using WHOIS would be able to help. If they were impacted, when would

unread,

Sources of Domain Contact Information?

Perhaps the many CAs who are not using WHOIS would be able to help. If they were impacted, when would

Sep 13

Sep 13

UK VAT Groups and subject:organizationIdentifier

Hi all, Following on from discoveries in Bugzilla on the non-uniqueness of subject:

unread,

UK VAT Groups and subject:organizationIdentifier

Hi all, Following on from discoveries in Bugzilla on the non-uniqueness of subject:

Sep 13

Watson Ladd, Suchan Seo2

Sep 12

Aberrant bits in certificates (location edition)

sent it as private message by mistake, writeing it again; there is possablity of someone else

unread,

Aberrant bits in certificates (location edition)

sent it as private message by mistake, writeing it again; there is possablity of someone else

Sep 12

Stephen Davidson

Sep 4

Multi Perspective Issuance Corroboration (MPIC) for S/MIME

The S/MIME Certificate Working Group (SMCWG) of the CA/Browser Forum is considering a change to the S

unread,

Multi Perspective Issuance Corroboration (MPIC) for S/MIME

The S/MIME Certificate Working Group (SMCWG) of the CA/Browser Forum is considering a change to the S

Sep 4

Tim Hollebeek, … Tobias S. Josefowitz37

Aug 13

Feasibility of a binding commitment to revoke before issuance

On Fri, 9 Aug 2024, moz...@eigenvector.org.uk wrote: > The point of the Web PKI is to convey a

unread,

Feasibility of a binding commitment to revoke before issuance

On Fri, 9 Aug 2024, moz...@eigenvector.org.uk wrote: > The point of the Web PKI is to convey a

Aug 13

Jesper Kristensen, Walt2

Aug 10

Support for quick certificate replacement in subscriber tooling

Caddy absolutely does support ARI as of 2.8.0. I'd argue that it also doesn't need to try to

unread,

Support for quick certificate replacement in subscriber tooling

Caddy absolutely does support ARI as of 2.8.0. I'd argue that it also doesn't need to try to

Aug 10

Ben Wilson, … Wayne93

Aug 5

Recent Entrust Compliance Incidents

Hi Matt, You answered my thoughts on BR applicability in your last paragraph. I don't mean to say

unread,

Recent Entrust Compliance Incidents

Hi Matt, You answered my thoughts on BR applicability in your last paragraph. I don't mean to say

Aug 5

Watson Ladd, … Amir Omidi5

Aug 1

Lawyers, (no) Guns, and Money and the CA system

There is an argument to be made that every other CA should definitely look into their legal playbooks

unread,

Lawyers, (no) Guns, and Money and the CA system

There is an argument to be made that every other CA should definitely look into their legal playbooks

Aug 1

Ben Wilson, … Bruce Morton3

Jul 31

Mozilla's Decision on Entrust's Root CA Certificates used for TLS

Ben, we are disappointed by this decision but want to reaffirm Entrust's commitment to continued

unread,

Mozilla's Decision on Entrust's Root CA Certificates used for TLS

Ben, we are disappointed by this decision but want to reaffirm Entrust's commitment to continued

Jul 31

Rob Stradling, … Mike Shaver5

Jul 30

pkimetal - A PKI Meta-Linter

Hi Ben. I forget exactly what prompt I gave the image generator, but it's supposed to be a

unread,

pkimetal - A PKI Meta-Linter

Hi Ben. I forget exactly what prompt I gave the image generator, but it's supposed to be a

Jul 30

Jul 24

Reminder: Mozilla's Community Participation Guidelines and Bugzilla Etiquette

Dear Community Members, As part of our ongoing commitment to fostering a respectful and productive

unread,

Reminder: Mozilla's Community Participation Guidelines and Bugzilla Etiquette

Dear Community Members, As part of our ongoing commitment to fostering a respectful and productive

Jul 24

Jul 16

Phasing out Legacy S/MIME Certificates

Greetings, I am writing to you as a reminder regarding future compliance of S/MIME certificates with

unread,

Phasing out Legacy S/MIME Certificates

Greetings, I am writing to you as a reminder regarding future compliance of S/MIME certificates with

Jul 16

Search

Clear search

Close search

Google apps

Main menu