dev-security-policy@mozilla.org

1–30 of 59

Welcome to the dev-security-policy group in which we discuss security-related policies, governance, and related topics; including discussion of Mozilla’s Root Store Policy and the NSS root certificate store.

Mailing List: dev-security-policy@mozilla.org
Web: https://groups.google.com/a/mozilla.org/g/dev-security-policy
Subscribe by sending email to: dev-security-policy+subscribe@mozilla.org
Unsubscribe by sending email to: dev-security-policy+unsubscribe@mozilla.org
Previous archives: https://groups.google.com/g/mozilla.dev.security.policy
RSS feed: https://www.mail-archive.com/dev-security-policy@mozilla.org/maillist.xml

0 selected

1:12 PM

Public Discussion of Firmaprofesional's Inclusion Request

This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion

unread,

Public Discussion of Firmaprofesional's Inclusion Request

This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion

1:12 PM

Oct 19

Policy 2.8: MRSP Issue #228: Clarify technically-constrained sub-CA EKUs

All, This email introduces a second issue in a series of issues selected to be addressed in the next

unread,

Policy 2.8: MRSP Issue #228: Clarify technically-constrained sub-CA EKUs

All, This email introduces a second issue in a series of issues selected to be addressed in the next

Oct 19

Oct 19

Policy 2.8: MRSP Issue #129: Require non-discriminatory CA conduct

As an initial edit, I am proposing that we add the following language as a new subsection 6 to MRSP

unread,

Policy 2.8: MRSP Issue #129: Require non-discriminatory CA conduct

As an initial edit, I am proposing that we add the following language as a new subsection 6 to MRSP

Oct 19

Ben Wilson, dr. Szőke Sándor3

Oct 18

Policy 2.7.1: Published

Dear Sandor, I have added the new versions of the ETSI EN 411-1 and EN 411-2 to the CCADB. Thanks,

unread,

Policy 2.7.1: Published

Dear Sandor, I have added the new versions of the ETSI EN 411-1 and EN 411-2 to the CCADB. Thanks,

Oct 18

Oct 15

Public Discussion of ISRG/Let's Encrypt's Inclusion Request

On September 20, 2021, we began a three-week public discussion[1] on a request from ISRG/Let's

unread,

Public Discussion of ISRG/Let's Encrypt's Inclusion Request

On September 20, 2021, we began a three-week public discussion[1] on a request from ISRG/Let's

Oct 15

Kathleen Wilson

Oct 14

Added background to wiki page about revocation checking

All, I added several paragraphs to https://wiki.mozilla.org/CA/Revocation_Checking_in_Firefox#

unread,

Added background to wiki page about revocation checking

All, I added several paragraphs to https://wiki.mozilla.org/CA/Revocation_Checking_in_Firefox#

Oct 14

Kathleen Wilson3

Oct 13

URLs to the PDFs of WebTrust Audit Statements are being changed

Update from CPA Canada: We are not going LIVE for a few days We will take the "Under

unread,

URLs to the PDFs of WebTrust Audit Statements are being changed

Update from CPA Canada: We are not going LIVE for a few days We will take the "Under

Oct 13

Corey Bonnell, … Rufus Buschart10

Oct 13

OCSP responder behavior for HTTP GET requests

Do we believe that an affected CA should open a bug report? The situation is an edge case: as long as

unread,

OCSP responder behavior for HTTP GET requests

Do we believe that an affected CA should open a bug report? The situation is an edge case: as long as

Oct 13

passerby184, … Peter Gutmann8

Oct 12

Is there any rule about validity period of CA (root/intermediate) certificate?

Ryan Sleevi <ryan@sleevi.com> writes: >Is the belief then that they are added, but then

unread,

Is there any rule about validity period of CA (root/intermediate) certificate?

Ryan Sleevi <ryan@sleevi.com> writes: >Is the belief then that they are added, but then

Oct 12

Ryan Hurst, Tim Callan2

Oct 11

Accountability and best practices for CPS and code and/or process alignment

Apologies, Ryan, for the delayed reply. It's valuable to note first that a CPS frequently states

unread,

Accountability and best practices for CPS and code and/or process alignment

Apologies, Ryan, for the delayed reply. It's valuable to note first that a CPS frequently states

Oct 11

Kathleen Wilson2

Oct 4

Added Task List item about Full CRLs to CCADB home page for CAs

We will add the following text to the new task list item pull-down report: "The following table

unread,

Added Task List item about Full CRLs to CCADB home page for CAs

We will add the following text to the new task list item pull-down report: "The following table

Oct 4

Ben Wilson, … yutian zheng25

Oct 4

Public Discussion re: Inclusion of the iTrusChina Root CAs

Summary of Discussion and Resulting Decisions or Action Items Public discussion on the iTrusChina

unread,

Public Discussion re: Inclusion of the iTrusChina Root CAs

Summary of Discussion and Resulting Decisions or Action Items Public discussion on the iTrusChina

Oct 4

Ben Wilson, Kathleen Wilson3

Oct 4

Policy 2.8: Candidate Issues to Address in MRSP v. 2.8

Hi Ben, I added one more for the CRLs section: + #235 - Add Policy requiring Full CRLs (or equivalent

unread,

Policy 2.8: Candidate Issues to Address in MRSP v. 2.8

Hi Ben, I added one more for the CRLs section: + #235 - Add Policy requiring Full CRLs (or equivalent

Oct 4

Ben Wilson, … Brett L10

Sep 29

Public Discussion of Google Trust Services' Request to Replace Root CA Certificates

All, I should have noted during public discussion that GTS was seeking enablement of both the

unread,

Public Discussion of Google Trust Services' Request to Replace Root CA Certificates

All, I should have noted during public discussion that GTS was seeking enablement of both the

Sep 29

Kathleen Wilson, … Matthias van de Meent10

Sep 27

Audit Reminder Email Summary - Root Certificates

------- Forwarded Message -------- Subject: Summary of September 2021 Audit Reminder Emails Date: Tue

unread,

Audit Reminder Email Summary - Root Certificates

------- Forwarded Message -------- Subject: Summary of September 2021 Audit Reminder Emails Date: Tue

Sep 27

Sep 21

BR Self Assessment renamed to Compliance Self Assessment

All, I have updated the BR self-assessment template and renamed it to "Compliance Self

unread,

BR Self Assessment renamed to Compliance Self Assessment

All, I have updated the BR self-assessment template and renamed it to "Compliance Self

Sep 21

Ben Wilson, … Li-Chun CHEN14

Sep 18

Public Discussion of Chunghwa Telecom's Root Inclusion Request

On August 3, 2021, we began a three-week public discussion[1] on a request by Chunghwa Telecom (

unread,

Public Discussion of Chunghwa Telecom's Root Inclusion Request

On August 3, 2021, we began a three-week public discussion[1] on a request by Chunghwa Telecom (

Sep 18

Kathleen Wilson5

Sep 7

Audit Reminder Email Summary - Intermediate Certificates

-------- Forwarded Message -------- Subject: Summary of September 2021 Outdated Audit Statements for

unread,

Audit Reminder Email Summary - Intermediate Certificates

-------- Forwarded Message -------- Subject: Summary of September 2021 Outdated Audit Statements for

Sep 7

Jaime Hablutzel

Sep 7

Why isn't the keyAgreement KU bit explicitly forbidden in ECDSA TLS certificates?

Hi, I'm seeing that the keyAgreement KU bit is not explicitly forbidden for ECDSA TLS

unread,

Why isn't the keyAgreement KU bit explicitly forbidden in ECDSA TLS certificates?

Hi, I'm seeing that the keyAgreement KU bit is not explicitly forbidden for ECDSA TLS

Sep 7

Ben Wilson, … Syrine Tlili22

Aug 24

Public Discussion re: Inclusion of the TunTrust Root CA

On April 7, 2021, we began public discussion[1] on the TunTrust root CA inclusion request[2] (Step 4

unread,

Public Discussion re: Inclusion of the TunTrust Root CA

On April 7, 2021, we began public discussion[1] on the TunTrust root CA inclusion request[2] (Step 4

Aug 24

Matthias van de Meent, … Ryan Sleevi3

Aug 23

DNS authorization delegation through non-ADN delegated records

Hi Matthias, This is permitted. It is not permitted to point the target of the CNAME to the CA, but

unread,

DNS authorization delegation through non-ADN delegated records

Hi Matthias, This is permitted. It is not permitted to point the target of the CNAME to the CA, but

Aug 23

Kathleen Wilson, … Clint Wilson11

Aug 16

CCADB Update: New field JSON Array of Partitioned CRLs

Hi Dimitris, The Apple Root Program intends to use this field for all certificates in the future, but

unread,

CCADB Update: New field JSON Array of Partitioned CRLs

Hi Dimitris, The Apple Root Program intends to use this field for all certificates in the future, but

Aug 16

Ben Wilson, … Ryan Sleevi9

Aug 10

CA Survey Responses on Removing Old Roots

On Tue, Aug 10, 2021 at 5:05 AM Jesper Kristensen <jespermlst@gmail.com> wrote: Hi Ryan You

unread,

CA Survey Responses on Removing Old Roots

On Tue, Aug 10, 2021 at 5:05 AM Jesper Kristensen <jespermlst@gmail.com> wrote: Hi Ryan You

Aug 10

Jan Schaumann, … Ryan Sleevi4

Aug 6

Zimbabwe "banned from receiving certificates"

Ryan Sleevi <ryan@sleevi.com> wrote: > On Fri, Aug 6, 2021 at 3:05 PM 'Jan Schaumann

unread,

Zimbabwe "banned from receiving certificates"

Ryan Sleevi <ryan@sleevi.com> wrote: > On Fri, Aug 6, 2021 at 3:05 PM 'Jan Schaumann

Aug 6

Kathleen Wilson2

Aug 5

CCADB Update - August 5, 2021

The updates are completed. Please let me know if you run into any issues with using the CCADB. Thanks

unread,

CCADB Update - August 5, 2021

The updates are completed. Please let me know if you run into any issues with using the CCADB. Thanks

Aug 5

Watson Ladd, … Tim Callan4

Aug 5

Broader lessons from 1718771

We'd like to offer our own perspective on this issue, having lived it firsthand, in case this

unread,

Broader lessons from 1718771

We'd like to offer our own perspective on this issue, having lived it firsthand, in case this

Aug 5

Buschart, Rufus, … Ryan Sleevi32

Aug 4

Your opinion on misissuance under name constrained ICAs

On Wed, Aug 4, 2021 at 11:37 AM Buschart, Rufus <rufus.buschart@siemens.com> wrote: Thank you

unread,

Your opinion on misissuance under name constrained ICAs

On Wed, Aug 4, 2021 at 11:37 AM Buschart, Rufus <rufus.buschart@siemens.com> wrote: Thank you

Aug 4

Aaron Gable, Ryan Sleevi4

Aug 2

[meta] RSS Mailing List Archive

I've confirmed that mail-archive is now archiving the contents of this list. The RSS feed can be

unread,

[meta] RSS Mailing List Archive

I've confirmed that mail-archive is now archiving the contents of this list. The RSS feed can be

Aug 2

Buschart, Rufus, … Ryan Sleevi3

Jul 24

RE: Your opinion on misissuance under name constrained ICAs)

On Fri, Jul 23, 2021 at 6:54 PM Buschart, Rufus <rufus.buschart@siemens.com> wrote: This

unread,

RE: Your opinion on misissuance under name constrained ICAs)

On Fri, Jul 23, 2021 at 6:54 PM Buschart, Rufus <rufus.buschart@siemens.com> wrote: This

Jul 24

Ryan Hurst, … Matthew Hardeman24

Jul 14

IP Address Certificates via ACME

I believe the point that Matthias Merkel may be making is that there are, at present, multiple

unread,

IP Address Certificates via ACME

I believe the point that Matthias Merkel may be making is that there are, at present, multiple

Jul 14

Search

Clear search

Close search

Google apps

Main menu