dev-security-policy@mozilla.org

1–30 of 94

Welcome to the dev-security-policy group in which we discuss security-related policies, governance, and related topics; including discussion of Mozilla’s Root Store Policy and the NSS root certificate store.

Mailing List: dev-security-policy@mozilla.org
Web: https://groups.google.com/a/mozilla.org/g/dev-security-policy
Subscribe by sending email to: dev-security-policy+subscribe@mozilla.org
Unsubscribe by sending email to: dev-security-policy+unsubscribe@mozilla.org
Previous archives: https://groups.google.com/g/mozilla.dev.security.policy
RSS feed: https://www.mail-archive.com/dev-security-policy@mozilla.org/maillist.xml

0 selected

Jan 21

Policy 2.8: MRSP Issue 195: Require public discussion when an organization receives a new subCA

All, This email introduces public discussion regarding additions/clarifications to be included in the

unread,

Policy 2.8: MRSP Issue 195: Require public discussion when an organization receives a new subCA

All, This email introduces public discussion regarding additions/clarifications to be included in the

Jan 21

Kathleen Wilson, … Ryan Sleevi43

Jan 21

Revocation Reason Codes for TLS End-Entity Certificates

On Thu, Jan 20, 2022 at 8:19 PM Ryan Sleevi <ryan@sleevi.com> wrote: If the goal is to ensure

unread,

Revocation Reason Codes for TLS End-Entity Certificates

On Thu, Jan 20, 2022 at 8:19 PM Ryan Sleevi <ryan@sleevi.com> wrote: If the goal is to ensure

Jan 21

Jan 21

Policy 2.8: MRSP Issue #178: Sunset SHA1

All, This email launches a new discussion related to sunsetting the future use of SHA1 in the Mozilla

unread,

Policy 2.8: MRSP Issue #178: Sunset SHA1

All, This email launches a new discussion related to sunsetting the future use of SHA1 in the Mozilla

Jan 21

Ben Wilson, … pekka.la...@teliacompany.com56

Jan 20

Public Discussion: Inclusion of Telia Root CA v2

I certainly talk on behalf of Telia CA and believe I talk also on behalf of Telia Company AB. If you

unread,

Public Discussion: Inclusion of Telia Root CA v2

I certainly talk on behalf of Telia CA and believe I talk also on behalf of Telia Company AB. If you

Jan 20

Kathleen Wilson2

Jan 18

New Owner for the CA Certificates Module

All, I have made the proposed change to the CA Certificate module. 1) CA Certificates Description:

unread,

New Owner for the CA Certificates Module

All, I have made the proposed change to the CA Certificate module. 1) CA Certificates Description:

Jan 18

Kathleen Wilson, … Matthias van de Meent14

Jan 18

Audit Reminder Email Summary - Root Certificates

-------- Forwarded Message -------- Subject: Summary of January 2022 Audit Reminder Emails Date: Tue,

unread,

Audit Reminder Email Summary - Root Certificates

-------- Forwarded Message -------- Subject: Summary of January 2022 Audit Reminder Emails Date: Tue,

Jan 18

Ben Wilson, passerby1843

Jan 18

Policy 2.8: MRSP Issue #185: Require publication of outdated CA policy documents

Here is another possible wording for new item 7 of MRSP 3.3 - "CAs SHALL maintain links to older

unread,

Policy 2.8: MRSP Issue #185: Require publication of outdated CA policy documents

Here is another possible wording for new item 7 of MRSP 3.3 - "CAs SHALL maintain links to older

Jan 18

Ben Wilson, … Corey Bonnell3

Jan 18

Policy 2.8: MRSP Issue #226: Update the incorrect extensions item in section 5.2

> A recently-relevant example could be "an OCSP Delegated Responder without the id-pkix-ocsp-

unread,

Policy 2.8: MRSP Issue #226: Update the incorrect extensions item in section 5.2

> A recently-relevant example could be "an OCSP Delegated Responder without the id-pkix-ocsp-

Jan 18

Ben Wilson, Andrew Ayer2

Jan 16

Policy 2.8: MRSP Issue #138: Make it clear that RFC 9162 precertificates are covered by Mozilla policy

Hi Ben, Comments inline: > - if any certificates with the same serial number and issuer > exist

unread,

Policy 2.8: MRSP Issue #138: Make it clear that RFC 9162 precertificates are covered by Mozilla policy

Hi Ben, Comments inline: > - if any certificates with the same serial number and issuer > exist

Jan 16

Jan 16

Policy 2.8: MRSP Issue #155: Describe actions Mozilla may take upon receipt of a qualified audit

All, This email introduces discussion of GitHub Issue #155 - Describe actions Mozilla may take upon

unread,

Policy 2.8: MRSP Issue #155: Describe actions Mozilla may take upon receipt of a qualified audit

All, This email introduces discussion of GitHub Issue #155 - Describe actions Mozilla may take upon

Jan 16

Jan 13

Policy 2.8: MRSP Issue #131: Improve terminology and style

All, This email introduces several language changes to be made in the next version of the Mozilla

unread,

Policy 2.8: MRSP Issue #131: Improve terminology and style

All, This email introduces several language changes to be made in the next version of the Mozilla

Jan 13

Jan 13

Policy 2.8: MRSP Issue #184: Change Terminology from SSL to TLS

All, This email introduces discussion of a change from the term "SSL" to the term "TLS

unread,

Policy 2.8: MRSP Issue #184: Change Terminology from SSL to TLS

All, This email introduces discussion of a change from the term "SSL" to the term "TLS

Jan 13

Ben Wilson, … Aaron Gable5

Jan 6

Policy 2.8: MRSP Issue #235: Require CCADB Disclosure of Full CRLs (or equivalent JSON array) for CRLite

Here is some draft language: "Effective October 1, 2022, CA operators with intermediate CA

unread,

Policy 2.8: MRSP Issue #235: Require CCADB Disclosure of Full CRLs (or equivalent JSON array) for CRLite

Here is some draft language: "Effective October 1, 2022, CA operators with intermediate CA

Jan 6

Jan 6

Public Discussion of D-Trust Root Inclusion Requests

D-Trust GmbH, a member of the Bundesdruckerei Group and wholly owned subsidiary of Bundesdruckerei

unread,

Public Discussion of D-Trust Root Inclusion Requests

D-Trust GmbH, a member of the Bundesdruckerei Group and wholly owned subsidiary of Bundesdruckerei

Jan 6

Kathleen Wilson8

Jan 4

Audit Reminder Email Summary - Intermediate Certificates

-------- Forwarded Message -------- Subject: Summary of January 2022 Outdated Audit Statements for

unread,

Audit Reminder Email Summary - Intermediate Certificates

-------- Forwarded Message -------- Subject: Summary of January 2022 Outdated Audit Statements for

Jan 4

Corey Bonnell, … Rufus Buschart14

Jan 3

OCSP responder behavior for HTTP GET requests

Hi Rufus, Section 3.3 of RFC 3986 [1] defines the following ABNF production rule for a path character

unread,

OCSP responder behavior for HTTP GET requests

Hi Rufus, Section 3.3 of RFC 3986 [1] defines the following ABNF production rule for a path character

Jan 3

passerby184, … Ryan Sleevi3

12/29/21

what rules apply to dedicate OCSP signer or OCSP signing certificate?

On Wed, Dec 29, 2021 at 11:53 AM Peter Bowen <pzbowen@gmail.com> wrote: On Fri, Dec 24, 2021 at

unread,

what rules apply to dedicate OCSP signer or OCSP signing certificate?

On Wed, Dec 29, 2021 at 11:53 AM Peter Bowen <pzbowen@gmail.com> wrote: On Fri, Dec 24, 2021 at

12/29/21

Ben Wilson, … Ryan Sleevi17

12/29/21

Root Replacement with digitalSignature Key Usage to Sign OCSP responses

On Wed, Dec 29, 2021 at 3:18 PM Peter Bowen <pzbowen@gmail.com> wrote: From the bug above, and

unread,

Root Replacement with digitalSignature Key Usage to Sign OCSP responses

On Wed, Dec 29, 2021 at 3:18 PM Peter Bowen <pzbowen@gmail.com> wrote: From the bug above, and

12/29/21

Ben Wilson, Moudrick M. Dadashov2

12/14/21

Policy 2.8: MRSP Issue #227: Clarify Meaning of "CP/CPS"

Good question. I think CP/CPS issue is directly related to the terms "audit scope" and

unread,

Policy 2.8: MRSP Issue #227: Clarify Meaning of "CP/CPS"

Good question. I think CP/CPS issue is directly related to the terms "audit scope" and

12/14/21

Ben Wilson, Moudrick Dadashov2

12/14/21

Policy 2.8: MRSP Issue #219: Require ETSI auditors to be ACAB-c members

With all due respect to ACAB-c, currently the term CAB means a proffesional accredited by NAB. I'

unread,

Policy 2.8: MRSP Issue #219: Require ETSI auditors to be ACAB-c members

With all due respect to ACAB-c, currently the term CAB means a proffesional accredited by NAB. I'

12/14/21

Ben Wilson, … Wayne Thayer13

12/9/21

Policy 2.8: MRSP Issue #233: Wiki page documenting process for reviewing externally operated subordinate CAs

All, I moved this section to its own wiki page - https://wiki.mozilla.org/CA/

unread,

Policy 2.8: MRSP Issue #233: Wiki page documenting process for reviewing externally operated subordinate CAs

All, I moved this section to its own wiki page - https://wiki.mozilla.org/CA/

12/9/21

12/9/21

New Mozilla Security Blog Post on Intermediate Certificates

All, Today, Kathleen and I published a new Mozilla Security blog post - Improving the Quality of

unread,

New Mozilla Security Blog Post on Intermediate Certificates

All, Today, Kathleen and I published a new Mozilla Security blog post - Improving the Quality of

12/9/21

Hanno Böck, … Peter Gutmann10

12/9/21

Certificates with OpenSSL test key

Hanno Böck <hanno@hboeck.de> writes: >I think this is generally a good idea, however I'd

unread,

Certificates with OpenSSL test key

Hanno Böck <hanno@hboeck.de> writes: >I think this is generally a good idea, however I'd

12/9/21

Kathleen Wilson

12/6/21

Update: Clarified audit period date ranges accepted by ALV

All, I added some information to the end of https://www.ccadb.org/policy#51-audit-statement-content

unread,

Update: Clarified audit period date ranges accepted by ALV

All, I added some information to the end of https://www.ccadb.org/policy#51-audit-statement-content

12/6/21

Kathleen Wilson

12/6/21

CCADB Update: CA Task List on Home Page

All, The CA Task List on the CCADB Home Page has been updated as follows: Removed duplicate

unread,

CCADB Update: CA Task List on Home Page

All, The CA Task List on the CCADB Home Page has been updated as follows: Removed duplicate

12/6/21

Brown, Wendy (10421)

12/6/21

RE: revocation reason codes

I don't understand why cessationOfOperation (5) would not be applicable for TLS certificates. If

unread,

RE: revocation reason codes

I don't understand why cessationOfOperation (5) would not be applicable for TLS certificates. If

12/6/21

12/2/21

Public Discussion of Netlock's Request for EV Enablement

All, The public discussion period has ended for this EV-enablement request. We have received no

unread,

Public Discussion of Netlock's Request for EV Enablement

All, The public discussion period has ended for this EV-enablement request. We have received no

12/2/21

Kathleen Wilson8

12/1/21

URLs to the PDFs of WebTrust Audit Statements are being changed

The concerns with the new CPA Canada pdf URLs have been resolved, so the new URLs may be used now. By

unread,

URLs to the PDFs of WebTrust Audit Statements are being changed

The concerns with the new CPA Canada pdf URLs have been resolved, so the new URLs may be used now. By

12/1/21

Ben Wilson, … Rob Stradling12

11/30/21

Public Discussion of Google Trust Services' Request to Replace Root CA Certificates

Thanks, Rob, for raising this issue here for discussion on the list. From a root program perspective,

unread,

Public Discussion of Google Trust Services' Request to Replace Root CA Certificates

Thanks, Rob, for raising this issue here for discussion on the list. From a root program perspective,

11/30/21

Kathleen Wilson, Aaron Gable3

11/30/21

Addressing Current Limitations of CRL Revocation Reason Codes

Duly noted. Thanks! On Tuesday, November 9, 2021 at 1:03:22 PM UTC-8 aa...@letsencrypt.org wrote: Hi

unread,

Addressing Current Limitations of CRL Revocation Reason Codes

Duly noted. Thanks! On Tuesday, November 9, 2021 at 1:03:22 PM UTC-8 aa...@letsencrypt.org wrote: Hi

11/30/21

Search

Clear search

Close search

Google apps

Main menu