Groups

dev-security-policy@mozilla.org

1–30 of 370

Welcome to the dev-security-policy group in which we discuss issues concerning the Mozilla Root Program, root store policy development, governance matters, and other PKI topics directly relevant to the Program.

Mailing List: dev-security-policy@mozilla.org
Web: https://groups.google.com/a/mozilla.org/g/dev-security-policy
Participation Guidelines: https://www.mozilla.org/about/governance/policies/participation/
Participants: https://wiki.mozilla.org/CA/Policy_Participants
Unsubscribe by sending email to: dev-security-policy+unsubscribe@mozilla.org
Previous list archives (2009-2021): https://groups.google.com/g/mozilla.dev.security.policy

0 selected

Apr 27

MRSP 3.1: Draft CA Communication and Survey

All, I have prepared a draft CA communication and survey to send to CA operators that are either

unread,

MRSP 3.1: Draft CA Communication and Survey

All, I have prepared a draft CA communication and survey to send to CA operators that are either

Apr 27

Ben Wilson, … Aaron Gable5

Apr 27

MRSP 3.1: Issue #s 282 and 295: CP/CPS Documentation

What about this formulation of Item 2 under MRSP section 3.3? 2. CA operators MUST maintain CP/CPS

unread,

MRSP 3.1: Issue #s 282 and 295: CP/CPS Documentation

What about this formulation of Item 2 under MRSP section 3.3? 2. CA operators MUST maintain CP/CPS

Apr 27

Apr 27

MRSP 3.1: Issue #299: Mass Revocation Planning Audits

All, This email concerns the criteria for assessing the mass revocation planning efforts of CA

unread,

MRSP 3.1: Issue #299: Mass Revocation Planning Audits

All, This email concerns the criteria for assessing the mass revocation planning efforts of CA

Apr 27

Ben Wilson, … Aaron Gable4

Apr 26

MRSP 3.1: Issue #s 294, 296, 297, and 298: Audit-related Improvements

Hi Aaron, Thanks for the feedback. On #298 (Continuous Audit Coverage): Item 5 of Section 7.1 could

unread,

MRSP 3.1: Issue #s 294, 296, 297, and 298: Audit-related Improvements

Hi Aaron, Thanks for the feedback. On #298 (Continuous Audit Coverage): Item 5 of Section 7.1 could

Apr 26

Ben Wilson, Aaron Gable3

Apr 26

MRSP 3.1: Issue #s 292 and 293: CA Operational Reporting and Policy Alignment

Hi Aaron, I tried to track these changes separately, but after merging them into my 3.1 branch I'

unread,

MRSP 3.1: Issue #s 292 and 293: CA Operational Reporting and Policy Alignment

Hi Aaron, I tried to track these changes separately, but after merging them into my 3.1 branch I'

Apr 26

Apr 23

MRSP 3.1: Issue #291: Change in Ownership or Control

All, This is the last thread introducing this batch of changes to the Mozilla Root Store Policy (MRSP

unread,

MRSP 3.1: Issue #291: Change in Ownership or Control

All, This is the last thread introducing this batch of changes to the Mozilla Root Store Policy (MRSP

Apr 23

Apr 21

MRSP 3.1: Candidate Issues

All, I have reviewed the open issues in the mozilla/pkipolicy repository and identified a set of

unread,

MRSP 3.1: Candidate Issues

All, I have reviewed the open issues in the mozilla/pkipolicy repository and identified a set of

Apr 21

Apr 16

Approval of Cybertrust Japan SecureSign Root CA16

All, Public discussion of the Cybertrust Japan SecureSign Root CA16 (email trust bit)[1] occurred in

unread,

Approval of Cybertrust Japan SecureSign Root CA16

All, Public discussion of the Cybertrust Japan SecureSign Root CA16 (email trust bit)[1] occurred in

Apr 16

Awel Dia, Arabella Barks2

Apr 10

Questions Regarding the Use of the id-ad-caIssuers Extension under the BR！

Hi Awel, BR do not impose any restrictions that the id-ad-caIssuers extension must point only to a

unread,

Questions Regarding the Use of the id-ad-caIssuers Extension under the BR！

Hi Awel, BR do not impose any restrictions that the id-ad-caIssuers extension must point only to a

Apr 10

Wayne, … Fabien Hochstrasser5

Apr 8

EJBCA - Open MPIC Issues and Impacted CAs

Hi, I am posting this message on behalf of Google Trust Services. We stopped using EJBCA in 2023. As

unread,

EJBCA - Open MPIC Issues and Impacted CAs

Hi, I am posting this message on behalf of Google Trust Services. We stopped using EJBCA in 2023. As

Apr 8

Apr 8

Upcoming April 2026 NSS Root Store Changes (Bug 2017317)

Greetings, Mozilla will be making several root store changes in its April 2026 NSS release, as

unread,

Upcoming April 2026 NSS Root Store Changes (Bug 2017317)

Greetings, Mozilla will be making several root store changes in its April 2026 NSS release, as

Apr 8

Aaron Gable, … Ryan Hurst21

Apr 3

Recent incidents regarding recording Baseline Requirements version

I am sorry, I meant for this to go to the ballot discussion and not here. Please direct any comments

unread,

Recent incidents regarding recording Baseline Requirements version

I am sorry, I meant for this to go to the ballot discussion and not here. Please direct any comments

Apr 3

Rebecca Kelley3

Mar 25

Notification of acquisition of VikingCloud’s Digital Certificate Business

On March 6, 2026, SSL.com successfully completed the acquisition of VikingCloud, with the transfer of

unread,

Notification of acquisition of VikingCloud’s Digital Certificate Business

On March 6, 2026, SSL.com successfully completed the acquisition of VikingCloud, with the transfer of

Mar 25

Michael Stone, … Peter Bowen6

Mar 24

Clarification on CAA NXDOMAIN handling: RFC 8659 vs. BR / Bug 1695786

Hi Peter, According to this decision flow, I think it's okay for a CA to issue certificates: ```

unread,

Clarification on CAA NXDOMAIN handling: RFC 8659 vs. BR / Bug 1695786

Hi Peter, According to this decision flow, I think it's okay for a CA to issue certificates: ```

Mar 24

Awel Dia, Henry Birge-Lee3

Mar 18

CAA Checking: CNAME Target Returns SERVFAIL

Hi.Henry! Thank you very much for sharing. First, I would like to share the dig commands I used and

unread,

CAA Checking: CNAME Target Returns SERVFAIL

Hi.Henry! Thank you very much for sharing. First, I would like to share the dig commands I used and

Mar 18

Wayne, … Bas Westerbaan4

Mar 17

Irregular RSA Exponents

Agreed. (Although I don't think that it should weigh heavily if at all, I do want to note that

unread,

Irregular RSA Exponents

Agreed. (Although I don't think that it should weigh heavily if at all, I do want to note that

Mar 17

Yuwei HAN (hanyuwei70), … Aaron Gable7

Mar 16

Revocation method is missing by subCA

Notice that the OCSP response contains a nextUpdate field; OCSP responses may be cached and reused

unread,

Revocation method is missing by subCA

Notice that the OCSP response contains a nextUpdate field; OCSP responses may be cached and reused

Mar 16

Mar 5

Public Discussion: Approval of JPRS as an Externally-Operated Subordinate CA under SECOM Root

Greetings, The three-week public discussion period regarding SECOM Trust Systems CO., LTD.'s

unread,

Public Discussion: Approval of JPRS as an Externally-Operated Subordinate CA under SECOM Root

Greetings, The three-week public discussion period regarding SECOM Trust Systems CO., LTD.'s

Mar 5

Arabella Barks, Rob Stradling2

Feb 24

https://opensource.apple.com/source/security_certificates/ is 404

Hi Arabella. Here's the content that used to be at that URL: https://web.archive.org/web/

unread,

https://opensource.apple.com/source/security_certificates/ is 404

Hi Arabella. Here's the content that used to be at that URL: https://web.archive.org/web/

Feb 24

大野文彰, Aaron Gable3

Feb 24

Understanding accounturi handling across manual and ACME issuance (RFC 8657 Section 5.3)

Hi Aaron-san, Thank you for the clear and helpful response. I understand your point that the main

unread,

Understanding accounturi handling across manual and ACME issuance (RFC 8657 Section 5.3)

Hi Aaron-san, Thank you for the clear and helpful response. I understand your point that the main

Feb 24

Peter Mate Erdosi, Ben Wilson2

Feb 12

Question about a Microsoft Root Program reuqirement

Hi Peter, My interpretation, which I limit to the text being discussed here, is that the policy OID

unread,

Question about a Microsoft Root Program reuqirement

Hi Peter, My interpretation, which I limit to the text being discussed here, is that the policy OID

Feb 12

Ben Wilson, … Joe DeBlasio4

Feb 5

Updated Mozilla CT Log Policy

Yes, Mozilla did ask for, and get, Google's permission to use Chrome's lists as the basis for

unread,

Updated Mozilla CT Log Policy

Yes, Mozilla did ask for, and get, Google's permission to use Chrome's lists as the basis for

Feb 5

Feb 2

Removal of 'non-disclosable intermediate certificates' language from Mozilla CA Wiki

All, We have removed the section of this Mozilla CA wiki page that referred to the concept of “non-

unread,

Removal of 'non-disclosable intermediate certificates' language from Mozilla CA Wiki

All, We have removed the section of this Mozilla CA wiki page that referred to the concept of “non-

Feb 2

Dexter Castor Döpping, … Roman Fischer8

Feb 2

HTTP request blocking by CAs for CRL, CPS, AIA caIssuers

I completely agree that CAs remain responsible to provide secure and available certificate status

unread,

HTTP request blocking by CAs for CRL, CPS, AIA caIssuers

I completely agree that CAs remain responsible to provide secure and available certificate status

Feb 2

Jan 29

Question on repurposing PublicCAs to PrivateCAs

Yo! mortals I noticed that DigiCert (after Symantec PKI acquisition) utilized the legacy VeriSign

unread,

Question on repurposing PublicCAs to PrivateCAs

Yo! mortals I noticed that DigiCert (after Symantec PKI acquisition) utilized the legacy VeriSign

Jan 29

Roger M Lambdin, Rollin Yu5

Jan 21

Regarding the LiteSSL Certificate Issuance Authentication Vulnerability

The preliminary incident report has been published on Bugzilla: https://bugzilla.mozilla.org/show_bug

unread,

Regarding the LiteSSL Certificate Issuance Authentication Vulnerability

The preliminary incident report has been published on Bugzilla: https://bugzilla.mozilla.org/show_bug

Jan 21

Jan 5

Approval of Microsec's e-Szigno TLS Root CA 2023

All, Public discussion of the Microsec e-Szigno TLS Root CA 2023 root [1] occurred from November 7,

unread,

Approval of Microsec's e-Szigno TLS Root CA 2023

All, Public discussion of the Microsec e-Szigno TLS Root CA 2023 root [1] occurred from November 7,

Jan 5

Andrew Ayer, … Filippo Valsorda8

12/13/25

Ongoing CT Logging Mistakes by CAs

I feel like it would be great if CAs that encoded invalid SCTs could proactively file incident

unread,

Ongoing CT Logging Mistakes by CAs

I feel like it would be great if CAs that encoded invalid SCTs could proactively file incident

12/13/25

12/12/25

Reflections on 2025 and Areas of Focus for 2026

Greetings, As we get to the end of 2025, it's time to reflect on the past year and to think about

unread,

Reflections on 2025 and Areas of Focus for 2026

Greetings, As we get to the end of 2025, it's time to reflect on the past year and to think about

12/12/25

Arabella Barks, … Aaron Gable10

12/3/25

Why didn’t apple trust Wyvern2027h1 and sphinx2027h1 ctlog?

They're not non-compliant, and they don't need to be revoked. This is because, so far,

unread,

Why didn’t apple trust Wyvern2027h1 and sphinx2027h1 ctlog?

They're not non-compliant, and they don't need to be revoked. This is because, so far,

12/3/25

Search

Clear search

Close search

Google apps

Main menu