Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

May 2015 CA Communication

146 views
Skip to first unread message

Kathleen Wilson

unread,
May 12, 2015, 3:19:08 PM5/12/15
to mozilla-dev-s...@lists.mozilla.org
All,

The May 2015 CA Communication has been sent.

https://blog.mozilla.org/security/2015/05/12/may-2015-ca-communication/

https://wiki.mozilla.org/CA:Communications#May_2015


Thanks to all of you who contributed to it.

Thanks,
Kathleen

Kathleen Wilson

unread,
May 12, 2015, 5:19:26 PM5/12/15
to mozilla-dev-s...@lists.mozilla.org
CAs,

A few pointers on the CA Communication...

+ If you did not receive the email and you were expecting it, send me a
note and I will let you know who I have listed as the Primary POC for
your CA.

+ If you find that the responses to one of the action items do not
exactly match what you are doing, then please choose the response that
is closest to what you are doing and then clarify in the corresponding
text input field.

+ All 5 action items require a response before your survey will be saved
-- if you submit too early there will be an error at the top of the
page. If you submit the survey successfully, a new thank-you page will
appear.

+ You can re-use the link in your email to see and update your responses
to the survey as often as you want.

Thanks,
Kathleen

David E. Ross

unread,
May 12, 2015, 5:50:11 PM5/12/15
to mozilla-dev-s...@lists.mozilla.org
What action will be taken if an E-mail is bounced for any reason (e.g.,
mail-box full, E-mail address unknown, message blocked as possible spam)?

What action will be taken if a CA fails to respond?

--
David E. Ross

I am sticking with SeaMonkey 2.26.1 until saved passwords can
be used when autocomplete=off. See
<https://bugzilla.mozilla.org/show_bug.cgi?id=433238>.

Kathleen Wilson

unread,
May 12, 2015, 6:49:34 PM5/12/15
to mozilla-dev-s...@lists.mozilla.org
On 5/12/15 2:49 PM, David E. Ross wrote:
> On 5/12/2015 12:18 PM, Kathleen Wilson wrote:
>> All,
>>
>> The May 2015 CA Communication has been sent.
>>
>> https://blog.mozilla.org/security/2015/05/12/may-2015-ca-communication/
>>
>> https://wiki.mozilla.org/CA:Communications#May_2015
>>
>>
>> Thanks to all of you who contributed to it.
>>
>> Thanks,
>> Kathleen
>>
>
> What action will be taken if an E-mail is bounced for any reason (e.g.,
> mail-box full, E-mail address unknown, message blocked as possible spam)?
>
> What action will be taken if a CA fails to respond?
>


In June I will manually send email to the CAs who haven't yet responded,
to see if they received the email, etc.
I will have a Salesforce report that will make that easier for me to do
(as compared to when I used to manually maintain a spreadsheet of
responses.)

Kathleen

Kathleen Wilson

unread,
May 12, 2015, 7:00:40 PM5/12/15
to mozilla-dev-s...@lists.mozilla.org
Also, the From address in the email is my address, so I will be notified
of any bounces.

So far, I received one out-of-office notice, and no bounces.

Kathleen



Kathleen Wilson

unread,
Jun 1, 2015, 3:08:29 PM6/1/15
to mozilla-dev-s...@lists.mozilla.org
On 5/12/15 3:59 PM, Kathleen Wilson wrote:
> On 5/12/15 3:48 PM, Kathleen Wilson wrote:
>> On 5/12/15 2:49 PM, David E. Ross wrote:
>>> On 5/12/2015 12:18 PM, Kathleen Wilson wrote:
>>>> All,
>>>>
>>>> The May 2015 CA Communication has been sent.
>>>>
>>>> https://blog.mozilla.org/security/2015/05/12/may-2015-ca-communication/
>>>>
>>>> https://wiki.mozilla.org/CA:Communications#May_2015
>>>>
>>>>
>>>> Thanks to all of you who contributed to it.
>>>>
>>>> Thanks,
>>>> Kathleen
>>>>


Here's the link to the automatically-generated report of CA responses:

https://mozillacaprogram.secure.force.com/Communications/CommunicationSummaryReport?CommunicationId=a04o000000M89RCAAZ

Kathleen


Kathleen Wilson

unread,
Jul 22, 2015, 7:36:39 PM7/22/15
to mozilla-dev-s...@lists.mozilla.org
> Here's the link to the automatically-generated report of CA responses:
>
> https://mozillacaprogram.secure.force.com/Communications/CommunicationSummaryReport?CommunicationId=a04o000000M89RCAAZ
>

All,

I apologize for my delay in following up on this, due to my summer vacation.

Every CA has responded.

There is a link to the auto-generated report here:
https://wiki.mozilla.org/CA:Communications#May_2015_Responses

I'll look into the results more when I catch up from my vacation.

Kathleen

Kathleen Wilson

unread,
Aug 3, 2015, 2:41:28 PM8/3/15
to mozilla-dev-s...@lists.mozilla.org
On 7/22/15 4:36 PM, Kathleen Wilson wrote:
>> Here's the link to the automatically-generated report of CA responses:
>>
>> https://mozillacaprogram.secure.force.com/Communications/CommunicationSummaryReport?CommunicationId=a04o000000M89RCAAZ
>>
>>
>
> Every CA has responded.
>
> There is a link to the auto-generated report here:
> https://wiki.mozilla.org/CA:Communications#May_2015_Responses
>


I have updated the Salesforce data regarding the CA responses to Action
#1 (Primary POC) and Action #2 (BR Audit statements).

3 new reports are now available here:
https://wiki.mozilla.org/CA:Communications#May_2015_Responses

1) Responses to Action #3 -- SHA-1 Deprecation Plans

2) Responses to Action #4 -- Removing workarounds implemented to allow
mozilla::pkix to handle the things listed here
https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix.

3) Responses to Action #5 -- IPv6 survey

Kathleen



Gervase Markham

unread,
Aug 5, 2015, 5:50:32 AM8/5/15
to mozilla-dev-s...@lists.mozilla.org
On 03/08/15 19:40, Kathleen Wilson wrote:
> 1) Responses to Action #3 -- SHA-1 Deprecation Plans

Several large CAs have significant outstanding inventory of SHA-1 certs
which are valid beyond 2017 and have no plans to revoke them. This is
fine in that there is no requirement to revoke them (AIUI), but it does
show that SHA-1 deprecation needs to be driven by browser UI, as it is
not going to be driven by CAs.

> 3) Responses to Action #5 -- IPv6 survey

It seems like the largest commercial CAs are all either on board (well
done Comodo and GlobalSign) or coming on board (GoDaddy, Symantec,
others). However, there is still a long tail of CAs with no plans for
implementation.


It would be great if these reports could be tweaked to include a Totals
row at the top (i.e. just under the heading) as well as at the bottom.

Gerv


Kathleen Wilson

unread,
Aug 6, 2015, 12:39:48 PM8/6/15
to mozilla-dev-s...@lists.mozilla.org
On 8/5/15 2:49 AM, Gervase Markham wrote:
> On 03/08/15 19:40, Kathleen Wilson wrote:
>> 1) Responses to Action #3 -- SHA-1 Deprecation Plans
>
> Several large CAs have significant outstanding inventory of SHA-1 certs
> which are valid beyond 2017 and have no plans to revoke them. This is
> fine in that there is no requirement to revoke them (AIUI), but it does
> show that SHA-1 deprecation needs to be driven by browser UI, as it is
> not going to be driven by CAs.

Indeed.

>
>> 3) Responses to Action #5 -- IPv6 survey
>
> It seems like the largest commercial CAs are all either on board (well
> done Comodo and GlobalSign) or coming on board (GoDaddy, Symantec,
> others). However, there is still a long tail of CAs with no plans for
> implementation.

Suggestions?

>
> It would be great if these reports could be tweaked to include a Totals
> row at the top (i.e. just under the heading) as well as at the bottom.

Done.

Thanks,
Kathleen


Gervase Markham

unread,
Aug 7, 2015, 6:39:09 AM8/7/15
to Kathleen Wilson
On 06/08/15 17:39, Kathleen Wilson wrote:
> Suggestions?

I'll defer to Ryan on that; this is his pony at the moment :-)

Gerv


0 new messages