dev-security-policy@mozilla.org

Contact owners and managers

1–30 of 294

Welcome to the dev-security-policy group in which we discuss security-related policies, governance, and related topics; including discussion of Mozilla’s Root Store Policy and the NSS root certificate store.

Mailing List: dev-security-policy@mozilla.org
Web: https://groups.google.com/a/mozilla.org/g/dev-security-policy
Subscribe by using the button "Ask to join group" and complete the box "Reason for joining". Membership requests must provide context for your interest in joining the group. Requests without this information will be rejected.
Participation Guidelines: https://www.mozilla.org/about/governance/policies/participation/
Participants: https://wiki.mozilla.org/CA/Policy_Participants
Unsubscribe by sending email to: dev-security-policy+unsubscribe@mozilla.org
Previous archives (2009-2021): https://groups.google.com/g/mozilla.dev.security.policy
RSS feed: https://www.mail-archive.com/dev-security-policy@mozilla.org/maillist.xml

0 selected

Amir Omidi (aaomidi), Enrico Entschew2

Jan 21

d-trust data protection incident

Hi Amir, At all times, this incident did not impact our certificate issuance infrastructure. The

unread,

d-trust data protection incident

Hi Amir, At all times, this incident did not impact our certificate issuance infrastructure. The

Jan 21

Ben Wilson, … Doug Beattie12

Jan 17

MRSP 3.0: Issue #279: TLS-specific and S/MIME-specific Root CAs

Hi Doug, I can make changes in section 7.5 to explicitly exempt OCSP Signing Certificates by adding

unread,

MRSP 3.0: Issue #279: TLS-specific and S/MIME-specific Root CAs

Hi Doug, I can make changes in section 7.5 to explicitly exempt OCSP Signing Certificates by adding

Jan 17

Ben Wilson, … Rob Stradling48

Jan 16

MRSP 3.0: Issue #276: Delayed Revocation

All, I have posted a replacement wiki page and created a GitHub commit to address this issue. https:/

unread,

MRSP 3.0: Issue #276: Delayed Revocation

All, I have posted a replacement wiki page and created a GitHub commit to address this issue. https:/

Jan 16

Jan 14

Approval of SECOM Request for Cybertrust Japan SureMail CA G5

All, Public discussion of the SECOM request regarding issuance of a CA certificate for the Cybertrust

unread,

Approval of SECOM Request for Cybertrust Japan SureMail CA G5

All, Public discussion of the SECOM request regarding issuance of a CA certificate for the Cybertrust

Jan 14

Mike Benza, … Jeffrey Walton4

Jan 10

GLOBALTRUST 2020's reinclusion in Mozilla's trusted certificates

On Friday, January 10, 2025 at 12:13:51 PM UTC-5 Andrew Ayer wrote: Hi Mike, GLOBALTRUST was never

unread,

GLOBALTRUST 2020's reinclusion in Mozilla's trusted certificates

On Friday, January 10, 2025 at 12:13:51 PM UTC-5 Andrew Ayer wrote: Hi Mike, GLOBALTRUST was never

Jan 10

Hanno Böck, … Rob Stradling11

Jan 10

Concerns about very-short-lived certificates

> Many rely not on actually reading CT logs, but utilize crt.sh. It is > great that this

unread,

Concerns about very-short-lived certificates

> Many rely not on actually reading CT logs, but utilize crt.sh. It is > great that this

Jan 10

Ben Wilson, … Rob Stradling8

Jan 9

MRSP 3.0: Issue #283: Automation of certificate issuance and renewal

Hi Adriano, If needed, we can clarify the language to communicate better our expectation that renewal

unread,

MRSP 3.0: Issue #283: Automation of certificate issuance and renewal

Hi Adriano, If needed, we can clarify the language to communicate better our expectation that renewal

Jan 9

12/18/24

Timing of Public Discussion of S/MIME External Sub CA

All, I intend to start public discussion of this matter using the CCADB Public list (https://groups.

unread,

Timing of Public Discussion of S/MIME External Sub CA

All, I intend to start public discussion of this matter using the CCADB Public list (https://groups.

12/18/24

Ben Wilson, Roman Fischer3

12/11/24

MRSP 3.0: Issue #275: CA Key Protection

Thanks, Roman, for your questions. With respect to CA key protection, gaps in audit reports raise a

unread,

MRSP 3.0: Issue #275: CA Key Protection

Thanks, Roman, for your questions. With respect to CA key protection, gaps in audit reports raise a

12/11/24

12/3/24

Approval of D-Trust's 2023 Root CAs

Greetings, Public discussion regarding inclusion of the following D-Trust root CA certificates

unread,

Approval of D-Trust's 2023 Root CAs

Greetings, Public discussion regarding inclusion of the following D-Trust root CA certificates

12/3/24

Ben Wilson, … Dimitris Zacharopoulos3

11/27/24

MRSP 3.0: Issue #263: Clarify sentence prohibiting blank sections that also contain no Subsections in CPs and CPSes

Ben, Could you please propose this exact language to the CABF SCWG in response to the failed SC-74?

unread,

MRSP 3.0: Issue #263: Clarify sentence prohibiting blank sections that also contain no Subsections in CPs and CPSes

Ben, Could you please propose this exact language to the CABF SCWG in response to the failed SC-74?

11/27/24

Hanno Böck, … Mike Shaver3

11/26/24

Certificate with compromised key / *.digicert-demo.com

Possibly of interest in blocking keys is Matt Palmer's great work in this space: https://

unread,

Certificate with compromised key / *.digicert-demo.com

Possibly of interest in blocking keys is Matt Palmer's great work in this space: https://

11/26/24

11/22/24

MRSP 3.0: Issue #s 270 and 271: Incident Reporting

All, This post is intended to initiate public discussion on improvements to the Mozilla Root Store

unread,

MRSP 3.0: Issue #s 270 and 271: Incident Reporting

All, This post is intended to initiate public discussion on improvements to the Mozilla Root Store

11/22/24

11/20/24

Fwd: Further Improving the CCADB Incident Reporting Guidelines (FEEDBACK REQUESTED)

All, Forwarding here - please see below. Comments can be provided preferably on GitHub or on the

unread,

Fwd: Further Improving the CCADB Incident Reporting Guidelines (FEEDBACK REQUESTED)

All, Forwarding here - please see below. Comments can be provided preferably on GitHub or on the

11/20/24

M THUG, … Dana Keeler7

11/18/24

Reg : Inquiry Regarding Removal of Certificates with Specific SHA1 Fingerprints

Note that that certificate was not removed from NSS, but rather had its trust bits edited so that it

unread,

Reg : Inquiry Regarding Removal of Certificates with Specific SHA1 Fingerprints

Note that that certificate was not removed from NSS, but rather had its trust bits edited so that it

11/18/24

Matt Palmer, … Amir Omidi6

11/11/24

The Pwnedkeys Revokinator is back!

On Sun, Nov 10, 2024 at 06:19:50PM -0500, Amir Omidi wrote: > Trying to understand why signing

unread,

The Pwnedkeys Revokinator is back!

On Sun, Nov 10, 2024 at 06:19:50PM -0500, Amir Omidi wrote: > Trying to understand why signing

11/11/24

Aaron Gable, … Matt Palmer12

11/2/24

Assuming keyCompromise for unspecified-reason revocations

On Fri, Nov 01, 2024 at 06:47:54PM -0500, Jaime Hablutzel wrote: > > On 1 Nov 2024, at 7:28 AM,

unread,

Assuming keyCompromise for unspecified-reason revocations

On Fri, Nov 01, 2024 at 06:47:54PM -0500, Jaime Hablutzel wrote: > > On 1 Nov 2024, at 7:28 AM,

11/2/24

Peter Gutmann, … Rob Stradling22

10/30/24

Standard PKC Test Keys

Matt Palmer <mpa...@hezmatt.org> writes: >Well, I don't know if it's actually all

unread,

Standard PKC Test Keys

Matt Palmer <mpa...@hezmatt.org> writes: >Well, I don't know if it's actually all

10/30/24

Rob Stradling, … Matthew McPherrin5

10/17/24

Certificate Transparency enforcement in Firefox

I see you've landed a patch changing 12 to 10 weeks: https://bugzilla.mozilla.org/show_bug.cgi?id

unread,

Certificate Transparency enforcement in Firefox

I see you've landed a patch changing 12 to 10 weeks: https://bugzilla.mozilla.org/show_bug.cgi?id

10/17/24

10/7/24

MRSP 3.0: Candidate Issues for MRSP v. 3.0

All, Please also consider the addition of GitHub Issue #283 to the list of issues that we would like

unread,

MRSP 3.0: Candidate Issues for MRSP v. 3.0

All, Please also consider the addition of GitHub Issue #283 to the list of issues that we would like

10/7/24

Ben Wilson, … Matt Palmer17

10/2/24

Proposal for an Interim Policy to Address Delayed Revocation

On Tue, Oct 01, 2024 at 12:26:08PM +0000, Sandy Balzer wrote: > Dear Ben, > > Thanks a lot

unread,

Proposal for an Interim Policy to Address Delayed Revocation

On Tue, Oct 01, 2024 at 12:26:08PM +0000, Sandy Balzer wrote: > Dear Ben, > > Thanks a lot

10/2/24

Hanno Böck, … Amir Omidi11

9/16/24

IANA whois information

A ballot has been introduced removing these problematic DCV methods: https://lists.cabforum.org/

unread,

IANA whois information

A ballot has been introduced removing these problematic DCV methods: https://lists.cabforum.org/

9/16/24

Tyrel, … Wayne11

9/13/24

Sources of Domain Contact Information?

Perhaps the many CAs who are not using WHOIS would be able to help. If they were impacted, when would

unread,

Sources of Domain Contact Information?

Perhaps the many CAs who are not using WHOIS would be able to help. If they were impacted, when would

9/13/24

9/13/24

UK VAT Groups and subject:organizationIdentifier

Hi all, Following on from discoveries in Bugzilla on the non-uniqueness of subject:

unread,

UK VAT Groups and subject:organizationIdentifier

Hi all, Following on from discoveries in Bugzilla on the non-uniqueness of subject:

9/13/24

Watson Ladd, Suchan Seo2

9/13/24

Aberrant bits in certificates (location edition)

sent it as private message by mistake, writeing it again; there is possablity of someone else

unread,

Aberrant bits in certificates (location edition)

sent it as private message by mistake, writeing it again; there is possablity of someone else

9/13/24

Stephen Davidson

9/4/24

Multi Perspective Issuance Corroboration (MPIC) for S/MIME

The S/MIME Certificate Working Group (SMCWG) of the CA/Browser Forum is considering a change to the S

unread,

Multi Perspective Issuance Corroboration (MPIC) for S/MIME

The S/MIME Certificate Working Group (SMCWG) of the CA/Browser Forum is considering a change to the S

9/4/24

Tim Hollebeek, … Tobias S. Josefowitz37

8/13/24

Feasibility of a binding commitment to revoke before issuance

On Fri, 9 Aug 2024, moz...@eigenvector.org.uk wrote: > The point of the Web PKI is to convey a

unread,

Feasibility of a binding commitment to revoke before issuance

On Fri, 9 Aug 2024, moz...@eigenvector.org.uk wrote: > The point of the Web PKI is to convey a

8/13/24

Jesper Kristensen, Walt2

8/11/24

Support for quick certificate replacement in subscriber tooling

Caddy absolutely does support ARI as of 2.8.0. I'd argue that it also doesn't need to try to

unread,

Support for quick certificate replacement in subscriber tooling

Caddy absolutely does support ARI as of 2.8.0. I'd argue that it also doesn't need to try to

8/11/24

Ben Wilson, … Wayne93

8/5/24

Recent Entrust Compliance Incidents

Hi Matt, You answered my thoughts on BR applicability in your last paragraph. I don't mean to say

unread,

Recent Entrust Compliance Incidents

Hi Matt, You answered my thoughts on BR applicability in your last paragraph. I don't mean to say

8/5/24

Watson Ladd, … Amir Omidi5

8/2/24

Lawyers, (no) Guns, and Money and the CA system

There is an argument to be made that every other CA should definitely look into their legal playbooks

unread,

Lawyers, (no) Guns, and Money and the CA system

There is an argument to be made that every other CA should definitely look into their legal playbooks

8/2/24

Search

Clear search

Close search

Google apps

Main menu