W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2015

Re: Fate of Secure Origins in Question?

From: Daniel Veditz <dveditz@mozilla.com>
Date: Mon, 6 Apr 2015 10:05:38 -0700
Message-ID: <CADYDTCAgffj9NqQGodLv=43dCn=ozEqZBZC0yKOdyf=p9WL7iA@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: noloader@gmail.com, "public-webappsec@w3.org" <public-webappsec@w3.org>
I echo Brad's suggestion to take this concern to Mozilla's security policy
group. Issuing unconstrained and un-audited sub-CA certs would violate
Mozilla's certificate policy (see section 8 of
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/).
The press release doesn't actually say such certs would be unconstrained
and GeoTrust should be well aware of these requirements, but it doesn't
hurt to follow-up and make sure.

-Dan Veditz
Received on Monday, 6 April 2015 17:06:07 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:12 UTC