
Re: Fate of Secure Origins in Question?

From: Eric Mill <eric@konklone.com>
Date: Mon, 6 Apr 2015 14:56:40 -0400
Message-ID: <CANBOYLV2PPsTyc7orGTx_wxpDj4O5d62Uxn+RvLZLE0czidRtw@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: Brad Hill <hillbrad@gmail.com>, noloader@gmail.com, "public-webappsec@w3.org" <public-webappsec@w3.org>

I hate to extend the off-topic thread more, but so it's clear, this is a
10-year-old announcement:
http://www.hostreview.com/news/050215geotrust.html

As Peter Bowen pointed out in another thread, intermediate CAs (like Google
G2) have since become subject to auditing requirements they were not in
2005.

On Mon, Apr 6, 2015 at 1:05 PM, Daniel Veditz <dveditz@mozilla.com> wrote:

> I echo Brad's suggestion to take this concern to Mozilla's security policy
> group. Issuing unconstrained and un-audited sub-CA certs would violate
> Mozilla's certificate policy (see section 8 of
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/).
> The press release doesn't actually say such certs would be unconstrained
> and GeoTrust should be well aware of these requirements, but it doesn't
> hurt to follow up and make sure.
>
> -Dan Veditz
>



-- 
konklone.com | @konklone <https://twitter.com/konklone>
Received on Monday, 6 April 2015 18:57:48 UTC
