On Tuesday, 23 August 2016 20:03:13 UTC+1, Kathleen Wilson wrote:
> Are there any other topics that I should include in this upcoming CA 
> Communication?

It can be worth following up on date-in-time commitments from those CAs in 
replies to the previous communication this year. Each CA should be able to 
confirm either that the committed action has now happened as planned, or that 
it is delayed, and give a new hoped-for date.


China Internet Network Information Center (CNNIC) wrote "We plan to upgrade 
device and software and also deploy new SHA 256 intermediate Root (operated by 
CNNIC ) to issue SHA256 DV and EV cert by the end of May, 2016."

RSA the Security Division of EMC wrote of their SHA-1 signing "There is a plan 
in place to change this to SHA-2 by June 15, 2016"

SwissSign AG wrote also of a system that still uses SHA-1 "We will Change this 
to SHA2 until August 2016."

Swisscom (Switzerland) Ltd wrote "SHA-1 S/MIME certificates are still being 
issued since one our customers did not fully migrate to SHA-256 yet. Deadline 
for this migration is 06/30/2016, from this date on, no more SHA-1 based S/MIME 
certificates will be issued"


Telia Company (formerly TeliaSonera) wrote that they need "more time up to 
06/30/2016 to find the details" of certificates which lack a matching SAN for 
the CN.

Trustis wrote "KeyUsage will be added to all Certificates with effect from 
05/30/2016"

T-Systems International GmbH (Deutsche Telekom) wrote that dubious OCSP 
responses "will be fixed by June 02, 2016." and also that "We plan to switch 
to SHA-2 until Q3/2016" for CRL signing.

Autoridad de Certificacion Firmaprofesional wrote that certificates with no 
corresponding SAN for their CN "will be revoked by July, the 1st, 2016"

Camerfirma use BMPString in the certificate DN, but "We plan to have a solution 
in a couple of months"

DocuSign (OpenTrust/Keynectis) likewise use unsupported encodings in the DN. 
They wrote "Last issuance date will be 06/30/2016"

Entrust, again with unsupported DN encodings, wrote "last issuance date could be 
as late as 30 June 2016"

Government of Hong Kong (SAR), Hongkong Post, Certizen, wrote that they "Will 
stop issuing SSL certificates without the DNSName entry in the subjectAltName 
extension on 1 Sep 2016."

Government of The Netherlands, PKIoverheid (Logius) wrote "We are in the 
process of altering our CP with regard to this issue. Our new CP will be 
effective coming July."

WISeKey wrote of continued non-SSL SHA-1 issuance "We expect this situation to 
be solved during the first half of 2016"

I am sure we all recognise that it is easy to make commitments about the future 
but not always so easy to keep them. For this reason I think reminders are 
useful. Because the earlier replies with these dates in were public, updates 
should be made public too. However, it may be more appropriate to handle these 
as individual messages rather than a mass communication.
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
