Before this goes too far. Perhaps we should have an in-person meeting on
how to deal with this down in the valley and do a review on ACME at the
same time. These being somewhat linked.

The controls Tim Mather and co brought over from the NSA worked well for 20
years but it looks like they have been eroded. At this point we are on the
brink of a technology transition to ECC and also deploying CT.

There are options on the table today that we did not know existed in 1995.



On Sat, Sep 19, 2015 at 5:06 PM, Richard Barnes <[email protected]> wrote:

> On Sat, Sep 19, 2015 at 2:12 PM, Brian Smith <[email protected]> wrote:
>
> > On Sat, Sep 19, 2015 at 7:20 AM, Gervase Markham <[email protected]> wrote:
> >
> > > Symantec just fired people for mis-issuing a google.com 1-day pre-cert:
> > >
> >
> > By the way, Symantec didn't say "pre-cert," they said "certificates".
> >
>
> Well, a "pre-cert" is just a certificate with the poison extension in it.
>
> --Richard
>
>
>
> >
> > Also, we shouldn't be splitting hairs at the difference between
> > pre-certificates and certificates as far as mis-issuance detection is
> > concerned. If people think there is a meaningful (technical, legal, etc.)
> > distinction between a pre-certificate being logged via CT and the
> > corresponding certificate being logged in CT, then we should consider
> > removing the pre-certificate mechanism from CT so that there's no doubts
> > in that. My view is that there is no meaningful difference.
> >
> > Cheers,
> > Brian
> > _______________________________________________
> > dev-security-policy mailing list
> > [email protected]
> > https://lists.mozilla.org/listinfo/dev-security-policy
> >