On Monday, March 9, 2020 at 2:48:56 PM UTC-4, Kathleen Wilson wrote:
> * The root contains subject L and organizationIdentifier fields which
> are arguably in violation of BR 7.1.4.3 [5]. Some, if not all, of the
> subCAs also exhibit this issue.
Given that Mozilla explicitly encourages CAs to
On Tue, Mar 10, 2020 at 05:53:13PM -0500, Matthew Hardeman via
dev-security-policy wrote:
> Isn't the evident answer, if reasonable compromise is not forthcoming, just
> to publish the compromised private key? There's no proof of a compromised
> private key quite as good as providing a copy of
On Tue, Mar 10, 2020 at 01:48:49PM -0700, Chris Kemmerer via
dev-security-policy wrote:
> We have updated https://bugzilla.mozilla.org/show_bug.cgi?id=1620772 with
> the findings of our current investigation.
Thanks for this update. I have... comments.
Before I get into the nitty-gritty,
Isn't the evident answer, if reasonable compromise is not forthcoming, just
to publish the compromised private key? There's no proof of a compromised
private key quite as good as providing a copy of it.
I understand the downsides, but I think that capricious burdens encourage
stripping the issue
We have updated https://bugzilla.mozilla.org/show_bug.cgi?id=1620772 with the
findings of our current investigation.
We believe all issues raised in this thread are addressed in this update. Our
investigation is ongoing and we welcome any positive input by the community as
an opportunity to
For 0% of impact the FPs do not matter that much, so agreed!
Of course for now reality is not that... yet!
https://github.com/certbot/certbot/issues/1028 seems so appropriate :)
PS I was definitely not advocating for 5% false negative, no; we must
strive for 0% false negatives as well; all I
On Tue, Mar 10, 2020 at 05:18:51PM -0400, Ryan Sleevi via dev-security-policy
wrote:
> I'm sympathetic to CAs wanting to filter out the noise of shoddy reports
> and shenanigans, but I'm also highly suspicious of CAs that put too
> unreasonable an onus on reporters.
If CAs want a 100% reliable
On Tue, Mar 10, 2020 at 01:25:11PM -0700, bif via dev-security-policy wrote:
> Voluntarily providing CSR is not an ideal way to prove key compromise,
> because you could've simply found this CSR somewhere (I know, I know,
> super unlikely with your Subject... but still could happen.)
Feel free
On Tue, Mar 10, 2020 at 5:56 PM Piotr Kucharski wrote:
>> I'm sympathetic to CAs wanting to filter out the noise of shoddy reports
>> and shenanigans, but I'm also highly suspicious of CAs that put too
>> unreasonable an onus on reporters. It seems, in the key compromise case,
>> the benefit of
On Tue, 10 Mar 2020 at 22:19, Ryan Sleevi wrote:
>
>
> On Tue, Mar 10, 2020 at 4:25 PM bif via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> Matt,
>>
>> Voluntarily providing CSR is not an ideal way to prove key compromise,
>> because you could've simply found this
On Tuesday, March 10, 2020 at 1:25:21 PM UTC-7, bif wrote:
> Matt,
>
> Voluntarily providing CSR is not an ideal way to prove key compromise,
> because you could've simply found this CSR somewhere (I know, I know, super
> unlikely with your Subject... but still could happen.)
>
While a CSR
On Tue, Mar 10, 2020 at 4:25 PM bif via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Matt,
>
> Voluntarily providing CSR is not an ideal way to prove key compromise,
> because you could've simply found this CSR somewhere (I know, I know, super
> unlikely with your
Matt,
Voluntarily providing CSR is not an ideal way to prove key compromise, because
you could've simply found this CSR somewhere (I know, I know, super unlikely
with your Subject... but still could happen.)
And while "compromised" is way too short (one can sign up to 32 bytes using it
as a
Comments inline and snipped
On Mon, Mar 9, 2020 at 2:48 PM Kathleen Wilson via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> ==Meh==
>
> * Microsec issued two certificates in 2018 with 3-year validity periods [1].
>
That bug, and the related discussion, discussions
An incident report was created for this yesterday:
https://bugzilla.mozilla.org/show_bug.cgi?id=1620922
> -----Original Message-----
> From: dev-security-policy On Behalf Of Matt Palmer via dev-security-policy
> Sent: Tuesday, 10 March 2020 1:41
> To: dev-security-policy@lists.mozilla.org
>