nner that complements the
existing design constraints, rather than conflicts with them.
However this solution seems to not rely on PKI clients having fail-hard
CRL/OCSP handling, but on them having a way to enforce SubCA
revocations. This includes Mozilla OneCRL, the static CRL support
in OpenSSL and
best of us, to hire the very best, and to be the very best
at explaining. Unfortunately, as your post highlights, CAs have largely
optimized for reducing "financial strain", and thus, haven't really tried
to be the best or have the best. And I think, for users, that's unfort
s on how we can make this language even more clear.
How would that phrasing cover doppelgangers of intermediary SubCAs under
an included root CA?
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This
d they won't accept audits from.
ts,
even if doing so would be legitimate or even required by the root
programs.
Thus the hypothetical scenario could land the CAO in an impossible
situation, if root program requirements or common CA protocols change,
and those changes would require even one additional signature by the
root CA
On 2020-10-30 18:45, Ryan Sleevi wrote:
On Fri, Oct 30, 2020 at 12:38 PM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
On 2020-10-30 16:29, Rob Stradling wrote:
Perhaps add: "And also include any other certificates sharing the same
private/publi
"as CA certificates".
____
From: Jakob Bohm via dev-security-policy
Sent: 29 October 2020 14:57
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Policy 2.7.1: MRSP Issue #186: Requirement to Disclose Self-signed
Certificates
On 2020-10-29 01:25, Ben Wilson wrote
of certificates with easily
compromised keys.
Thus it makes sense for the involved CAs (such as Let's Encrypt) to
issue these certificates with a unique EKU other than the generic
"Server Authentication" traditionally associated with TLS.
criber participate in
the above system without violating the relevant requirements?
Thanks,
Jacob
add: "And also include any other certificates sharing the same
private/public key pairs as certificates already included in the
requirements." (this covers the situation you mentioned where a
self-signed certificate shares the key pair of a certificate that chains
to an included roo
On 2020-10-28 20:54, Ryan Sleevi wrote:
On Wed, Oct 28, 2020 at 10:50 AM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
This aspect of RFC5280 section 4.1.2.5 is quite unusual in computing,
where the ends of intervals are typically encoded suc
seems another detail where the old IETF working group made
things unnecessarily complicated for everybody.
From a policy perspective, if enough code out there has the same
interpretation as old EJBCA versions, maybe it would make more sense
for the policy bodies to override RFC5280.
On 2020-10-17 01:38, Ryan Sleevi wrote:
On Fri, Oct 16, 2020 at 5:27 PM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
RFC4180 section 3 explicitly warns that there are other variants and
specifications of the CSV format, and thus the full generalizati
On 2020-10-16 14:11, Ryan Sleevi wrote:
On Thu, Oct 15, 2020 at 7:44 PM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
On 2020-10-15 11:57, Ryan Sleevi wrote:
On Thu, Oct 15, 2020 at 1:14 AM Jakob Bohm via dev-security-policy <
dev-securi
rification started with:
> In addition to the questions posted by Wayne, I think it'd be useful
> to confirm:
> ...
what meaning was intended.
From: dev-security-policy on behalf
of Jakob Bohm via dev-security-policy
Sent: 12 October 2020 22:41
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Sectigo to Be Acquired by GI Partners
Hi Rob,
The e-mail you quote below
On 2020-10-15 11:57, Ryan Sleevi wrote:
On Thu, Oct 15, 2020 at 1:14 AM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
For example, embedded new lines are discussed in 2.6 and the ABNF
therein.
The one difference from RFC4180 is that CR and LF a
On 2020-10-15 04:52, Ryan Sleevi wrote:
On Wed, Oct 14, 2020 at 7:31 PM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
Only the CSV form now contains CSV artifacts. And it isn't really CSV
either (even if Microsoft Excel handles it).
Hi Jakob,
ent data, e.g.
data published directly via the CCADB. I think that providing the data
in an easily consumable format is better than having folks extract the
data from certdata.txt.
Thanks,
Kathleen
On 2020-10-12 20:50, Kathleen Wilson wrote:
On 10/7/20 1:09 PM, Jakob Bohm wrote:
Please note that at least the first CSV download is not really a CSV
file, as there are line feeds within each "PEM" value, and only one
column. It would probably be more useful as a simple concat
zilla policy.
Thanks,
Ben
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Mozilla-trusted certificates and labels them as simply
"mozilla/cert-public-name", even though more useful naming can be
extracted from the last (most complete) report, after finding a non-gui
tool that can actually parse CSV files with embedded newlines in string
values.
mat suits to avoid transporting
the virus between redundant backup CA offices that have been kept
separate to ensure CA operations continue even if every person at one
office becomes critically ill.
Thanks,
Ben Wilson
Mozilla Root Store Manager
<https://wiki.mozilla.org/CA/Audit_Statements#Audi
y the code to collect
and cache OCSP responses.
P.S. One commonly vilified server brand actually does use AIA to build
the server chain.
in accordance with Section
3.2.2.1.
I'm pretty sure this isn't what the BRs intended, but this appears to forbid
issuance with a meaningful subject:organizationalUnitName unless all of the
above attributes are populated. EVG §9.2.9 forbids including those attributes
in the first pla
.
It was moved entirely off screen, and replaced with very subtle
differences in the contents of a pop-up.
been
issued before Browser Policy made BR compliance mandatory. In other
words, BR non-compliance may not have been actual non-compliance at
that time.
On 07/10/2019 17:35, Ryan Sleevi wrote:
> On Mon, Oct 7, 2019 at 11:26 AM Jakob Bohm via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> On 07/10/2019 16:52, Ryan Sleevi wrote:
>>> I'm curious how folks feel about the following p
clear-cut violation of the Baseline Requirements,
and "Foo" could have pursued an alternative hierarchy to avoid needing to
cross-sign. However, I thought it interesting to solicit others' feedback
on this situation, before opening the CA incident for Foo.
the equation. :-)
>>
>> Short-term:
>> - I think BR 7.1.2.5, as written, is decidedly unhelpful and should
>> be revised to have a much smaller scope. Surely only the serial number
>> uniqueness requirement (RFC5280 section 4.1.2.2) needs to be relaxed,
>> n
t if a consumable
component (such as a COTS disk system or COTS server) fails.
- A system failure during actual certificate signing needs to be
detected and handled within the 24 hour deadline. But such failures
are typically detected within the hour, thus during any business hours
signing cer
rtificates that contain the EKU for Microsoft compatibility.
This is especially bad if the SubCA is controlled by an entity other
than its direct parent CA.
On 03/09/2019 00:54, Ryan Sleevi wrote:
> On Mon, Sep 2, 2019 at 2:14 PM Alex Cohn via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> On Mon, Sep 2, 2019 at 12:42 PM Jakob Bohm via dev-security-policy <
>> dev-security-policy@lists.mozilla
On 02/09/2019 20:13, Alex Cohn wrote:
On Mon, Sep 2, 2019 at 12:42 PM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
If an OCSP server supports returning (or always returns) properties of
the actual cert, such as the CT proofs, then it really cannot
Responder Returned “Unauthorized”
> for Some Precertificates
>
> I don't recall the cab forum ever contemplating or discussing ocsp for
> precertificates. The requirement to provide responses is pretty clear, but
> what that response should be is a little confusing imo.
> ...
subscriber to use the validity before the cert
actually exists, while in other cases it is not possible, except for the
difficulty in proving that the cert doesn't exist.
On 29/08/2019 19:47, Nick Lamb wrote:
> On Thu, 29 Aug 2019 17:05:43 +0200
> Jakob Bohm via dev-security-policy
> wrote:
>
>> The example given a few messages above was a different jurisdiction
>> than those two easily duped company registries.
>
> I see. Perha
b Site" from London, UK [Union
> flag].
>
> Sounds legitimate.
>
> Remember, the British government doesn't care that Authorised Web Site
> is a stupid name for a company, that its named officers are the
> characters in Toy Story, that its claimed offices are a bu
** Note that this plan excludes QuoVadis; we will be posting updates on the
QuoVadis system migration later once we free up resources from the Symantec
migration.
Looking forward to the questions!
Jeremy
On 27/08/2019 08:03, Peter Gutmann wrote:
> Jakob Bohm via dev-security-policy
> writes:
>
>> <https://www.typewritten.net/writer/ev-phishing/> and
>> <https://stripe.ian.sh/> both took advantage of weaknesses in two
>> government registries
>
On 26/08/2019 21:49, Jonathan Rudenberg wrote:
> On Mon, Aug 26, 2019, at 15:01, Jakob Bohm via dev-security-policy wrote:
>> <https://www.typewritten.net/writer/ev-phishing/> and
>> <https://stripe.ian.sh/> both took advantage of weaknesses in two
>> government
.1.543.2117&rep=rep1&type=pdf
An undated(!) study involving highly outdated browsers. No indication
this was ever in a peer reviewed journal.
DV is sufficient. Why pay for something you don't need?
Unproven claim, especially by studies from before free DV without
traceable credit
rwork. Thus someone reading the wording of
company bylaws, would assume all companies are registered and incorporated
at the county level, because the bylaws will usually not even mention the
country (or the registration number, as the initial bylaws must be
submitte
istration.
But a CA validation team should research this further to set up proper
templates and scripts for validating EV/OV/IV applicants claiming C=DK.
n the report is one of
claiming a subscriber violates a subjective rule, such as malicious cert
use or name ownership conflicts.
s that use EV certificates, but
the
EV indicator bar is still better than just nothing. AntiPhishing filters
are not a good alternative because they only protect when the harm is
already done to some users.
not perfect, they are useless,
while ignoring any and all improvements since your original write-ups.
You really should look at the long term agendas at work here and
reconsider what you may be inadvertently supporting.
On 14/08/2019 21:55, Peter Bowen wrote:
On Wed, Aug 14, 2019 at 10:16 AM Jakob Bohm wrote:
On 14/08/2019 18:18, Peter Bowen wrote:
One thing I've found really useful in working on user experience is to
discuss things using problem & solution statements that show the before
and
af
On 14/08/2019 18:18, Peter Bowen wrote:
On Tue, Aug 13, 2019 at 4:24 AM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
A policy of switching from positive to negative indicators of security
differences is no justification to switch to NO indication.
ks :evilpie for
working on it!). We're planning to flip this pref to false in bug 1572936
<https://bugzilla.mozilla.org/show_bug.cgi?id=1572936>.
Please let us know if you have any questions or concerns,
Wayne & Johann
more. ISRG / Let's Encrypt pursued something
similar-but-different, but which had the functional goal of reducing their
dependency on the IdenTrust root in favor of the ISRG root.
s in 2019. Don't let embarrassing
incidents like this happen to you.
not trust them, no matter the source.
I believe this is either done, or easy to add.
On Friday, July 19, 2019 at 1:27:17 PM UTC-7, Jakob Bohm wrote:
On 19/07/2019 21:13, andrey...@gmail.com wrote:
I am confused. Since when Mozilla is under obligation to provide customized
solutions for
of secrecy from
even the authorities.
A large home to consider could be 4 generations living together, with
8 to 10 children and 4 spouses for each in each generation, but in
relative poverty.
malicious and user-helping systems.
a.txt", this file is including Public CA
certificates. So an expired certificate means that the key cannot be used
anymore.
I'm still not expressing this message as an issue, but a suggestion to
update/remove those expired Public Keys from your certdata.txt.
On 14/06/2019 18:54, Ryan Sleevi wrote:
> On Fri, Jun 14, 2019 at 4:12 PM Jakob Bohm via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> In such a case, there are two obvious solutions:
>>
>> A. Trademark owner (prompted by applic
ot always possible if other
legal issues take priority for the applicant, such as keeping their
online webshop legally separate from their core IP assets).
hed to safely handle the heartbeat TLS extension would
typically be misdetected as vulnerable. Also, use of a HSM to store the
private key would make it not compromised even if used with a vulnerable
OpenSSL.
So identifying affected certificates from the CA community side in such
situations is us
On 17/05/2019 07:21, Jakob Bohm wrote:
> On 17/05/2019 01:39, Wayne Thayer wrote:
>> On Thu, May 16, 2019 at 4:23 PM Wayne Thayer wrote:
>>
>> I will soon file a bug requesting removal of the “Certinomis - Root CA”
>>> from NSS.
>>>
>>
>> T
certificates that expire on or before 2019-08-31, as those
will be unaffected by a September distrust.
- Exclude certificates issued after 2019-05-17 (today), as Certinomis
should be aware of the likely distrust by tonight.
ty.policy/RJHPWUd93xE/lyAX9Wz_AQAJ
[3] https://crt.sh/?opt=cablint&id=160150786
On 10/05/2019 05:25, Ryan Sleevi wrote:
On Thu, May 9, 2019 at 10:44 PM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
On 09/05/2019 16:35, Ryan Sleevi wrote:
Given that the remark is that such a desire is common, perhaps you can
provide some ex
On 09/05/2019 16:35, Ryan Sleevi wrote:
> On Wed, May 8, 2019 at 10:36 PM Jakob Bohm via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> [ Note, I am arguing a neutral position on the specific proposal ]
>>
>> The common purpose of havi
termediaries) would also depend on the abilities of corporate
software packages.
>> Does this clarify why having a single "Org CA" would help in deployment
>> in some enterprise environments?
>>
>
> Yes. Hopefully my response demonstrates why, based on the preconditi
find the CP/CPS for a CA. Linking
directly to the document would help a lot.
ated by reference into EN 319 401 (the above quote is a
statement of intent to include the BR requirements that existed when
EN 319 401 was written).
That said, Mozilla policy at the time may have explicitly stated that an
EN 319 401 audit is/was sufficient for Mozilla inclusion purposes.
e OID system)
a different assigned OID such as 9.88.999, thus not overlapping.
Thus no risk of conflicting uses unless someone breaks the basic OID
rules. The actual risk (as illustrated by EV) is getting too many
different OIDs for the same thing.
On 15-Apr-19 6:57 PM, Jakob Bohm via dev-security-policy wrote:
Thanks for the explanation.
Is it possible that a significant percentage of less-skilled users
simply pasted in the wrong certificates by mistake, then wondered why
their new certificates never worked?
Pasting in the wrong certifica
ame. We've
since disabled that system, although we didn't file any incident report (for
the reasons discussed so far).
-Original Message-
From: dev-security-policy On
Behalf Of Wayne Thayer via dev-security-policy
Sent: Friday, April 12, 2019 10:39 AM
To: Jakob Bohm
Cc:
the other certs looks like cross-sign for the
Digicert root.
Why still no response from Digicert? Has this been reported to them
directly?
cy/mCKvUmYUMb0/sqZVnFvKBwAJ
[2]
https://github.com/mozilla/pkipolicy/commit/3e38142acd28b152eca263e7528fac940efb20e2
[3] https://github.com/mozilla/pkipolicy/issues/5
[4] https://github.com/mozilla/pkipolicy/issues/170
time after their last actual use.
2h. Servers managed by teams that are busy with unrelated tasks at
this time.
2o. Obscure servers that are rarely touched, causing practical problems
locating the teams responsible.
2p. Anything else.
s if some hypothetical kind of wildcard
EE cert).
This of course remains applicable to all the kinds of identities
recognized and regulated by the Mozilla root program, which currently
happens to be server domain, EV organization, and e-mail address
identities.
I realize that the BR meani
On 25/03/2019 23:42, Wayne Thayer wrote:
> My general sense is that we should be doing more to discourage the use of
> SHA-1 rather than less. I've just filed an issue [1] to consider a ban on
> SHA-1 S/MIME certificates in the future.
>
> On Mon, Mar 25, 2019 at 10:54 A
l cannot be easily fixed/upgraded to remove the problem.
If there is no such problematic tool in the target environment, GRCA
could (like other CAs in the Mozilla root program) make a list of needed
specific EKU oids and include them all in their certificate template.
y issued
sequentially named new issuing CAs for these purposes at regular
intervals (perhaps annually), however this is against current Mozilla
Policy if the root is still in the Mozilla program (as an anchor for
SHA2 WebPKI or e-mail certs).
thus no one could have proven control of
that domain.
ng scheme is to collect all / most
of the issued serial numbers, extract the bit positions that are random
according to the CPS, then run statistical tests to check if they do
indeed form a plausible output from a CSRNG.
Note 4: In addition to external statistical tests, the auditor of t
e
discussion certainly has been raised by a lot of people.
such that there
will be a useful basis for discussion of whatever should or should not
be done long term, once the specific single case has been handled.
I did not wake this sleeping dog, it was barking and yanking its chain
all week.
he countries in which
Telia-Sonera is the incumbent Telco (Finland, Sweden and Åland).
This overall issue was touched repeatedly in the thread, especially
point 3 above, but the earliest I could find was in Message ID
posted on Fri, 22 Feb 2019 23:45:39 UTC by "cooperq"
On 07/
Kushner from EJBCA and a discovery that Google Trust Services was
also hit with this issue to the tune of 100K non-compliant certificates.
On 07/03/2019 18:59, Jakob Bohm wrote:
> This thread is intended to be a catalog of general issues that come/came
> up at various points in the Dark
.
Once again, no further mentions of Darkmatter in this thread are
allowed, keep those in the actual Darkmatter threads.
forum
use a completely different such text than my private e-mail
communication. As a lawyer you should be able to draft such a text
much better than my own feeble attempt.
quire
>> membership in the CA/Browser Forum should, on their face, be rejected - a
>> CA should not have to join the Forum in order to be a CA.
>>
>> I do agree, however, that the use of WHOIS data continues to show
>> problematic incidents - whether it's with OC
;opt=cablint,x509lint,zlint
Are duplicate SANs forbidden by any standard? (it's obviously
wasteful, but RFC3280 seems to implicitly allow it).
e vaults. We
really don't want to publish a hit list of whom criminal gangs
(etc.) should target with violence, kidnapping, blackmail etc.
when they want to get malicious certificates for use against high
value targets.
4. If a CA still practices the "off-site split key sec
ssuance. It's also not clear if
in-addr.arpa should even be issuable.
I would like to take a moment to thank Ben Cartwright-Cox and igloo5
in pointing out this violation.
rver software packages without upstream stapling support.
3. Don't forget Thunderbird (technically no longer a primary Mozilla
product, but still a major use of Mozilla certificate infrastructure).
On 19/02/2019 04:04, Ryan Sleevi wrote:
> On Mon, Feb 18, 2019 at 4:59 PM Jakob Bohm via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> On 14/02/2019 23:31, Wayne Thayer wrote:
>>> This may be of interest:
>>>
>>>
>
,
replacing the Mozilla root store by relying on the OS root store would
cut off its own feet.
- Some participants in the community actively refuse to support use of
the Mozilla root store in other open source initiatives.
On 15/02/2019 19:33, Ryan Sleevi wrote:
> On Fri, Feb 15, 2019 at 12:01 PM Jakob Bohm via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> Indeed, the report states that the bug was in the pre-issuance checking
>> software.
>>
>
problem in
substantial technical detail, so that we can understand how the fixes will
address, and so that the community at large can be aware of systemic risks
or patterns and ensure that, regardless of what PKI software they use, so
that the ecosystem can itself improve.
Please continue
-384.
Using the same P-384 ECDSA key pair with both SHA-384 and
SHA-3-384 might be within some readings of the FIPS, but would
still be vulnerable to the issue above (imagine a pre-image
weakness being found in either hash algorithm, all signatures
with such a key would then become suspec
procedural
delay.
As pointed out in other recent cases, CA software must allow
revoking a certificate without making it publicly valid first, in
case Scenario B happens.