Re: Anomalous Certificate Issuances based on historic CAA records

2017-11-29 Thread Ben Laurie via dev-security-policy
On 29 November 2017 at 22:33, Paul Wouters <p...@nohats.ca> wrote: > > > > On Nov 29, 2017, at 17:00, Ben Laurie via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > > This whole conversation makes me wonder if CAA Transparency sh

Re: Anomalous Certificate Issuances based on historic CAA records

2017-11-29 Thread Ben Laurie via dev-security-policy
This whole conversation makes me wonder if CAA Transparency should be a thing. On 29 November 2017 at 20:44, Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > The Thawte records aren't showing any CAA record preventing wildcards > either. > > Here's the

Re: GoDaddy Revocation Disclosure

2018-08-18 Thread Ben Laurie via dev-security-policy
On Fri, 17 Aug 2018 at 18:22, Daymion Reynolds via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Revoke Disclosure > > GoDaddy has been proactively performing self-audits. As part of this > process, we identified a vulnerability in our code that would allow our >

Re: How do you handle mass revocation requests?

2018-03-01 Thread Ben Laurie via dev-security-policy
On 28 February 2018 at 19:40, Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > The end user agreed to the subscriber agreement, not Trustico. Our > analysis follows what Peter B. posted – the subscriber is the “natural > person or Legal Entity to whom a

Re: How do you handle mass revocation requests?

2018-03-01 Thread Ben Laurie via dev-security-policy
On 28 February 2018 at 21:37, Nick Lamb via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Wed, 28 Feb 2018 20:03:51 + > Jeremy Rowley via dev-security-policy > wrote: > > > The keys were emailed to me. I'm trying to get a

Re: Violation report - Comodo CA certificates revocation delays

2018-10-12 Thread Ben Laurie via dev-security-policy
On Fri, 12 Oct 2018 at 16:41, Ryan Sleevi wrote: > > > On Fri, Oct 12, 2018 at 8:33 AM Ben Laurie wrote: > >> >> >> On Fri, 12 Oct 2018 at 03:16, Ryan Sleevi via dev-security-policy < >> dev-security-policy@lists.mozilla.org> wrote: >> >>> I believe that may be misunderstanding the concern. >>>

Re: Violation report - Comodo CA certificates revocation delays

2018-10-18 Thread Ben Laurie via dev-security-policy
On Fri, 12 Oct 2018 at 19:01, Rob Stradling wrote: > On 12/10/18 16:40, Ryan Sleevi via dev-security-policy wrote: > > On Fri, Oct 12, 2018 at 8:33 AM Ben Laurie wrote: > > >> This is one of the reasons we also need revocation transparency. > > > > As tempting as the buzzword is, and as much

Re: Violation report - Comodo CA certificates revocation delays

2018-10-12 Thread Ben Laurie via dev-security-policy
On Fri, 12 Oct 2018 at 03:16, Ryan Sleevi via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I believe that may be misunderstanding the concern. > > Once these certificates expire, there's not a good way to check whether or > not they were revoked, because such revocation

Re: Violation report - Comodo CA certificates revocation delays

2018-10-12 Thread Ben Laurie via dev-security-policy
On Fri, 12 Oct 2018 at 13:54, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 12/10/2018 14:33, Ben Laurie wrote: > > On Fri, 12 Oct 2018 at 03:16, Ryan Sleevi via dev-security-policy < > > dev-security-policy@lists.mozilla.org> wrote: > > > >> I believe

Re: Violation report - Comodo CA certificates revocation delays

2018-10-19 Thread Ben Laurie via dev-security-policy
On Fri, 19 Oct 2018 at 10:38, Rob Stradling wrote: > On 18/10/2018 22:55, Ben Laurie wrote: > > On Fri, 12 Oct 2018 at 19:01, Rob Stradling wrote: > > > > On 12/10/18 16:40, Ryan Sleevi via dev-security-policy wrote: > > > On Fri, Oct 12, 2018 at 8:33 AM Ben Laurie >

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Ben Laurie via dev-security-policy
On Fri, 16 Aug 2019 at 14:31, Doug Beattie via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > DB: Yes, that's true. I was saying that phishing sites don't use EV, not > that EV sites don't get phished Surely this shows that EV is not needed to make phishing work, not that

Re: [FORGED] Re: How Certificates are Verified by Firefox

2019-12-09 Thread Ben Laurie via dev-security-policy
te: > >> >> >> On Thu, 28 Nov 2019 at 20:22, Peter Gutmann >> wrote: >> >>> Ben Laurie via dev-security-policy < >>> dev-security-policy@lists.mozilla.org> writes: >>> >>> >In short: caching considered harmful. >>

Re: [FORGED] Re: How Certificates are Verified by Firefox

2019-12-09 Thread Ben Laurie via dev-security-policy
e further dismayed to learn that Firefox will soon implement >> > intermediate preloading [1] as a privacy-preserving alternative to AIA >> chasing. >> > >> > - Wayne >> > >> > [1] >> > >> >> https://wiki.mozilla.org/Security/Cr

Re: [FORGED] Re: How Certificates are Verified by Firefox

2019-11-28 Thread Ben Laurie via dev-security-policy
On Thu, 28 Nov 2019 at 20:22, Peter Gutmann wrote: > Ben Laurie via dev-security-policy > writes: > > >In short: caching considered harmful. > > Or "cacheing considered necessary to make things work"? If you happen to visit a bazillion sites a day. >

Re: How Certificates are Verified by Firefox

2019-11-28 Thread Ben Laurie via dev-security-policy
One of the things that was quite annoying when developing CT was browser behaviour wrt intermediates - caching them and filling in missing ones means that failure to present correct cert chains is common behaviour. Which means that anything that _doesn't_ see a lot of certs has quite a low chance