Re: Mozilla's Expectations for OCSP Incident Reporting
Browsers by default just ignore any OCSP error. So while the browser might have seen an error getting the OCSP reply, the user is not aware of it. And why do browsers ignore OCSP errors? Because some CAs don't take OCSP errors seriously. So yes, it has an impact: it comforts browsers in that situation, which is less than ideal, because it impacts the security of *all* users.

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: Possible violation of CAA by nazwa.pl
> The party actually running the authoritative DNS servers is in control of the domain.

I'm not sure I agree. They can control the domain, but they are supposed to be subordinate to the domain owner. If they did something without the owner's consent/approval, it really looks like a domain hijacking.

> I'm not suggesting that the CA did anything untoward in issuing this
> certificate. I am not suggesting that at all.

My opinion is that if the CA was aware that the owner didn't ask/consent to that issuance, If it's not a misissuance according to the BRs, it should be.
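The disagreement above turns on what a CA actually consults: the CAA RRset served by the authoritative DNS servers for the name or its closest parent. The following is an added example (not from this thread or from any CA's code) that implements the RFC 8659 CAA lookup and issue/issuewild evaluation against a constructed in-memory zone; the zone contents and the CA identifiers are made up for illustration.

```python
"""CAA evaluation per RFC 8659 sections 3 and 4, run against a constructed
in-memory zone instead of live DNS (added example, not from the thread)."""
from typing import Optional

# Constructed zone: FQDN -> list of (flags, tag, value) CAA records.
# An empty list models a name that exists but has no CAA RRset.
ZONE = {
    "example.com.": [(0, "issue", "ca-one.example"), (0, "issuewild", ";")],
    "sub.example.com.": [],
}

def parents(fqdn: str):
    """Yield fqdn, then each parent label-by-label, excluding the root."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."

def relevant_caa(fqdn: str, zone=ZONE) -> Optional[list]:
    """Relevant RRset: the first non-empty CAA set found walking towards the root."""
    for name in parents(fqdn):
        rrset = zone.get(name)
        if rrset:
            return rrset
    return None  # no CAA anywhere in the tree: CAA places no restriction

def ca_domain(value: str) -> str:
    """Issuer domain from an issue/issuewild value; ';'-separated parameters dropped."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(fqdn: str, ca: str, wildcard: bool = False, zone=ZONE) -> bool:
    """True if the CA identified by `ca` may issue for fqdn (or *.fqdn)."""
    rrset = relevant_caa(fqdn, zone)
    if rrset is None:
        return True
    # A record with the critical flag (0x80) and an unrecognised tag forbids issuance.
    if any(flags & 0x80 and tag not in ("issue", "issuewild", "iodef")
           for flags, tag, _ in rrset):
        return False
    issue = [ca_domain(v) for _, t, v in rrset if t == "issue"]
    issuewild = [ca_domain(v) for _, t, v in rrset if t == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    if wildcard and issuewild:
        applicable = issuewild
    elif issue:
        applicable = issue
    else:
        return True  # CAA present but no property restricts this kind of issuance
    # "issue ;" yields an empty domain, which never matches: all CAs are refused.
    return ca.lower() in applicable
```

Because the DNS operator serves these records, whoever controls the authoritative servers can change what `relevant_caa` returns, which is exactly why the check alone cannot tell a CA whether the registrant consented.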
Submission to ct-logs of the final certificate when there is already a pre-certificate
Following the discussion on https://community.letsencrypt.org/t/non-logging-of-final-certificates/58394, what is the position of Mozilla about the submission to ct-logs of the final certificate when there is already a pre-certificate? As it helps discover bugs (https://twitter.com/_quirins/status/979788044994834434), helps the accountability of CAs, and is easily enforceable, I feel that it should be mandatory.