Re: [Acme] Proposed ACME Charter Language

2015-05-14 Thread Peter Eckersley
until after Let's Encrypt has launched (IIRC that was the consensus in Dallas, too). And in the pre-launch period, a bug tracker is the most efficient and practical way for us to keep track of things that we absolutely need to fix/diverge from the draft spec on. -- Peter Eckersley

[Acme] Content-Type and file extensions for HTTP01 challenges

2015-11-12 Thread Peter Eckersley
-dropping protection without making manual authentication a pain? Or are the two inherently the same thing? -- Peter Eckersley p...@eff.org Chief Computer Scientist Tel +1 415 436 9333 x131 Electronic Frontier Foundation Fax +1 415 436 9993

Re: [Acme] Content-Type and file extensions for HTTP01 challenges

2015-11-12 Thread Peter Eckersley
I should have added another option, 3b, drop the Content-Type restriction but allow file extensions. Sounds like that would be a win on IIS. On Thu, Nov 12, 2015 at 05:05:53PM -0800, Martin Thomson wrote: > On 12 November 2015 at 16:44, Peter Eckersley <p...@eff.org> wrote: > > Bu

Re: [Acme] ACME vulnerabilities in SimpleHTTP and DVSNI due to common webservers' default virtual host semantics

2015-09-23 Thread Peter Eckersley
nitely include it in any breaking change we're making to DVSNI, rather than waiting to see if we need to make another breaking change shortly down the road.

Re: [Acme] ACME vulnerabilities in SimpleHTTP and DVSNI due to common webservers' default virtual host semantics

2015-09-23 Thread Peter Eckersley
rve such a > redirect if an HTTPS virtual host for that hostname was configured.

Re: [Acme] Server on >= 1024 port

2015-12-02 Thread Peter Eckersley
ng the protocol support this use case for CAs that want to offer it?

Re: [Acme] Server on >= 1024 port

2015-12-02 Thread Peter Eckersley
l] Are there any typical hosting environments in which such executables can bind to port 666, while being unable to tear down and replace the service that's bound to 443? What are they?

Re: [Acme] Support for domains with redundant but not immediately synchronized servers

2015-12-04 Thread Peter Eckersley

Re: [Acme] ACME vulnerabilities in SimpleHTTP due to common webservers' default virtual host semantics

2016-01-08 Thread Peter Eckersley
ate the vulnerability, but allow verifying > HTTPS-only sites with http-01. That's pretty corner case-y behaviour for a very specialised use case (server *must* have port 80 firewalled, and cannot possibly perform a graceful server reload). Are there other voices in favour of special casi

Re: [Acme] ACME vulnerabilities in SimpleHTTP due to common webservers' default virtual host semantics

2016-01-08 Thread Peter Eckersley
On Sat, Jan 09, 2016 at 12:56:49AM +0100, Peter Wu wrote: > On Fri, Jan 08, 2016 at 10:23:25AM -0800, Peter Eckersley wrote: > > On Fri, Jan 08, 2016 at 06:27:09PM +0100, Peter Wu wrote: > > > > > Peter (Eckersley), you reported this concern with the premise t

Re: [Acme] ACME vulnerabilities in SimpleHTTP due to common webservers' default virtual host semantics

2016-01-08 Thread Peter Eckersley
On Fri, Jan 08, 2016 at 06:27:09PM +0100, Peter Wu wrote: > Peter (Eckersley), you reported this concern with the premise that it is > a common configuration mistake that impacts many hosting providers. Do > you have scans backing up that concern? Websites that are managed by a > s

Re: [Acme] Remove "Proof of possession" challenge?

2015-12-28 Thread Peter Eckersley
> cert to prove that they hold the corresponding private key? > > If not, maybe we can streamline the spec by removing that challenge > type. It can always get re-added in a future spec if there turns out > to be a need. > > --Richard

Re: [Acme] Issue: Allow ports other than 443

2015-11-25 Thread Peter Eckersley
IT security > > departments. > > > > randy > > -- > > Best regards, > Kathleen &

Re: [Acme] Issue: Allow ports other than 443

2015-11-23 Thread Peter Eckersley

Re: [Acme] CAA account key binding PR

2016-02-26 Thread Peter Eckersley
ey > thumbprints. Did you have something else in mind? > > Hugo Landau > > On Fri, Feb 26, 2016 at 05:21:53PM -0800, Peter Eckersley wrote: > > If we're going to do account key binding, we should try to do it with > > cryptographically authenticated protocols. CAA + DNS

Re: [Acme] Alignment with Changes to the CABForum Domain Validation Requirements

2016-02-25 Thread Peter Eckersley
//cabforum.org/pipermail/validation/2016-February/000210.html > > -- > J.C. Jones

Re: [Acme] tls-sni-01 validation compromise

2016-01-22 Thread Peter Eckersley
cket starts listening. If nobody has deployed mid-handshake cert generation, we can be a bit more gradual with the tls-sni-01 deprecation schedule.

Re: [Acme] Preconditions

2016-07-08 Thread Peter Eckersley
a bit of warning I might have been able to put that together for this deadline.

Re: [Acme] Preconditions

2016-07-07 Thread Peter Eckersley
flows. Or perhaps both: aim to allow existing clients to get wildcards (if they can request authz for them and solve a new challenge type) and add /submit-csr as an endpoint that makes it easier to get through the existing flow in an efficient way. -- Peter Eckersley

Re: [Acme] HPKP in ACME

2017-03-03 Thread Peter Eckersley
o their language's HTTP library. I'm agnostic about whether the wording should be struck from the draft or changed to be "clients SHOULD support HTTP public key pinning if the libraries they depend on can provide it".

Re: [Acme] Fixing the TLS-SNI challenge type

2018-01-11 Thread Peter Eckersley
ucture/49996 > > [1] > > https://community.letsencrypt.org/t/2018-01-11-update-regarding-acme-tls-sni-and-shared-hosting-infrastructure/50188 > > [2] > > https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg08984.html