Re: Dynamic Path Resolution in AIA CA Issuers

2014-07-30 Thread Ondrej Mikle
On 07/31/2014 01:17 AM, Ondrej Mikle wrote: > On 07/30/2014 09:17 PM, Kathleen Wilson wrote: [...] >> So, should we do this? >> Does it introduce security concerns? > > It definitely introduces non-deterministic behavior controlled by a potential > MitM attacker, in addition to being hard to debug.

Re: Dynamic Path Resolution in AIA CA Issuers

2014-07-30 Thread Ondrej Mikle
On 07/30/2014 09:17 PM, Kathleen Wilson wrote: > On 7/28/14, 11:00 AM, Brian Smith wrote: >> I suggest that, instead of including the cross-signing certificates in >> the NSS certificate database, the mozilla::pkix code should be changed >> to look up those certificates when attempting to find them

Re: Dynamic Path Resolution in AIA CA Issuers

2014-07-30 Thread David E. Ross
On 7/30/2014 12:17 PM, Kathleen Wilson wrote: > On 7/28/14, 11:00 AM, Brian Smith wrote: >> I suggest that, instead of including the cross-signing certificates in >> the NSS certificate database, the mozilla::pkix code should be changed >> to look up those certificates when attempting to find them

RE: Proposal: Advocate to get Section 9.3.1 (Reserved Certificate Policy Identifiers) made mandatory.

2014-07-30 Thread Jeremy Rowley
Per our CPS and the BR/EV requirements, we always abide by the latest version of the BRs. From Section 8.3: " [Name of CA] conforms to the current version of the CA/Browser Forum Guidelines for Issuance and Management of Extended Validation Certificates published at http://www.cabforum.org. In

Re: Removal of 1024 bit CA roots - interoperability

2014-07-30 Thread Brian Smith
On Mon, Jul 28, 2014 at 12:05 PM, Kai Engert wrote: > On Mon, 2014-07-28 at 21:02 +0200, Kai Engert wrote: >> On Mon, 2014-07-28 at 11:00 -0700, Brian Smith wrote: >> > I suggest that, instead of including the cross-signing certificates in >> > the NSS certificate database, the mozilla::pkix code

RE: GlobalSign Request to Include ECC Roots

2014-07-30 Thread Jeremy Rowley
I do not think specifying a version number is required. All CAs issuing EV certs (or SSL) are required to abide by the latest version of the guidelines and attest to that fact in their CPS using the prescribed CAB Forum language: "[Name of CA] conforms to the current version of the CA/Browser

Re: Dynamic Path Resolution in AIA CA Issuers

2014-07-30 Thread Matt Palmer
On Wed, Jul 30, 2014 at 12:17:27PM -0700, Kathleen Wilson wrote: > On 7/28/14, 11:00 AM, Brian Smith wrote: > >I suggest that, instead of including the cross-signing certificates in > >the NSS certificate database, the mozilla::pkix code should be changed > >to look up those certificates when attem

Re: Dynamic Path Resolution in AIA CA Issuers

2014-07-30 Thread Brian Smith
On Wed, Jul 30, 2014 at 12:17 PM, Kathleen Wilson wrote: > On 7/28/14, 11:00 AM, Brian Smith wrote: >> >> I suggest that, instead of including the cross-signing certificates in >> the NSS certificate database, the mozilla::pkix code should be changed >> to look up those certificates when attemptin

Dynamic Path Resolution in AIA CA Issuers

2014-07-30 Thread Kathleen Wilson
On 7/28/14, 11:00 AM, Brian Smith wrote: I suggest that, instead of including the cross-signing certificates in the NSS certificate database, the mozilla::pkix code should be changed to look up those certificates when attempting to find them through NSS fails. That way, Firefox and other products

Re: GlobalSign Request to Include ECC Roots

2014-07-30 Thread Matt Palmer
OK, let's dive into the CPS dissection game... On Tue, Jul 29, 2014 at 03:26:08PM -0700, Kathleen Wilson wrote: > ** CPS section 3.2.2.3, Extended Validation Certificates (SSL and > Code Signing): For Extended Validation Certificates, the EV > Guidelines are followed. I'm new to this, so perhaps