Re: A-Trust Root Renewal Request

2016-02-29 Thread Christoph Klein
Maybe a "Timeline" could help here: * the customer orders the certificate * the agent gathers all the necessary information from various sources * once everything is available, another agent verifies the data (first check) * the certificate is issued / created * new second check that compares

Re: A-Trust Root Renewal Request

2016-02-29 Thread Matt Palmer
On Sun, Feb 28, 2016 at 10:40:36PM -0800, theltal...@hotmail.com wrote: > On Sunday, 28 February 2016 00:31:48 UTC+1, Matt Palmer wrote: > > On Fri, Feb 26, 2016 at 06:22:22AM -0800, Christoph Klein wrote: > > > To prevent future problems with values in the certificate fields, we have > > >

Re: Private PKIs, Re: Proposed limited exception to SHA-1 issuance

2016-02-29 Thread Phillip Hallam-Baker
On Mon, Feb 29, 2016 at 7:09 AM, Peter Gutmann wrote: > Jürgen Brauckmann writes: > >>Nice example from the consumer electronics world: Android >= 4.4 is quite >>resistant against private PKIs. You cannot import your own/your corporate >>private

Let's Encrypt Feb 29, 2016, RFC 5280 Compliance Revocations

2016-02-29 Thread josh
Peter Bowen recently created a certlint tool [1] to check certificates for CA/Browser Forum Baseline Requirements compliance. Thanks Peter! Using this tool we uncovered a number of Let's Encrypt certificates that are not compliant with RFC 5280. There were two issues: 1) Let's Encrypt was not

Re: Proposed limited exception to SHA-1 issuance

2016-02-29 Thread Gervase Markham
On 27/02/16 23:50, David E. Ross wrote: > According to Softpedia, Mozilla is the only organization that agreed to > Symantec's request. Microsoft, Google, and others are holding firm on > rejecting SHA-1 certificates. See >

Re: A-Trust Root Renewal Request

2016-02-29 Thread theltalpha
On Sunday, 28 February 2016 00:31:48 UTC+1, Matt Palmer wrote: > On Fri, Feb 26, 2016 at 06:22:22AM -0800, Christoph Klein wrote: > > To prevent future problems with values in the certificate fields, we have > > implemented another layer of cross checks after the issuing of the > > certificate. >

Re: Private PKIs, Re: Proposed limited exception to SHA-1 issuance

2016-02-29 Thread Richard Barnes
On Mon, Feb 29, 2016 at 4:18 AM, Jürgen Brauckmann wrote: > Peter Gutmann wrote: > >> Wouldn't it be easier to issue their own certs (or roll out equipment >> which >> relies on WorldPay certs), at which point they could follow their own >> policies? Their problem is

Re: Private PKIs, Re: Proposed limited exception to SHA-1 issuance

2016-02-29 Thread Jürgen Brauckmann
Peter Gutmann wrote: Jürgen Brauckmann writes: http://www.howtogeek.com/198811/ask-htg-whats-the-deal-with-androids-persistent-network-may-be-monitored-warning/ Ugh, yuck! So on the one hand we have numerous research papers showing that Android apps that blindly

Re: A-Trust Root Renewal Request

2016-02-29 Thread Christoph Klein
Yes, the new check happens after we issued the certificate to make sure that the final content of the certificate matches the data gathered and checked in the "first round", before the issuing. This will be done in addition to the checks before, not instead.

Re: Private PKIs, Re: Proposed limited exception to SHA-1 issuance

2016-02-29 Thread Hanno Böck
On Mon, 29 Feb 2016 10:18:01 +0100 Jürgen Brauckmann wrote: > Using private PKIs for such stuff isn't risk-free, as software > vendors are confused about the security properties of their root > store. Actually I also thought while reading this thread that I disagree that

RE: Private PKIs, Re: Proposed limited exception to SHA-1 issuance

2016-02-29 Thread Peter Gutmann
Jürgen Brauckmann writes: >Nice example from the consumer electronics world: Android >= 4.4 is quite >resistant against private PKIs. You cannot import your own/your corporate >private Root CAs for Openvpn- or Wifi access point security without getting >persistent, nasty,