On Friday, June 17, 2016 at 3:17:28 PM UTC+3, Jakob Bohm wrote:
> The trick here is that the random value cannot be predicted by the
> MITM, yet the server can generate it trivially without knowing the
> dynamic page elements. Also the HTML compatibility rules make the page
> show normally in brow
Peter is right, but the problem is similar to what's in the Identrust thread
mentioned by Richard. "Cross-certifying a subordinated CA has been standard
practice by not only IdenTrust, but other large CAs such as Symantec for more
than a decade ..."
Trouble is, I can't tell by looking at http
DigiCert didn't cross-sign the Federal PKI with their Mozilla trusted CAs.
I'm sure Ben will tell me I have my terminology wrong, but DigiCert
basically operates two PKIs:
- DigiCert Public WebPKI
- DigiCert Shared FederatedPKI
The first is a set of CAs that are in the Mozilla program and CAs
sig
Fed Root (not trusted) signs DigiCert Fed CA (not trusted)
A third CA (trusted) signs Fed Root (now trusted)
DigiCert Fed CA is all of a sudden trusted, but not through DigiCert. This CA now
shows up on the list although it wasn't DigiCert who signed it.
From: Eric Mill [mailto:e...@konklone.com
Peter, I think I get what you're saying about this being a different
category of cross-sign, but could you spell out explicitly how this differs
from e.g. the Identrust cross-sign issue that Richard linked to?
-- Eric
On Thu, Jun 23, 2016 at 4:39 PM, Ben Wilson wrote:
> That's correct.
>
>
Given that is correct, I would say it is not DigiCert's responsibility
to disclose to Mozilla. Rather it is your responsibility to disclose
to Federal PKI, and they need to disclose to whoever subordinated them
from a Mozilla root.
That's correct.
-Original Message-
From: Peter Bowen [mailto:pzbo...@gmail.com]
Sent: Thursday, June 23, 2016 2:39 PM
To: Ben Wilson
Cc: Eric Mill ; Kurt Roeckx ; Richard Barnes
; Jeremy Rowley ; Steve
; mozilla-dev-security-pol...@lists.mozilla.org;
Kathleen Wilson ; Rob Stradling
S
On Thu, Jun 23, 2016 at 11:45 AM, Ben Wilson wrote:
> Another issue that needs to be resolved involves the Federal Bridge CA 2013
> (“Federal Bridge”). When a publicly trusted sub CA cross-certifies the
> Federal Bridge, then all of the CAs cross-certified by the Federal Bridge
> are trusted.
Another issue that needs to be resolved involves the Federal Bridge CA 2013
(“Federal Bridge”). When a publicly trusted sub CA cross-certifies the Federal
Bridge, then all of the CAs cross-certified by the Federal Bridge are trusted.
The chart (https://crt.sh/mozilla-disclosures) then captur
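The mechanism the thread keeps circling (a trusted CA signs an otherwise untrusted root or the Federal Bridge, and every CA reachable from it becomes trusted, whether or not the signing CA meant that) is a consequence of how path builders work: they chain on names, not on intent. The following toy model is an added illustration, not code from DigiCert, Mozilla, crt.sh or anyone in the thread. All names ("Public Root", "Fed Root", "Federal Bridge", "Agency A CA", and so on) are invented, the certificates are just (subject, issuer) pairs, and signatures, validity, name and policy constraints are deliberately ignored so that the naming graph alone is visible. The `newly_trusted` function computes the set of CAs that one cross-certificate pulls into the public trust set, which is exactly the set a disclosure chart has to capture.

```python
"""Toy X.509 path building over a subject/issuer name graph.

Constructed example: shows why one cross-certificate issued by a publicly
trusted sub CA makes an entire foreign hierarchy (root, bridge, and every CA
the bridge has cross-certified) chain to the public trust store.
"""
from collections import deque


class Cert:
    """Minimal stand-in for a certificate: only the names matter in this model."""

    def __init__(self, subject, issuer):
        self.subject = subject
        self.issuer = issuer

    def __repr__(self):
        return f"Cert({self.subject!r} <- {self.issuer!r})"


def trusted_ca_names(certs, anchors):
    """Every CA name reachable from the anchors by following issuer -> subject
    edges. Anchors are matched by name, so the builder does not care which
    organisation operates the CA that did the signing."""
    issued_by = {}
    for c in certs:
        issued_by.setdefault(c.issuer, set()).add(c.subject)
    reached = set(anchors)
    queue = deque(anchors)
    while queue:
        for subject in issued_by.get(queue.popleft(), ()):
            if subject not in reached:
                reached.add(subject)
                queue.append(subject)
    return reached


def build_path(leaf, certs, anchors):
    """Depth-first path builder. Returns [leaf, ..., cert issued by an anchor]
    or None. Self-issued certificates are skipped as intermediates, as a real
    builder would (they only matter as roots)."""
    by_subject = {}
    for c in certs:
        if c.subject != c.issuer:
            by_subject.setdefault(c.subject, []).append(c)

    def walk(chain, seen):
        top = chain[-1]
        if top.issuer in anchors:
            return chain
        for cand in by_subject.get(top.issuer, []):
            key = (cand.subject, cand.issuer)
            if key not in seen:  # loop guard for mutual cross-certs
                found = walk(chain + [cand], seen | {key})
                if found:
                    return found
        return None

    return walk([leaf], set())


def newly_trusted(certs, anchors, cross_cert):
    """CA names that become reachable only because cross_cert exists: the set
    the issuing CA would have to disclose when it signs such a certificate."""
    before = trusted_ca_names(certs, anchors)
    after = trusted_ca_names(certs + [cross_cert], anchors)
    return after - before


# Constructed data; the names only echo the roles discussed in the thread.
ANCHORS = {"Public Root"}                   # the sole root in the toy browser store
PUBLIC = [Cert("Public Sub CA", "Public Root")]
FEDERAL = [
    Cert("Fed CA", "Fed Root"),             # Fed Root is not in the store
    Cert("Federal Bridge", "Fed Root"),     # bridge cross-certified by Fed Root
    Cert("Agency A CA", "Federal Bridge"),  # bridge cross-certifies other CAs
    Cert("Agency B CA", "Federal Bridge"),
]
LEAF = Cert("www.example.gov", "Fed CA")    # end-entity under the federal CA
POOL = PUBLIC + FEDERAL

# The cross-certificate at issue: a publicly trusted sub CA signs Fed Root.
CROSS = Cert("Fed Root", "Public Sub CA")

if __name__ == "__main__":
    print("path before cross-sign:", build_path(LEAF, POOL, ANCHORS))
    print("path after cross-sign: ", build_path(LEAF, POOL + [CROSS], ANCHORS))
    print("CAs pulled into trust: ", sorted(newly_trusted(POOL, ANCHORS, CROSS)))
```

Before `CROSS` exists, no path from the leaf reaches "Public Root". Once it does, the leaf chains through "Fed CA" and "Fed Root" to the public sub CA, and `newly_trusted` reports five CAs (the federal root, its CA, the bridge, and both agency CAs) that none of the parties in the public hierarchy ever audited or disclosed. That is the transitive effect Ben describes for the Federal Bridge: the bridge's own cross-certificates carry the trust onward.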