Re: SHA-1 issuances in 2016 That Chain to Mozilla Roots

On Saturday, 5 November 2016 15:56:39 UTC, Peter Bowen wrote: > Is this a problem? Maybe. We know about the risks of pivoting, but if > browsers disable SHA-1 that risk goes away. The risk exists so long as anything trusts SHA-1 signatures. Disabling SHA-1 in current versions of browsers

Re: Cerificate Concern about Cloudflare's DNS

On Sunday, November 6, 2016 at 12:11:43 AM UTC+2, Ryan Sleevi wrote: > Can you tell me where that clause indicates that they should use the Alexa > Top 1 million to consider a request "High Risk"? It doesn't, "High risk" is left for the CA's interpretation. But after the fact you can say that

Re: Cerificate Concern about Cloudflare's DNS

On Saturday, November 5, 2016 at 2:54:05 PM UTC-7, Itzhak Daniel wrote: > (to my understanding) They did violate a "SHALL" guideline: > > "The CA SHALL develop, maintain, and implement documented procedures that > identify and require additional verification activity for High Risk > Certificate

Re: Cerificate Concern about Cloudflare's DNS

On Friday, November 4, 2016 at 12:18:40 PM UTC+2, Gervase Markham wrote: > ... But because WoSign had done the appropriate domain control checks, > we did not consider this a mistake by WoSign. (to my understanding) They did violate a "SHALL" guideline: "The CA SHALL develop, maintain, and

Re: Mozilla CT Policy

On Friday, November 4, 2016 at 5:32:23 AM UTC-7, Hanno Böck wrote: > Hi, > > Great to see Mozilla committing to CT. > > On Fri, 4 Nov 2016 12:19:32 + > Gervase Markham wrote: > > > So, please add comments with additional _questions_ you think the > > policy will need to

Re: Mozilla CT Policy

On Saturday, November 5, 2016 at 10:59:04 AM UTC-7, Tom Ritter wrote: > > * Are there any CT-related services Mozilla should consider running or > > supporting, for the good of the ecosystem? > > Part answer, part question, but I don't want to forget it: Besides an > Auditor, perhaps Mozilla

Re: Mozilla CT Policy

On 4 November 2016 at 07:19, Gervase Markham wrote: > * Are there any CT-related services Mozilla should consider running or > supporting, for the good of the ecosystem? Part answer, part question, but I don't want to forget it: Besides an Auditor, perhaps Mozilla should run a

Re: SHA-1 issuances in 2016 That Chain to Mozilla Roots

> On Nov 5, 2016, at 6:49 AM, Ryan Sleevi wrote: > > On Saturday, November 5, 2016 at 2:06:00 AM UTC-7, Gervase Markham wrote: >> On 04/11/16 21:23, Ryan Sleevi wrote: >>> If there's concerns about GAs - would it be best to reply on this thread or >>> start a new one per-CA?

Re: SHA-1 issuances in 2016 That Chain to Mozilla Roots

On Saturday, November 5, 2016 at 2:06:00 AM UTC-7, Gervase Markham wrote: > On 04/11/16 21:23, Ryan Sleevi wrote: > > If there's concerns about GAs - would it be best to reply on this thread or > > start a new one per-CA? > > If there's more than one CA, perhaps a new one per CA would be better,

Re: Update on transition of the Verizon roots and issuance of SHA1 certificates

This looks like a very accurate representation of the data protection European regulations. I have the same view. Not so easy to implement but if it is implemented correctly, I think very few people will disagree with the essence of this regulation. Dimitris. -- Sent from my mobile device.

Re: Update on transition of the Verizon roots and issuance of SHA1 certificates

On Friday, 4 November 2016 19:37:07 UTC, Jeremy Rowley wrote: > We also like the public disclosures CT requires as its been essential in > identifying issuing CAs and non-compliances. That's probably not a surprise > as we've always strongly supported CT. I do see the need for name redaction

Re: New SHA-1 certificates issued in 2016

On Sat, Nov 05, 2016 at 09:09:49AM +, Gervase Markham wrote: > > If they had sent an incident report to Mozilla I would agree, but I do > > not think that CAs should be credited for noticing mistakes when they > > try to sweep them under the rug. This is particularly true in the case > > of

Re: New SHA-1 certificates issued in 2016

On 04/11/16 23:51, Andrew Ayer wrote: > The March 2016 CA communication said[1]: > > "It has been pointed out in the mozilla.dev.security.policy forum that > a chosen-prefix attack on SHA-1 could be used to forge a certificate if > a CA's private key is used to sign *anything* with SHA-1." > >

Re: SHA-1 issuances in 2016 That Chain to Mozilla Roots

On 04/11/16 21:23, Ryan Sleevi wrote: > If there's concerns about GAs - would it be best to reply on this thread or > start a new one per-CA? If there's more than one CA, perhaps a new one per CA would be better, please. Note that marking an issuance as "GA" doesn't mean it might not be added

Re: Mozilla CT Policy

Hey list, Here are some suggestions: Should we define log algorithm/key requirements (hashing algorithms (relevant with RFC6962-bis), asymmetric key type and length)? Should we define a maximum threshold on log response delay to queries? (e.g. is it acceptable for a log to answer to queries