On Saturday, 5 November 2016 15:56:39 UTC, Peter Bowen wrote:
> Is this a problem? Maybe. We know about the risks of pivoting, but if
> browsers disable SHA-1 that risk goes away.
The risk exists so long as anything trusts SHA-1 signatures. Disabling SHA-1 in
current versions of browsers
On Sunday, November 6, 2016 at 12:11:43 AM UTC+2, Ryan Sleevi wrote:
> Can you tell me where that clause indicates that they should use the Alexa
> Top 1 million to consider a request "High Risk"?
It doesn't, "High risk" is left for the CA's interpretation. But after the fact
you can say that
On Saturday, November 5, 2016 at 2:54:05 PM UTC-7, Itzhak Daniel wrote:
> (to my understanding) They did violate a "SHALL" guideline:
>
> "The CA SHALL develop, maintain, and implement documented procedures that
> identify and require additional verification activity for High Risk
> Certificate
On Friday, November 4, 2016 at 12:18:40 PM UTC+2, Gervase Markham wrote:
> ... But because WoSign had done the appropriate domain control checks,
> we did not consider this a mistake by WoSign.
(to my understanding) They did violate a "SHALL" guideline:
"The CA SHALL develop, maintain, and
On Friday, November 4, 2016 at 5:32:23 AM UTC-7, Hanno Böck wrote:
> Hi,
>
> Great to see Mozilla committing to CT.
>
> On Fri, 4 Nov 2016 12:19:32 +
> Gervase Markham wrote:
>
> > So, please add comments with additional _questions_ you think the
> > policy will need to
On Saturday, November 5, 2016 at 10:59:04 AM UTC-7, Tom Ritter wrote:
> > * Are there any CT-related services Mozilla should consider running or
> > supporting, for the good of the ecosystem?
>
> Part answer, part question, but I don't want to forget it: Besides an
> Auditor, perhaps Mozilla
On 4 November 2016 at 07:19, Gervase Markham wrote:
> * Are there any CT-related services Mozilla should consider running or
> supporting, for the good of the ecosystem?
Part answer, part question, but I don't want to forget it: Besides an
Auditor, perhaps Mozilla should run a
> On Nov 5, 2016, at 6:49 AM, Ryan Sleevi wrote:
>
> On Saturday, November 5, 2016 at 2:06:00 AM UTC-7, Gervase Markham wrote:
>> On 04/11/16 21:23, Ryan Sleevi wrote:
>>> If there's concerns about GAs - would it be best to reply on this thread or
>>> start a new one per-CA?
On Saturday, November 5, 2016 at 2:06:00 AM UTC-7, Gervase Markham wrote:
> On 04/11/16 21:23, Ryan Sleevi wrote:
> > If there's concerns about GAs - would it be best to reply on this thread or
> > start a new one per-CA?
>
> If there's more than one CA, perhaps a new one per CA would be better,
This looks like a very accurate representation of the data protection European
regulations. I have the same view.
Not so easy to implement but if it is implemented correctly, I think very few
people will disagree with the essence of this regulation.
Dimitris.
--
Sent from my mobile device.
On Friday, 4 November 2016 19:37:07 UTC, Jeremy Rowley wrote:
> We also like the public disclosures CT requires as its been essential in
> identifying issuing CAs and non-compliances. That's probably not a surprise
> as we've always strongly supported CT. I do see the need for name redaction
On Sat, Nov 05, 2016 at 09:09:49AM +, Gervase Markham wrote:
> > If they had sent an incident report to Mozilla I would agree, but I do
> > not think that CAs should be credited for noticing mistakes when they
> > try to sweep them under the rug. This is particularly true in the case
> > of
On 04/11/16 23:51, Andrew Ayer wrote:
> The March 2016 CA communication said[1]:
>
> "It has been pointed out in the mozilla.dev.security.policy forum that
> a chosen-prefix attack on SHA-1 could be used to forge a certificate if
> a CA's private key is used to sign *anything* with SHA-1."
>
>
On 04/11/16 21:23, Ryan Sleevi wrote:
> If there's concerns about GAs - would it be best to reply on this thread or
> start a new one per-CA?
If there's more than one CA, perhaps a new one per CA would be better,
please.
Note that marking an issuance as "GA" doesn't mean it might not be added
Hey list,
Here are some suggestions:
Should we define log algorithm/key requirements (hashing algorithms (relevant
with RFC6962-bis), asymmetric key type and length)?
Should we define a maximum threshold on log response delay to queries? (e.g. is
it acceptable for a log to answer to queries
15 matches
Mail list logo