FYI - still looking into this. I should have a report tomorrow.
-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+jeremy.rowley=digicert@lists.mozilla.org]
On Behalf Of Jeremy Rowley via dev-security-policy
Sent: Wednesday, April 19, 2017 2:27 PM
To:
On Wed, Apr 19, 2017 at 09:00:22PM -0400, Ryan Sleevi wrote:
> On Wed, Apr 19, 2017 at 7:53 PM, Kurt Roeckx via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
> >
> > (It was a code sign certificate, but I expect if it's labeled EV
> > that the same things apply.)
> >
>
>
On Wed, Apr 19, 2017 at 11:58:28PM +, Jeremy Rowley wrote:
> That was changed in ballot 127.
Which is adopted in July 2014. This was somewhere in 2016.
As I understood it, they didn't ask for the HR department, just
someone else. That might of course be a misunderstanding of what
was asked,
On Wed, Apr 19, 2017 at 7:53 PM, Kurt Roeckx via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> (It was a code sign certificate, but I expect if it's labeled EV
> that the same things apply.)
>
Not necessarily. A separate set of guidelines cover those -
That was changed in ballot 127.
-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla
.org] On Behalf Of Kurt Roeckx via dev-security-policy
Sent: Wednesday, April 19, 2017 5:54 PM
To: Peter Gutmann
On Wed, Apr 19, 2017 at 10:41:33PM +, Peter Gutmann via dev-security-policy
wrote:
> Kurt Roeckx via dev-security-policy
> writes:
>
> >Both the localityName and stateOrProvinceName are Almere, while the province
> >is Flevoland.
>
> How much
I probably need some additional information to see if my partners can
effectively share PHI at LOA 3 and I don't want to burden the list on whether
the healthcare use cases defined by the Federal Health Architecture are covered
by ACES 2017 Jan policy. It's very important that the community
On Wed, Apr 19, 2017 at 6:41 PM, Peter Gutmann via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Kurt Roeckx via dev-security-policy
> writes:
>
> >Both the localityName and stateOrProvinceName are Almere, while the
> province
> >is
Kurt Roeckx via dev-security-policy
writes:
>Both the localityName and stateOrProvinceName are Almere, while the province
>is Flevoland.
How much checking is a CA expected to do here? I know that OV and DV certs
are just "someone at this site responded
I hope you could investigate it even further as this might be just the
beginning.
I just did a random quick lookup so far. And I guess there are over a thousand
or more Digicert certificates issued for Dutch websites and companies.
Does this mean the validation process is lacking proper
I’m looking into it right now. I’ll report back shortly.
Jeremy
From: Ryan Sleevi [mailto:r...@sleevi.com]
Sent: Wednesday, April 19, 2017 2:25 PM
To: Mike vd Ent
Cc: mozilla-dev-security-policy
; Jeremy Rowley
On Wed, Apr 19, 2017 at 3:47 PM, Mike vd Ent via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Ryan,
>
> My answers on the particular issues are stated inline.
> But the thing I want to address is how could (in this case Digicert)
> validate such data and issues
Ryan,
My answers on the particular issues are stated inline.
But the thing I want to address is how could (in this case Digicert) validate
such data and issues certificates? I am investigating more of them and am afraid
even linked company names or registration numbers could be false. Shouldn't
On Wed, Apr 19, 2017 at 12:28:16PM -0700, Ryan Sleevi via dev-security-policy
wrote:
> > https://portal.mobilitymixx.nl
>
> I'm not sure I understand enough to know what the issues are here. Could you
> explain?
Both the localityName and stateOrProvinceName are Almere, while
the province is
I found out that often the OV or EV validation of CAs is lacking and
concerning the baseline requirements data submitted for a TLS certificate
should be valid and thus validated. So when a country is Amsterdam, that should
fail or a city Utrecht is placed in the province Zuid-Holland, that
IdenTrust operates an issuing CA for the US Federal Government - General
Services Administration - Access Certificates for Electronic Services Program
(ACES). It is a government sponsored PKI program separate from the Non-Federal
issuer programs under the Federal Bridge.
ACES certificates are
On 15/04/17 17:05, Peter Bowen via dev-security-policy wrote:
On Thu, Apr 13, 2017 at 9:33 AM, douglas.beattie--- via
dev-security-policy wrote:
On Thursday, April 13, 2017 at 10:49:17 AM UTC-4, Gervase Markham wrote:
On 13/04/17 14:23, Doug Beattie
17 matches