I definitely consider increased visibility into the vast iceberg that is
the public PKI to be a good thing!
What set of intermediates are you using? If it's reasonably complete, I
doubt we'll do any better than you, though maybe someone here has a
particularly clever technique for processing
On Thu, Jun 22, 2017 at 3:53 PM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On 22/06/2017 15:02, Ryan Sleevi wrote:
> > On Thu, Jun 22, 2017 at 1:59 PM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> >
> > (Snip
I think you're right, it was probably me submitting my corpus - I hope
that's a good thing! :-)
I only submitted the ones I could verify, would you be interested in the
others? Many are clearly not interesting, but others seem like they may be
interesting if I had an intermediate I haven't seen.
On Thursday, June 22, 2017 at 6:29:17 AM UTC-5, Jakob Bohm wrote:
> The most obvious concern to me is random web servers, possibly through
> hidden web elements (such as script tags) gaining access to anything
> outside the Browser's sandbox without clear and separate user
> action. For example,
On 22/06/2017 15:02, Ryan Sleevi wrote:
On Thu, Jun 22, 2017 at 1:59 PM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> (Snip long repeat of the same opinion)
You seem to argue:
- Because the recent research on efficient central CRL distribution was
One of my hobbies is keeping track of publicly trusted (by any of the major
root programs) CAs, for which there are no logged certificates. There's
over 1000 of these. In the last day, presumably as a result of these
efforts, 50-100 CAs were removed from the list.
Cheers,
Alex
On Thu, Jun 22,
On Thu, Jun 22, 2017 at 1:59 PM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Please note that Apache and NGINX are by far not the only TLS servers
> that will need working OCSP stapling code before must-staple can become
> default or the only method checked
On 21/06/17 16:58, Doug Beattie wrote:
>> It's worth noting that if we had discovered this situation for SSL - that an
>> unconstrained intermediate or uncontrolled power of issuance had been
>> given to a company with no audit - we would be requiring the intermediate
>> be revoked today, and
On 21/06/2017 19:40, Matthew Hardeman wrote:
Hi all,
I'm sure questions of certificates leaked to the public via GitHub and other
file sharing / code sharing / deployment repository hosting and sharing sites
have come up before, but last night I spent a couple of hours constructing
various
On 21/06/2017 22:01, andrewm@gmail.com wrote:
On Wednesday, June 21, 2017 at 1:35:13 PM UTC-5, Matthew Hardeman wrote:
Regarding localhost access, you are presently incorrect. The browsers do not
allow access to localhost via insecure websocket if the page loads from a
secure context.
On 19/06/17 20:41, Tavis Ormandy via dev-security-policy wrote:
Thanks Alex, I took a look. It looks like the check pings crt.sh; is doing
that for a large number of certificates acceptable, Rob?
Hi Tavis. Yes, Alex's tool uses https://crt.sh/gen-add-chain to find a
suitable cert chain and