Gerv - Peer Emeritus

2018-02-16 Thread Kathleen Wilson via dev-security-policy
All, I have had the tremendous opportunity to work with Gerv Markham on the CA Program for many years, and am extremely grateful to Gerv for his countless valuable and lasting contributions to the CA world. Gerv has decided to step away from work at this time, to focus on his family[1]. We

Re: Root Store Policy 2.6

2018-02-16 Thread Ryan Sleevi via dev-security-policy
On Fri, Feb 16, 2018 at 3:41 PM, Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > I have begun work on version 2.6 of the Root Store Policy by drafting some > changes that are [I hope] uncontroversial. The diff can be viewed at >

Root Store Policy 2.6

2018-02-16 Thread Wayne Thayer via dev-security-policy
I have begun work on version 2.6 of the Root Store Policy by drafting some changes that are [I hope] uncontroversial. The diff can be viewed at https://github.com/mozilla/pkipolicy/compare/2.6 The changes I have already drafted are: - Require disclosure of email validation practices in CPS

Re: TLS everywhere has a major flaw and needs refining to the page level.

2018-02-16 Thread Kevin Chadwick via dev-security-policy
On Fri, 16 Feb 2018 08:15:10 -0800 > Given this group focused on Mozilla, it is likely out of scope to > discuss Chromium design. I do suggest you look at > https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html > It seems reasonably clear the marking is per top level page

Re: TLS everywhere has a major flaw and needs refining to the page level.

2018-02-16 Thread Peter Bowen via dev-security-policy
On Fri, Feb 16, 2018 at 3:34 AM, Kevin Chadwick via dev-security-policy wrote: > > On that subject I think the chromium reported plan to label sites as > insecure should perhaps be revised to page insecured or something more > accurate? Given this group

Re: TLS everywhere has a major flaw and needs refining to the page level.

2018-02-16 Thread R0b0t1 via dev-security-policy
On Thu, Feb 15, 2018 at 6:34 AM, Kevin Chadwick wrote: > The cookies etc. should be SSL only. Particular pages enforced, sure. > > Enforcing TLS with HSTS sitewide means that users with failed > bios/laptop batteries have to know to reset their clock or get used to >

Re: TLS everywhere has a major flaw and needs refining to the page level.

2018-02-16 Thread Kevin Chadwick via dev-security-policy
On Thu, 15 Feb 2018 15:55:27 -0600 > I'm not sure this can be worked around. A setup where time is not > pulled from the network is abnormal now, and most people who have such > a system soon realize what the issue is. OpenNTP has a constraint system but considering NTP is a latent, insecure,

Re: Certificates with 2008 Debian weak key bug

2018-02-16 Thread Nick Lamb via dev-security-policy
On Fri, 16 Feb 2018 11:28:41 + Arkadiusz Ławniczak via dev-security-policy wrote: > The issue was caused by incorrect calculation of the SHA1 > fingerprint of public key. Public keys hashes stored in Certum's > database was calculated from the

RE: Certificates with 2008 Debian weak key bug

2018-02-16 Thread Arkadiusz Ławniczak via dev-security-policy
Hello ALL Please find our incident report below. 1. How your CA first became aware of the problem and the time and date. 1) 3 February 2018, 12:06 CET - Certum receives the message from ha...@hboeck.de to rev...@certum.pl. 2. A timeline of the actions CERTUM took in

Re: TLS everywhere has a major flaw and needs refining to the page level.

2018-02-16 Thread Frederik Braun via dev-security-policy
On 15.02.2018 13:34, Kevin Chadwick wrote: > Enforcing TLS with HSTS sitewide means that users with failed > bios/laptop batteries have to know to reset their clock or get used to > bypassing SSL warnings or use out of date browsers to access sites. Firefox and many other browsers have their own