Ronald Crane via dev-security-policy
writes:
>Please cite the best study you know about on this topic (BTW, I am *not* snidely
>implying that there isn't one).
Sure, gimme a day or two since I'm away at the moment.
Alternatively, there's been such a vast amount of work done on this that a
One suggestion on incident reports is to define "regularly update" as some
period of time as non-responses can result in additional incident reports.
Maybe something along the lines of "the greater of every 7 days, the time
period specified in the next update field by Mozilla, or the time
I'm surprised any CA has heartburn over the EKU changes. Microsoft has required
them in end entity certificates for quite some time. From the MS policy:
"Effective February 1, 2017, all end-entity certificates must contain the EKU
for the purpose that the CA issued the certificate to the
Thank you Ryan. Brian reviewed these changes back in May, so I've gone
ahead and accepted them for the 2.7 policy update:
https://github.com/mozilla/pkipolicy/commit/5657ecf650d70fd3c6ca5062bee360fd83da9d27
I'll consider this issue resolved unless there are further comments.
- Wayne
On Fri, May
On September 21, I sent a message to the Mozilla community with the results of
a survey of all of Entrust Datacard’s customers (both those who use EV
certificates, and those who don’t) concerning what they think about website
identity in browsers, browser UIs in general, and EV browser UIs in
On 10/2/2019 3:27 PM, Peter Gutmann wrote:
Ronald Crane via dev-security-policy
writes:
"Virtually impossible"? "Anyone"? Really? Those are big claims that need real
data.
How many references to research papers would you like? Would a dozen do, or
do you want two dozen?
One well-done
> On Oct 2, 2019, at 3:41 PM, Ronald Crane via dev-security-policy
> wrote:
>
> On 10/2/2019 3:00 PM, Paul Walsh via dev-security-policy wrote:
>> On Oct 2, 2019, at 2:52 PM, Ronald Crane via dev-security-policy
>> wrote:
> [snip]
>>> Some other changes that might help reduce phishing are:
> On Oct 2, 2019, at 3:27 PM, Peter Gutmann via dev-security-policy
> wrote:
>
> Ronald Crane via dev-security-policy
> writes:
>
>> "Virtually impossible"? "Anyone"? Really? Those are big claims that need real
>> data.
>
> How many references to research papers would you like? Would a
> On Oct 2, 2019, at 3:20 PM, Kurt Roeckx wrote:
>
> On Wed, Oct 02, 2019 at 03:17:31PM -0700, Paul Walsh wrote:
In separate research, CAs have shown data to demonstrate that website
owners want to have their identity verified.
>>>
>>> They have not. In fact, I would say that most
> On Oct 2, 2019, at 3:18 PM, Ronald Crane via dev-security-policy
> wrote:
>
>
> On 10/2/2019 2:47 PM, Paul Walsh via dev-security-policy wrote:
>> On Oct 2, 2019, at 1:16 PM, Ronald Crane via dev-security-policy
>> wrote:
>>> On 10/1/2019 6:56 PM, Paul Walsh via dev-security-policy wrote:
On Wed, Oct 02, 2019 at 03:17:31PM -0700, Paul Walsh wrote:
> >> In separate research, CAs have shown data to demonstrate that website
> >> owners want to have their identity verified.
> >
> > They have not. In fact, I would say that most website owners are perfectly
> > happy with DV
> On Oct 2, 2019, at 3:11 PM, Kurt Roeckx wrote:
>
> On Wed, Oct 02, 2019 at 02:48:56PM -0700, Paul Walsh wrote:
>> On Oct 2, 2019, at 12:52 AM, Kurt Roeckx via dev-security-policy
>> wrote:
>>>
>>> On 2019-10-02 09:20, Kurt Roeckx wrote:
On 2019-10-02 02:39, Paul Walsh wrote:
>
Over the past 3 months, a number of other projects distracted me from this
work. Now I'd like to focus on finishing these updates to our Root Store
policy. There are roughly 6 issues remaining to be discussed, and I will,
as always, greatly appreciate everyone's input on them. I'll be sending out
On 10/2/2019 2:47 PM, Paul Walsh via dev-security-policy wrote:
On Oct 2, 2019, at 1:16 PM, Ronald Crane via dev-security-policy
wrote:
On 10/1/2019 6:56 PM, Paul Walsh via dev-security-policy wrote:
New tools such as Modlishka now automate phishing attacks, making it virtually
impossible
On Wed, Oct 02, 2019 at 02:48:56PM -0700, Paul Walsh wrote:
> On Oct 2, 2019, at 12:52 AM, Kurt Roeckx via dev-security-policy
> wrote:
> >
> > On 2019-10-02 09:20, Kurt Roeckx wrote:
> >> On 2019-10-02 02:39, Paul Walsh wrote:
> >>>
> >>> According to Ellis, the goal for a customer survey is
On Oct 2, 2019, at 2:52 PM, Ronald Crane via dev-security-policy
wrote:
>
> On 10/2/2019 1:16 PM, Ronald Crane via dev-security-policy wrote:
>> On 10/1/2019 6:56 PM, Paul Walsh via dev-security-policy wrote:
>>> New tools such as Modlishka now automate phishing attacks, making it
>>>
On Oct 2, 2019, at 12:52 AM, Kurt Roeckx via dev-security-policy
wrote:
>
> On 2019-10-02 09:20, Kurt Roeckx wrote:
>> On 2019-10-02 02:39, Paul Walsh wrote:
>>>
>>> According to Ellis, the goal for a customer survey is to get feedback from
>>> people who had recently experienced "real usage"
On Oct 2, 2019, at 1:16 PM, Ronald Crane via dev-security-policy
wrote:
>
> On 10/1/2019 6:56 PM, Paul Walsh via dev-security-policy wrote:
>> New tools such as Modlishka now automate phishing attacks, making it
>> virtually impossible for any browser or security solution to detect -
>>
On 10/1/2019 6:56 PM, Paul Walsh via dev-security-policy wrote:
New tools such as Modlishka now automate phishing attacks, making it virtually
impossible for any browser or security solution to detect - bypassing 2FA.
Google has admitted that it’s unable to detect these phishing scams as they
On 02/10/2019 00:51, Wayne Thayer wrote:
> On Tue, Oct 1, 2019 at 3:34 AM Rob Stradling wrote:
>
> I propose that you update [4] to say that Mozilla won't treat
> non-compliance with [4] as an "incident" whilst it remains the case
> that the BRs are inconsistent with [4].
>
> I could
On 2019-10-02 09:20, Kurt Roeckx wrote:
On 2019-10-02 02:39, Paul Walsh wrote:
According to Ellis, the goal for a customer survey is to get feedback
from people who had recently experienced "real usage" of the product.
The key question in the survey for these people according to Ellis, is:
On 2019-10-02 02:39, Paul Walsh wrote:
According to Ellis, the goal for a customer survey is to get feedback from people who had
recently experienced "real usage" of the product. The key question in the
survey for these people according to Ellis, is:
"How would you feel if you could no
22 matches