Re: [FORGED] Re: How Certificates are Verified by Firefox

2019-12-09 Thread Ben Laurie via dev-security-policy
> -Tim >> >> > -Original Message- >> > From: dev-security-policy < >> dev-security-policy-boun...@lists.mozilla.org> >> On >> > Behalf Of Wayne Thayer via dev-security-policy >> > Sent: Monday, December 2, 2019 3:29 PM >> >

Re: [FORGED] Re: How Certificates are Verified by Firefox

2019-12-09 Thread Ben Laurie via dev-security-policy
> If that involves loading and using intermediates that are not actually available via AIA, then yes. > - Wayne > > [1] > https://wiki.mozilla.org/Security/CryptoEngineering/Intermediate_Preloading#Intermediate_CA_Preloading > > On Thu, Nov 28, 2019 at 1:39 PM Ben Laurie wro

Re: [FORGED] Re: How Certificates are Verified by Firefox

2019-11-28 Thread Ben Laurie via dev-security-policy
On Thu, 28 Nov 2019 at 20:22, Peter Gutmann wrote: > Ben Laurie via dev-security-policy > writes: > > >In short: caching considered harmful. > > Or "caching considered necessary to make things work"? If you happen to visit a bazillion sites a day. >

Re: How Certificates are Verified by Firefox

2019-11-28 Thread Ben Laurie via dev-security-policy
One of the things that was quite annoying when developing CT was browser behaviour wrt intermediates - caching them and filling in missing ones means that failure to present correct cert chains is common behaviour. Which means that anything that _doesn't_ see a lot of certs has quite a low chance

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Ben Laurie via dev-security-policy
On Fri, 16 Aug 2019 at 14:31, Doug Beattie via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > DB: Yes, that's true. I was saying that phishing sites don't use EV, not > that EV sites don't get phished Surely this shows that EV is not needed to make phishing work, not that

Re: Violation report - Comodo CA certificates revocation delays

2018-10-19 Thread Ben Laurie via dev-security-policy
On Fri, 19 Oct 2018 at 10:38, Rob Stradling wrote: > On 18/10/2018 22:55, Ben Laurie wrote: > > On Fri, 12 Oct 2018 at 19:01, Rob Stradling wrote: > > > > On 12/10/18 16:40, Ryan Sleevi via dev-security-policy wrote: > > > On Fri, Oct 12, 2018 at 8:33

Re: Violation report - Comodo CA certificates revocation delays

2018-10-18 Thread Ben Laurie via dev-security-policy
On Fri, 12 Oct 2018 at 19:01, Rob Stradling wrote: > On 12/10/18 16:40, Ryan Sleevi via dev-security-policy wrote: > > On Fri, Oct 12, 2018 at 8:33 AM Ben Laurie wrote: > > >> This is one of the reasons we also need revocation transparency. > > > > As temptin

Re: Violation report - Comodo CA certificates revocation delays

2018-10-12 Thread Ben Laurie via dev-security-policy
On Fri, 12 Oct 2018 at 16:41, Ryan Sleevi wrote: > > > On Fri, Oct 12, 2018 at 8:33 AM Ben Laurie wrote: > >> >> >> On Fri, 12 Oct 2018 at 03:16, Ryan Sleevi via dev-security-policy < >> dev-security-policy@lists.mozilla.org> wrote: >> >

Re: Violation report - Comodo CA certificates revocation delays

2018-10-12 Thread Ben Laurie via dev-security-policy
On Fri, 12 Oct 2018 at 13:54, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 12/10/2018 14:33, Ben Laurie wrote: > > On Fri, 12 Oct 2018 at 03:16, Ryan Sleevi via dev-security-policy < > > dev-security-policy@lists.mozilla.org>

Re: Violation report - Comodo CA certificates revocation delays

2018-10-12 Thread Ben Laurie via dev-security-policy
On Fri, 12 Oct 2018 at 03:16, Ryan Sleevi via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I believe that may be misunderstanding the concern. > > Once these certificates expire, there's not a good way to check whether or > not they were revoked, because such revocation

Re: GoDaddy Revocation Disclosure

2018-08-18 Thread Ben Laurie via dev-security-policy
On Fri, 17 Aug 2018 at 18:22, Daymion Reynolds via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Revoke Disclosure > > GoDaddy has been proactively performing self-audits. As part of this > process, we identified a vulnerability in our code that would allow our >

Re: How do you handle mass revocation requests?

2018-03-01 Thread Ben Laurie via dev-security-policy
On 28 February 2018 at 21:37, Nick Lamb via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Wed, 28 Feb 2018 20:03:51 + > Jeremy Rowley via dev-security-policy > wrote: > > > The keys were emailed to me. I'm trying to get a

Re: How do you handle mass revocation requests?

2018-03-01 Thread Ben Laurie via dev-security-policy
On 28 February 2018 at 19:40, Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > The end user agreed to the subscriber agreement, not Trustico. Our > analysis follows what Peter B. posted – the subscriber is the “natural > person or Legal Entity to whom a

Re: Anomalous Certificate Issuances based on historic CAA records

2017-11-29 Thread Ben Laurie via dev-security-policy
On 29 November 2017 at 22:33, Paul Wouters <p...@nohats.ca> wrote: > > > > On Nov 29, 2017, at 17:00, Ben Laurie via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > > This whole conversation makes me wonder if CAA Transparency sh

Re: Anomalous Certificate Issuances based on historic CAA records

2017-11-29 Thread Ben Laurie via dev-security-policy
This whole conversation makes me wonder if CAA Transparency should be a thing. On 29 November 2017 at 20:44, Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > The Thawte records aren't showing any CAA record preventing wildcards > either. > > Here's the

Re: Intermediate certificate disclosure deadline in 2 weeks

2016-06-25 Thread Ben Laurie
On 25 June 2016 at 00:56, Rob Stradling wrote: > On 24/06/16 14:38, Rob Stradling wrote: >> >> I've just updated https://crt.sh/mozilla-disclosures. >> >> There's now a separate grouping for undisclosed intermediates for which >> all observed paths to a trusted root have