On 2/28/2019 7:45 PM, 孙圣男 wrote:
> Dear Mozilla:
> This problem has been confirmed. We contacted the customer and
> confirmed this certificate has not been deployed to a production system, so no
> damage was caused. This certificate was revoked on March 1, 2019. We have
> fixed this bug in
g1464306.bmoattachments.org/attachment.cgi?id=8980478
> [2]
> https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/Ng99HcqhZtI/bkcimGlECAAJ
> [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1267332
> [4]
> https://crt.sh/?caid=7319=cablint,zlint,x509lint=2017-01-01
On 10/24/2018 1:07 PM, Wayne Thayer wrote:
> On Tue, Oct 23, 2018 at 1:46 PM David E. Ross via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> On 10/23/2018 11:45 AM, Wayne Thayer wrote:
>>> I believe that the discussion over Certigna's r
lla.org/show_bug.cgi?id=1485413
> [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1265683
>
If there remain unresolved issues, should not approval be withheld?
--
David E. Ross
<http://www.rossde.com>
Too often, Twitter is a source of verbal vomit. Examples in
eld until the issues leading
to qualified reports are resolved?
--
David E. Ross
___
dev-security-policy mai
since version 60 is not
compatible with several of the extensions that I consider important.
--
David E. Ross
No, I am not suggesting that such an audit
is required at this time. I am merely saying that the documents must
provide clear, objective statements against which an auditor can
determine if the Mozilla policy is being followed.
--
David E. Ross
"subordinate
certificates newly issued from roots"?
I do not really want to be picky. However, when dealing with something
as important as Internet security, being picky is mandatory.
--
David E. Ross
<http://www.rossde.com/>
President Trump: Please stop using Twitter. We need
to
blished, misissued, and currently unrevoked
> certificates in the CCR2016 hierarchy:
> https://crt.sh/?caid=50473=cablint,zlint,x509lint=2011-01-01
If Camerfirma had been already approved and its root added to the RSS
database, would not the above item be sufficient to remove that
ng to
expire. The site's administration decides to obtain a new certificate
from a different certification authority. Because of various
administrative processes, the switch to the new site certificate cannot
be accomplished quickly (e.g., moving the server); so they establish a
notBefore date th
under OCSP at [Edit > Preferences > Privacy &
Security > Certificates], I am now able to reach Google Web sites.
--
David E. Ross
ing security problems, I have doubts whether this
request should be approved.
See <https://bugzilla.mozilla.org/show_bug.cgi?id=1325532>.
--
David E. Ross
uired
to obtain confirmation from their hardware suppliers that the MAC
addresses in their devices are indeed unique.
--
David E. Ross
er of a root certificate to the level
> it trusted the previous owner.
Excellent!!
--
David E. Ross
<http://www.rossde.com/>
Yes, George Washington, Thomas Jefferson, and other
"founding fathers" owned slaves. However, they created
a nation. Robert E. Lee, Jefferson Da
subject was "Expired Server Certificate".
--
David E. Ross
On 8/11/2017 7:26 AM, Ben Wilson wrote:
>
> With regard to Siemens, given the large number of certificates and
> the disruption that massive revocations will have on their
> infrastructure, what does this community expect them to do?
>
Each violation of published requirements for the operation
Errors like this make me question whether the
certification authority is sufficiently competent to be trusted. Small
errors can indicate an increased likelihood of serious errors.
--
David E. Ross
<http://www.rossde.com/>
President Trump demands loyalty to himself from Republican member
olicy. I cannot find such a requirement
now unless the Baseline Requirements, which are included by reference in
Mozilla's policy, require it.
--
David E. Ross
rupt
termination of DigiNotar when that certification authority was found to
have serious lapses in its operations. The world did not end.
--
David E. Ross
<http://www.rossde.com/>.
The only reason we have so many laws is that not enough people will do
the right thing. (© 1997 by David Ros
Under the Servers tab for Certificate Manager, I see several root
certificates whose expiration dates have passed. I believe these were
all marked untrusted at one time. For example, I see six DigiNotar
certificates, CNNIC's MCSHOLDING TEST, Equifax's MD5 Collisions, among
others. Is it safe to
On 7/19/2017 8:31 AM, Steve Medin wrote:
>> -Original Message-
>> From: dev-security-policy [mailto:dev-security-policy-
>> bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of
>> Jakob Bohm via dev-security-policy
>> Sent: Tuesday, July 18, 2017 4:39 PM
>> To:
On 6/8/2017 2:38 AM, Gervase Markham wrote:
> On 02/06/17 11:28, Gervase Markham wrote:
>> Proposal: add a bullet to section 2.3, where we define BR exceptions:
>>
>> "Insofar as the Baseline Requirements attempt to define their own scope,
>> the scope of this policy (section 1.1) overrides that.
t Symantec to notify promptly all holders of
subscriber certificates of the terms of the probation. This would warn
potential users of concern over Symantec's operations. This would also
give existing users time to consider renewing their expiring subscriber
certificates with other certification
as a broader scope by levying additional
requirements on certification authorities.
--
David E. Ross
<http://www.rossde.com>
Consider:
* Most states mandate that drivers have liability insurance.
* Employers are mandated to have worker's compensation insurance.
* If you live in a
about a site’s
> content or who runs it. DV certificates do not include any
> information about a website’s reputation, real-world identity, or
> safety. To me, this means that certificates can be freely issued to criminal
enterprises.
--
David E. Ross
e limits but the sentence is so long, I am not sure.
--
David E. Ross
<http://www.rossde.com/>
Paraphrasing Mark Twain, who was quoting someone else:
There are three kinds of lies: lies, damned lies, and
alternative truths.
is is also seen with "CA". That
acronym means "certification authority", but it is too often seen to
mean "root certificate".
Enforceable policies require that all terminology be accurate and
unambiguous.
--
David E. Ross
tificates of certification
authorities, the public should be able to access, view, and even copy
those authorities' CPs and CPSs.
--
David E. Ross
The Crimea is Putin's Sudetenland.
The Ukraine will be Putin's Czechoslovakia.
See <http://www.rossde.com/editorials/edtl_PutinUkraine.html>
the CP/CPS also.
As an alternative, auditors should choose between (a) assert compliance
to the English version and (b) assert that the English version is an
accurate and complete translation of the version in the certification
authority's native language.
--
David E. Ross
oyee of the actual employer and not a 1099-MISC
contractor]
* The job opportunity is a role relevant to the forum's audience [who
would review the posting to verify this?]
If this is a valid use of news.mozilla.org, then perhaps a new MODERATED
newsgroup would be appropriate. However, that would still requir
rejecting SHA-1 certificates. See
<http://news.softpedia.com/news/mozilla-gives-a-security-pass-to-the-people-it-shouldn-t-500986.shtml>.
--
David E. Ross
While many tributes to the late Supreme Court Associate Justice
Antonin Scalia now fill the news media, his legacy was not
necessarily positive
at <http://addonconverter.fotokraina.com/> in an attempt to
make it compatible with SeaMonkey, and installed in SeaMonkey 2.39 on
Windows 7. I did not get the icon you describe.
Until this extension is modified to work not only with SeaMonkey
(without use of the Extension Converter) but
raint” for
> “rfc822names” if Subscriber Certificate are for email protection to be
> set in the CA certificate (refer to section 10.3 below).
> — All the possible “Extended Key Usage” that are set in the Subscriber
> Certificate in order to be set in the CA certificate (refer t
In the USA, individual tax returns for income received during a calendar
year are not due until 15 April, 4.5 months after the end of the taxed
year.
I think
> within three months of the point in time date or the end date of
> the period
does not give the certification authority sufficient t
cts the too casual use of "CA" by too many individuals to mean
"certification authority" and "root certificate". "CA" is used for both
-- often by the same individual -- but with different meanings at
different times. That is why the acronym should not be us
On 11/5/2015 11:10 AM, Kathleen Wilson wrote:
> On 11/5/15 10:58 AM, David E. Ross wrote:
>>
>> Rather than list acceptable key types and sizes, cite the Baseline
>> Requirements along with listing exceptions, both types and sizes that
>> are not supported but are in
v.security.policy/atSYV_QPPFA/ycC96j6PBAAJ
>
>
For E-mail, I would much rather use OpenPGP instead of S/MIME. However,
the mail-news component alters E-mail and newsgroup messages in a way
after they have been encrypted or signed that renders the encryption or
signature invalid. Bug re
to Slash.dot, ZDNet, or any other external news
services? Or will this be announced only within Mozilla's media?
--
David E. Ross
I am getting a number of failures to reach Web sites. The error message
says:
An error occurred during a connection to [some domain].
Invalid OCSP signing certificate in OCSP response.
(Error code: sec_error_ocsp_invalid_signing_cert)
--
David E. Ross
I am sticking with SeaMonkey 2.26.1
, and other entities where trust between
the provider of a service and its customers is important. By
customers, I would include both subscribers (notified by the old
owner) and end-users (notified here in mozilla.dev.security.policy).
--
David E. Ross
On 6/1/2015 2:45 PM, Kathleen Wilson wrote:
On 5/29/15 4:55 PM, David E. Ross wrote:
On 5/29/2015 2:16 PM, Kathleen Wilson wrote:
On 5/28/15 7:53 PM, David E. Ross wrote:
I have started the wiki page for this, and I will appreciate your
feedback on it.
https://wiki.mozilla.org
On 5/29/2015 2:16 PM, Kathleen Wilson wrote:
On 5/28/15 7:53 PM, David E. Ross wrote:
I have started the wiki page for this, and I will appreciate your
feedback on it.
https://wiki.mozilla.org/CA:RootTransferPolicy
Thanks,
Kathleen
Does the line beginning In all of these cases, the CA
of this
is confusing.
--
David E. Ross
.
--
David E. Ross
,
Kathleen
What action will be taken if an E-mail is bounced for any reason (e.g.,
mail-box full, E-mail address unknown, message blocked as possible spam)?
What action will be taken if a CA fails to respond?
--
David E. Ross
On 4/24/2015 10:14 PM, Ryan Sleevi wrote:
On Fri, April 24, 2015 7:52 pm, David E. Ross wrote:
If a root has already been added to the NSS database, we must assume
that it has undergone the Mozilla process for that inclusion. The
process involves looking not only at the root but also
I forgot to include the following point.
On 4/24/2015 11:32 PM, David E. Ross wrote:
However, all certification authorities whose root certificates are in
the NSS database have indeed undergone community review.
How else can you explain that a single request to Mozilla from a
certification
-- not Mozilla -- is responsible for initiating
the process.
--
David E. Ross
to the Web
of Trust.
--
David E. Ross
an agent of the Chinese
military.
--
David E. Ross
to your discussion is
dev-security-policy@lists.mozilla.org, without the leading mozilla-.
--
David E. Ross
that Kaply will
continue to maintain his Web site. I suggest you obtain permission to
replicate his page within the Mozilla wiki.
--
David E. Ross
/2014 05:06 PM, David E. Ross wrote:
I see a number of server certificates when I open the Certificate
Manager window and select the Servers tab. Except possibly one or two,
I did not add these; these came with an update to my browser.
Some of these have expiration dates that have already passed
? Or is this intentional?
--
David E. Ross
has Brower instead of Browser.
--
David E. Ross
. The same is true of
distributors of malware.
If short-lived certificates are subjected to less stringent security by
client applications, I would fear that they would become hacker and
malware tools.
--
David E. Ross
: dev-security-policy
[mailto:dev-security-policy-bounces+jeremy.rowley=digicert@lists.mozilla.org]
On Behalf Of David E. Ross
Sent: Thursday, September 4, 2014 11:36 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Short-lived certs
On 9/4/2014 3:21 AM, Gervase
suggestion.
--
David E. Ross
On 8/27/2014 7:11 AM, Jean-Marc Desperrier wrote:
David E. Ross wrote:
With a redacted audit report, the presumption
should be that hidden negative information exists that would disqualify
the certification authority from having its root certificate in the NSS
database if such information
, not merely with a
wall of shame on a Mozilla Web site but also sending out press
releases to appropriate news media, alerts to US-CERT, and messages to
non-Mozilla newsgroups.
--
David E. Ross
On 8/13/2014 12:34 PM, Ryan Sleevi wrote:
On Wed, August 13, 2014 12:02 pm, David E. Ross wrote:
On 8/13/2014 11:16 AM, Kathleen Wilson wrote [in part]:
All,
As the CFCA discussion showed, there are a few things still to figure
out regarding the audits of CA conformance to the BRs.
Here
On 8/10/2014 8:16 PM, David E. Ross wrote:
On 8/10/2014 4:09 PM, Matt Palmer wrote:
On Sat, Aug 09, 2014 at 04:53:46PM -0700, David E. Ross wrote:
Anyone wishing to argue this issue further -- to argue in favor of
implementing a scheme to encourage all Web sites to be HTTPS with site
interest in selling site
certificates, he argues against the idea that all Web sites should be
HTTPS.
--
David E. Ross
On 7/30/2014 3:14 PM, David E. Ross wrote:
On 7/30/2014 12:17 PM, Kathleen Wilson wrote:
On 7/28/14, 11:00 AM, Brian Smith wrote:
I suggest that, instead of including the cross-signing certificates in
the NSS certificate database, the mozilla::pkix code should be changed
to look up those
automatically supply a missing intermediate certificate
or replacing an incorrect one with the correct one effectively hides
other possible security lapses.
--
David E. Ross
exposure to spam. I am not the only
participant in news.mozilla.org newsgroups who munges his or her E-mail
address.
--
David E. Ross
http://www.rossde.com/
On occasion, I filter and ignore all newsgroup messages
posted through GoogleGroups via Google's G2/1.0 user agent
because of spam, flames
many of their root
certificates as untrusted.
--
David E. Ross
queue.
--
David E. Ross
reports have been filed for each non-complying root certificate.
See the following bugs: 1015767, 1015770, 1015771, 1015772, 1015773,
1026128, and 1026741.
--
David E. Ross
Does NSS use any code in common with OpenSSL? Is any part of OpenSSL
used in any Mozilla applications?
--
David E. Ross
.
OR
Mozilla::pkix must be able to build at least one trusted path that lacks
the inhibitAnyPolicy extension to grant EV treatment to a certificate.
Any preference?
Kathleen
--
David E. Ross
or not) have professional
experience in performing formal audits.
--
David E. Ross
where a certificate is meant.
I would also add a prohibition against including the root certificate of
any Super-CA.
Finally, the wording cites third-party subordinate CAs. I assume the
Super-CA is the first-party. What is a second-party subordinate CA?
--
David E. Ross
.
--
David E. Ross
twice in the
mozilla.dev.security.policy newsgroup. It was sent both to the
newsgroup and to the E-mail address
dev-security-policy@lists.mozilla.org.
--
David E. Ross
to the mozilla.dev.security.policy newsgroup OR to
the dev-security-policy@lists.mozilla.org mailing list, BUT NOT BOTH.
Each feeds into the other.
--
David E. Ross
practices by allowing server
administrators to be lazy and incompetent -- allowing them to tell users
their browsing session is secure while the server is incompletely
configured.
--
David E. Ross
checkmarks for some or
all of the trust bits.
I checked the security for file cert8.db. All entities have write
permission.
Is this a known bug?
--
David E. Ross
http://www.rossde.com/
Where does your elected official stand? Which
politicians refuse to tell us where they stand?
See the non
and administrative capabilities
to act on their own. Such a lack might indicate other inabilities that
could impair the trustworthiness of their operations.
--
David E. Ross