Re: CT2 log signing key compromise

2020-05-03 Thread Ian Carroll via dev-security-policy
Hi Jeremy, Can you clarify why you believe the signing key cannot be easily used? Is there a cryptographic limitation in what was disclosed? Also, do you have plans for a more formal post-mortem? Since vulnerability management is usually an organization-wide process, it would be useful to

Re: Revocation as an independent user agent decision

2020-03-28 Thread Ian Carroll via dev-security-policy
On Thursday, March 26, 2020 at 2:23:11 PM UTC-7, Ryan Sleevi wrote: > On Thu, Mar 26, 2020 at 4:45 PM Ian Carroll via dev-security-policy > wrote: > > > > Hi all, > > > > A recent thread on CAs using contractual terms to revoke certificates has > > made m

Revocation as an independent user agent decision

2020-03-26 Thread Ian Carroll via dev-security-policy
Hi all, A recent thread on CAs using contractual terms to revoke certificates has made me want to bring up a topic that I am surprised does not come up more: removing the control of revocation from CAs and moving it to the user agent. While this is an idea that requires the backing of a user

Sectigo-issued certificates with concerningly mismatched subject information

2020-01-26 Thread Ian Carroll via dev-security-policy
Hi, I was recently sent https://crt.sh/?id=380678631 by Nathanial Lattimer (https://twitter.com/d0nutptr), when he noticed it appeared to contain subject information for a completely different entity (Harman International's domain, Twitter's organizational information). It appears Sectigo made

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Ian Carroll via dev-security-policy
On Thursday, August 29, 2019 at 11:49:16 AM UTC-7, Kirk Hall wrote: > On Thursday, August 29, 2019 at 11:01:27 AM UTC-7, Jonathan Rudenberg wrote: > > On Thu, Aug 29, 2019, at 13:39, Kirk Hall via dev-security-policy wrote: > > > This string is about Mozilla’s announced plan to remove the EV UI

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Ian Carroll via dev-security-policy
On Thursday, August 15, 2019 at 10:59:32 AM UTC-7, Doug Beattie wrote: > So far I see is a number of contrived test cases picking apart small > components of EV, and no real data to back it up. Mostly academic or > irrelevant research, imho. Here are a couple of links posted in this thread: >

Re: Request to Include Hongkong Post Root CA 3

2019-01-14 Thread Ian Carroll via dev-security-policy
I do not usually comment on new CA applications, so take this with whatever grain of salt you'd like, but from looking at [3] I think it should be a very negative mark against a CA to have to OneCRL one of their intermediates. If the CA is not committed to closely following web PKI standards, it's

Re: Concerns with Dun & Bradstreet as a QIIS

2018-10-02 Thread Ian Carroll via dev-security-policy
On Tuesday, October 2, 2018 at 7:02:32 AM UTC-7, Dimitris Zacharopoulos wrote: > On 1/10/2018 8:15 μμ, Ryan Sleevi via dev-security-policy wrote: > > On Mon, Oct 1, 2018 at 9:21 AM Dimitris Zacharopoulos > > wrote: > > > [...] > > > > > >> I am certainly not suggesting that CAs should put

Re: Concerns with Dun & Bradstreet as a QIIS

2018-09-28 Thread Ian Carroll via dev-security-policy
telephone numbers (self-reported), > * color of the building (self-reported), > > and the CA, during evaluation, might decide to accept only the first 5 > as Reliable/Qualified Information as they have higher level of > assurance. That would be the right thing to do. For the rest of th

Re: Concerns with Dun & Bradstreet as a QIIS

2018-09-27 Thread Ian Carroll via dev-security-policy
On Wednesday, September 26, 2018 at 6:12:22 PM UTC-7, Ryan Sleevi wrote: > Thanks for raising this, Ian. > > The question and concern about QIIS is extremely reasonable. As discussed > in past CA/Browser Forum activities, some CAs have extended the definition > to treat Google Maps as a QIIS (it

Concerns with Dun & Bradstreet as a QIIS

2018-09-26 Thread Ian Carroll via dev-security-policy
Hi, In April and May of this year, I attempted to change the address listed in Dun & Bradstreet of my (Kentucky-incorporated) company "Stripe, Inc" to an address in Toledo, Ohio that did not exist (185 Berry Street Toledo Ohio). I was wondering the extent of validation Dun & Bradstreet would

Re: Sigh. stripe.ian.sh back with EV certificate for Stripe, Inc of Kentucky....

2018-04-11 Thread Ian Carroll via dev-security-policy
> an EV certificate issued and fairly promptly revoked by Comodo. Just to clarify, Comodo revoked it at least four months after it was issued (https://crt.sh/?id=273634647). It was not "promptly" revoked.

Re: Trustico code injection

2018-03-02 Thread Ian Carroll via dev-security-policy
(re-sending to list) > We also asked Trustico to cease offering any tools to generate and/or retain customer private keys. Does Comodo intend to standardize a policy against this? GoGetSSL has a tool like this in their customer panel and I’m sure there are more. On Fri, Mar 2, 2018 at 12:29 PM

Re: On the value of EV

2017-12-18 Thread Ian Carroll via dev-security-policy
On Monday, December 18, 2017 at 4:54:24 PM UTC-5, Andrew wrote: > On Monday, December 18, 2017 at 3:09:31 PM UTC-6, Wayne Thayer wrote: > > Thank you Ryan for raising this question, and to everyone who has been > > contributing in a constructive manner to the discussion. A number of > > excellent