Re: SHA256 for OCSP response issuer hashing

2016-12-16 Thread Jakob Bohm
On 16/12/2016 12:22, Hanno Böck wrote: On Fri, 16 Dec 2016 02:51:47 +0100 Jakob Bohm wrote: [Snip: Discussion of potential odd client bug] ... I wonder if Let's Encrypt ever issued SHA-1 certificates, and if any of those are non-expired. Almost certainly not. Given 3 month lifeti

Re: SHA256 for OCSP response issuer hashing

2016-12-16 Thread Jakob Bohm
g a bit too close to the edge of what the spec allows. I don't think it should be much of a cost to pregenerate responses for both forms of CertID (SHA-256 and SHA-1) and send the response matching the query what is asked. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wis

Re: SHA256 for OCSP response issuer hashing

2016-12-15 Thread Jakob Bohm
LS, CA and OCSP-signing certificates, and the former have 3 month lifetime). Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo -

Re: Policy 2.4 Proposal: Require open licensing of CPs and CPSes

2016-12-09 Thread Jakob Bohm
On 09/12/2016 00:48, David E. Ross wrote: On 12/8/2016 1:41 PM, Jakob Bohm wrote [in part]: It is in particular noted that these things are a lot less than what any of the regular CC licenses permit. For example, Mozilla has no reason to require that other CA operators be permitted to reuse

Re: Can we require id-kp-serverAuth now?

2016-12-09 Thread Jakob Bohm
, would be in scope, unless all such names were excluded by the name constraints. Not sure about whether you would want to include the URL type. Someone who knows the NSS code should also check which values the current NSS accepts for various scenarios/actual usages. Enjoy Jakob

Re: Policy 2.4 Proposal: Require open licensing of CPs and CPSes

2016-12-08 Thread Jakob Bohm
uments as their own, even though such other CA operators are encouraged to participate in the permitted activities, such as publicly talking about the practices of their competitor. Enjoy Jakob

Re: Taiwan GRCA Root Renewal Request

2016-12-05 Thread Jakob Bohm
On 04/12/2016 06:00, capuchin...@gmail.com wrote: Jakob Bohm wrote on Sunday, 4 December 2016 at 01:23:16 UTC+8: You have made a fundamental technical mistake. I do not understand why you said that we made a fundamental technical mistake. As I had participated in drafting RFC 5280, I am sure that our

Re: Taiwan GRCA Root Renewal Request

2016-12-03 Thread Jakob Bohm
ith original" and "2016 with original" certificates) should point to different CRL and OCSP URLs that are signed with SHA-256, but still reports all the old revoked SHA-1 certs. P.S. Be careful when revoking the "original with 2012" certificate, when GlobalSign recentl

Re: Let's Encrypt Blocklist Incident, November 21 2016

2016-11-24 Thread Jakob Bohm
y the Mozilla organization. Enjoy Jakob

Re: Technically Constrained Sub-CAs

2016-11-17 Thread Jakob Bohm
ual certificate validity and note that the organizations running TCSCs need to be aware that if they don't keep up to date with the policies that apply to the parent CA, certificates that don't follow those policies might stop working due to 3rd parties (such as Browser vendors) enforcing

Re: Technically Constrained Sub-CAs

2016-11-17 Thread Jakob Bohm
s, .gov, .mil and .edu, CN has .cn, .hk etc., DK has .dk, .gl and .fo, etc.) name constraints allowing that set of alternatives or a subset would be accepted. Enjoy Jakob

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-11-17 Thread Jakob Bohm
glish has not been posted yet, indicating that Mozilla will just have to put the inclusion request on hold until then. Enjoy Jakob

Re: Technically Constrained Sub-CAs

2016-11-17 Thread Jakob Bohm
On 17/11/2016 01:14, Matt Palmer wrote: On Wed, Nov 16, 2016 at 04:35:18PM +0100, Jakob Bohm wrote: Redacted CT records that tell the world that "there is this single certificate with this full TBS hash and these technical extensions issued to some name domain/e-mail under example.com, b

Re: Technically Constrained Sub-CAs

2016-11-16 Thread Jakob Bohm
On 16/11/2016 02:13, Nick Lamb wrote: On Tuesday, 15 November 2016 09:35:17 UTC, Jakob Bohm wrote: The HTTPS-everywhere tendency, including the plans of some people to completely remove unencrypted HTTP from implementations, makes it necessary for non-public stuff connected to the Internet to

Re: Include Symantec-brand Class 1 and Class 2 Root Certs

2016-11-16 Thread Jakob Bohm
Enjoy Jakob

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-11-15 Thread Jakob Bohm
But it's best for you to hire a professional translator. Since CPS is very critical, I hope you understand what I said before. I don't want another Wosign incident happen again. Note that he said most of these things already in his post dated Thu, 27 Oct 2016 03:21:53 -0700 (PDT) Enjoy

Re: Technically Constrained Sub-CAs

2016-11-15 Thread Jakob Bohm
On 14/11/2016 21:37, Nick Lamb wrote: On Monday, 14 November 2016 16:57:20 UTC, Jakob Bohm wrote: If this is the only privacy mechanism in 6962bis, I would suggest that everyone not employed by either Google or another mass-monitoring service block its adoption on human rights grounds and on

Re: Technically Constrained Sub-CAs

2016-11-14 Thread Jakob Bohm
On 14/11/2016 18:59, Gervase Markham wrote: On 14/11/16 16:56, Jakob Bohm wrote: If this is the only privacy mechanism in 6962bis, I would suggest that everyone not employed by either Google or another mass-monitoring service block its adoption on human rights grounds and on the basis of being

Re: Technically Constrained Sub-CAs

2016-11-14 Thread Jakob Bohm
t accept 'but we have a lot of certs under TCSCs which will be affected by this' as a valid reason not to do something. In other words, if you hide stuff and it breaks, you get to keep both pieces. But in practice, such a line might not hold. Thoughts and suggestions? Gerv Enjoy Jakob

Re: Technically Constrained Sub-CAs

2016-11-14 Thread Jakob Bohm
e paths to easy TCSC creation. #3 would be in apparent violation of the BR applicability document you proposed in another thread. Alternative would be to pre-create resellable TCSC key pairs in advance during auditor visits, then throw away unsold ones at the next such ceremony. Enjoy Jakob

Re: Proposal to define applicability of BRs and expectations of CAs

2016-11-10 Thread Jakob Bohm
part of the transition away from SHA-1, those roots were usually cross signed by their already trusted SHA-1 roots). Perhaps a better text would be "1 and a half) The CA private key must not be used for any other CA or entity, but a CA may have more than one CA Certificate for that private

Re: Can we require id-kp-serverAuth now?

2016-11-09 Thread Jakob Bohm
't check this either? Enjoy Jakob

Re: Action on undisclosed intermediates

2016-11-08 Thread Jakob Bohm
On 08/11/2016 20:37, Gervase Markham wrote: On 08/11/16 19:11, Jakob Bohm wrote: However because all the sources are from a single entity (the UK government), that entity could manipulate the results, thus falsifying the provable randomness of the process. I think you are bikeshedding the

Re: Mozilla CT Policy

2016-11-08 Thread Jakob Bohm
On 08/11/2016 20:51, Ryan Sleevi wrote: On Tue, Nov 8, 2016 at 11:24 AM, Jakob Bohm wrote: Diversity requirements are about reducing the likelihood of simultaneous coercion, as it can never be ruled out that some powerful organization already engaged in such things could use some of its

Re: Mozilla CT Policy

2016-11-08 Thread Jakob Bohm
backhanded tactics to subvert a log operator that is entirely outside its direct jurisdiction. History has taught us that such things do happen from time to time. Enjoy Jakob

Re: Action on undisclosed intermediates

2016-11-08 Thread Jakob Bohm
tion time in UTC, not UK local time, e.g. 12:00 noon UTC. P.S. I am aware of the current zero-difference between UK local time and UTC, but this was not so just 10 days ago. Enjoy Jakob

Re: Implementing a SHA-1 ban via Mozilla policy

2016-11-08 Thread Jakob Bohm
He wasn't claiming that. Enjoy Jakob

Re: Mozilla CT Policy

2016-11-04 Thread Jakob Bohm
On 04/11/2016 15:42, Hanno Böck wrote: On Fri, 4 Nov 2016 14:09:55 +0100 Jakob Bohm wrote: * How do we allow organization internal non-public CAs to not reveal their secret membership/server lists to public CT systems or otherwise run the (administratively and technically) expensive

Re: Mozilla CT Policy

2016-11-04 Thread Jakob Bohm
logs be independent of the issuing CA (e.g. Symantec/Thawte can run a CT log, but it only counts for certificates from other CAs). Enjoy Jakob

Re: New SHA-1 certificates issued in 2016

2016-11-04 Thread Jakob Bohm
On 04/11/2016 11:21, Gervase Markham wrote: On 03/11/16 21:17, Jakob Bohm wrote: Note that the GlobalSign SHA-1 intermediaries chain only to their old SHA-1 root which is (I believe) not used for any SHA-256 certs, except a cross-cert that signs their current SHA-256 root. Nevertheless, it is

Re: Certificate Concern about Cloudflare's DNS

2016-11-04 Thread Jakob Bohm
state that the CA must do so if made aware that the "service agreement" allowing the issuance has been terminated. Enjoy Jakob

Re: New SHA-1 certificates issued in 2016

2016-11-03 Thread Jakob Bohm
for e-mail (because some non-Mozilla e-mail clients were very late to supporting SHA-2 e-mail signatures). Enjoy Jakob

Re: Certificate Concern about Cloudflare's DNS

2016-11-03 Thread Jakob Bohm
raight away. I was surprised when https://crt.sh/atom?q=crt.sh alerted me to https://crt.sh/?id=42619974 So I guess you haven't added your own domains (such as crt.sh) to the list of "high-value manual review" domains for your own certificate issuance processes? Enjoy Jak

Re: Certificate Concern about Cloudflare's DNS

2016-11-02 Thread Jakob Bohm
On 02/11/2016 17:08, Peter Bowen wrote: On Wed, Nov 2, 2016 at 8:26 AM, Tom Ritter wrote: On 2 November 2016 at 09:44, Jakob Bohm wrote: The only thing that might be a CA / BR issue would be this: There's been (some) mention that even if a user moves off Cloudflare, the CA is not obli

Re: Certificate Concern about Cloudflare's DNS

2016-11-02 Thread Jakob Bohm
llegations are in any way comparable to armed robbery. Only that the CA operational principle in question might be the same. Enjoy Jakob

Re: Remediation Plan for WoSign and StartCom

2016-11-02 Thread Jakob Bohm
eone else mentioned that earlier, Ryan Sleevi of Google explained that their customer announcement didn't rule out reinclusion, they simply didn't say anything. So as far as the official Google announcement goes, there is no (published) minimum return date for Chrome (the second largest

Re: Remediation Plan for WoSign and StartCom

2016-10-22 Thread Jakob Bohm
On 22/10/2016 14:59, Ryan Sleevi wrote: On Saturday, October 22, 2016 at 5:11:29 AM UTC-7, Jakob Bohm wrote: Talking of codesigning, which root store does Chrome use to validate signatures on the PPAPI plug ins it is currently forcing developers to switch to? I've mentioned to you repea

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-10-22 Thread Jakob Bohm
that were not published. Enjoy Jakob

Re: Please avoid S/MIME signatures when posting to this group

2016-10-22 Thread Jakob Bohm
mailing list to them. Enjoy Jakob

Re: Draft Email - Non-Disclosed SubCAs

2016-10-22 Thread Jakob Bohm
as not yet completed. Enjoy Jakob

Re: Mozilla Root Store Elsewhere (Was Re: StartCom & Qihoo Incidents)

2016-10-22 Thread Jakob Bohm
nceptual rather than just a technical level). Each of my examples above are examples of changes that could (and have apparently in the past) lead downstream stores astray without that tidbit of information. Enjoy Jakob

Re: Globalsign accidental intermediate revocation incident

2016-10-22 Thread Jakob Bohm
On 18/10/2016 20:50, douglas.beat...@gmail.com wrote: On Monday, October 17, 2016 at 4:19:34 PM UTC-7, Jakob Bohm wrote: On 16/10/2016 09:59, Adrian R. wrote: Hello, I read in the news (but not here on m.d.s.p) that a few days ago Globalsign revoked one of their intermediary roots and then un

Re: Remediation Plan for WoSign and StartCom

2016-10-22 Thread Jakob Bohm
e does Chrome use to validate signatures on the PPAPI plug ins it is currently forcing developers to switch to? Enjoy Jakob

Re: StartCom & Qihoo Incidents

2016-10-18 Thread Jakob Bohm
On 18/10/2016 14:35, Gervase Markham wrote: On 17/10/16 16:35, Jakob Bohm wrote: In the not so distant past, the Mozilla root program was much more useful due to different behavior: 1. Mozilla managed the root program based on an assumption that relying parties would use the common standard

Re: StartCom & Qihoo Incidents

2016-10-17 Thread Jakob Bohm
On 18/10/2016 01:22, Kurt Roeckx wrote: On Tue, Oct 18, 2016 at 12:39:42AM +0200, Kurt Roeckx wrote: On Tue, Oct 18, 2016 at 12:22:21AM +0200, Jakob Bohm wrote: Over the past few years, this has caused the Mozilla root list to become less and less useful for the rest of the open source world

Re: Globalsign accidental intermediate revocation incident

2016-10-17 Thread Jakob Bohm
ents, and if so, which one. 5. If this was e-mailed to all potentially affected certificate holders, or just dumped in some public forums which certificate holders might not see in time to take necessary action. Enjoy Jakob

Re: StartCom & Qihoo Incidents

2016-10-17 Thread Jakob Bohm
On 18/10/2016 00:39, Kurt Roeckx wrote: On Tue, Oct 18, 2016 at 12:22:21AM +0200, Jakob Bohm wrote: Over the past few years, this has caused the Mozilla root list to become less and less useful for the rest of the open source world, a fact which at least some of the Mozilla-root-list-copying

Re: StartCom & Qihoo Incidents

2016-10-17 Thread Jakob Bohm
st some of the Mozilla-root-list-copying open source projects seem not to be aware of yet. Enjoy Jakob

Re: StartCom & Qihoo Incidents

2016-10-13 Thread Jakob Bohm
Qihoo 360 shareholders. Enjoy Jakob

Re: WoSign: updated report and discussion

2016-10-13 Thread Jakob Bohm
the Qihoo 360 HQ vault, is this the HSM for the StartCOM CA root, and/or the HSM for the Intermediary certificates? Enjoy Jakob

Re: WoSign: updated report and discussion

2016-10-12 Thread Jakob Bohm
to ensure that Richard Wang or his underlings have not used that key in ways not logged in the log files and databases now controlled by the new StartCOM? Enjoy Jakob

Re: WoSign: updated report and discussion

2016-10-07 Thread Jakob Bohm
s. Thus B would lose 15 months of income while keeping up significant operational costs just for the hope of maybe getting readmitted. Enjoy Jakob

Re: Include Symantec-brand Class 1 and Class 2 Root Certs

2016-10-07 Thread Jakob Bohm
f cross-signatures of a CA that might be distrusted, disclosure of e-mail only cross signatures and e-mail only subCAs still need to be disclosed in order to maintain root program integrity. Enjoy Jakob

Re: WoSign: updated report and discussion

2016-10-07 Thread Jakob Bohm
StartCom has not yet decided on a technical separation plan, could one acceptable option for such a plan be to reactivate the old (pre-acquisition) infrastructure and software and take it from there? An answer to that might help StartCom choose an acceptable plan. Enjoy Jakob

Re: SHA-1 exception First Data

2016-10-06 Thread Jakob Bohm
On 06/10/2016 15:58, Gervase Markham wrote: On 06/10/16 12:38, Jakob Bohm wrote: Which is why I have repeatedly suggested that maybe the rules should be changed to promote/demote some of the historic SHA-1 root certs into "SHA-1 forever" roots that can service older devices and brow

Re: SHA-1 exception First Data

2016-10-06 Thread Jakob Bohm
large numbers to end users in the form of phones, PDAs etc. Ideally, there should also be a way for TLS servers (such as web servers) to detect if the TLS client suffers from historic public key limitations such as SHA-1 only, low maximum DH key size etc., thus allowing the TLS server to use str

Re: Deficiencies in the Web PKI and Mozilla's shepherding thereof, exposed by the WoSign affair

2016-10-03 Thread Jakob Bohm
around and worked around -- most recently with Certificate Transparency -- when the actual reason for the problem was simply "end entities cannot do risk management within the current protocols". Enjoy Jakob

WoSign and StartCom situation possible misreporting by Feisty Duck

2016-09-30 Thread Jakob Bohm
his they will immediately distrust all Wosign/StartCOM certificates. Enjoy Jakob

Re: WoSign and StartCom

2016-09-30 Thread Jakob Bohm
On 30/09/2016 13:21, Gervase Markham wrote: On 30/09/16 07:50, Jakob Bohm wrote: SHA-1 certs until the hardware dies. On a trust policy/BR level, the key detail here is that the issuing root cert is a SHA-1 cert itself and would thus be distrusted by SHA-1-distrusting systems anyway. That'

Re: WoSign and StartCom

2016-09-29 Thread Jakob Bohm
s etc.) new SHA-1 certs until the hardware dies. On a trust policy/BR level, the key detail here is that the issuing root cert is a SHA-1 cert itself and would thus be distrusted by SHA-1-distrusting systems anyway. Enjoy Jakob

Re: Time to distrust

2016-09-27 Thread Jakob Bohm
On 27/09/2016 09:31, Kurt Roeckx wrote: On 2016-09-27 01:18, Jakob Bohm wrote: It would perhaps be useful if you could dispute, using Firefox as an example, and considering the real deployment (not the theoretical abstract of ways in which someone 'might' configure about:flags, but

Re: Updating Production Common CA Database

2016-09-26 Thread Jakob Bohm
r files not received with a mime-type, like ftp: and file: URLs) and many other software systems. Enjoy Jakob

Re: Time to distrust

2016-09-26 Thread Jakob Bohm
On 23/09/2016 18:46, Ryan Sleevi wrote: On Friday, September 23, 2016 at 9:15:48 AM UTC-7, Jakob Bohm wrote: they are nowhere as bad as proponents of extreme centralization schemes claim. Citation needed. It would seem that you're not familiar with the somewhat well-accepted industry

Re: Sanctions short of distrust

2016-09-23 Thread Jakob Bohm
On 23/09/2016 17:18, Rob Stradling wrote: On 22/09/16 18:48, Jakob Bohm wrote: While you are at it: 1. How many WoSign/StartCom certificates did you find with domains not on that IANA list? Hi Jakob. I wasn't looking for this sort of thing, because Gerv was only interested in "

Re: Time to distrust

2016-09-23 Thread Jakob Bohm
y. Or the attacker could choose a CA with too long expiry times on their CRLs and OCSP responses. Mechanisms such as OneCRL tend to be horribly incomplete. Just in the past few months there has been repeated mention on this list of revoked certificates that were not on OneCRL, only on the CA CRLs.

Re: Incidents involving the CA WoSign

2016-09-23 Thread Jakob Bohm
only "permitted" algorithms are all broken before replacements become "permitted". Having a specific BR rule banning any curve except 3 curves from a single government project in a single country certainly looks like a very bad idea. Enjoy Jakob

Re: Audit requirements

2016-09-23 Thread Jakob Bohm
ays a fee and passes a full BR audit by Ernst, Young or Deloitte". Enjoy Jakob

Re: Sanctions short of distrust

2016-09-23 Thread Jakob Bohm
On 23/09/2016 12:51, Peter Gutmann wrote: Jakob Bohm writes: While you are at it: 1. How many WoSign/StartCom certificates did you find with domains not on that IANA list? 2. How many WoSign/StartCom certificates did you find for other uses than https://www.example.tld: 2.1

Re: OpenSSL OCSP serious vulnerability

2016-09-22 Thread Jakob Bohm
ihoo 360 for reporting this bug to the OpenSSL team, thus helping to protect us all. Enjoy Jakob

Re: Sanctions short of distrust

2016-09-22 Thread Jakob Bohm
ates for "odd" subdomains such as "extranet.example.com" 2.2 Certificates for e-mail 2.3 Code signing certificates 2.4 Others? Enjoy Jakob

Re: Maybe Mozilla can work with Chinese CAs to urge Chinese government to open up its internet a bit more?

2016-09-19 Thread Jakob Bohm
"forums", and you appear to be using that Google web app, but not everyone does. If the Google web app is blocked in China, then the Chinese participants (I have read messages from at least 2 people from China in the past week here) are presumably not using the Google web app. Enjoy

Re: WoSign Issue L and port 8080

2016-09-19 Thread Jakob Bohm
ere present, not all certificate requests will come from DNSSEC signed domains. After all, if they did, DANE would soon be a substitute for DV certs. Enjoy Jakob

Re: Compromised certificate that the owner didn't wish to revoke (signed by GeoTrust)

2016-09-14 Thread Jakob Bohm
On 14/09/2016 16:11, Kyle Hamilton wrote: On 9/12/2016 20:20, Jakob Bohm wrote: On 13/09/2016 03:03, Kyle Hamilton wrote: I would prefer not to see a securelogin-.arubanetworks.com name, because such makes it look like Aruba Networks is operating the captive portal. If (for

Re: Sanctions short of distrust

2016-09-13 Thread Jakob Bohm
s. Enjoy Jakob

Re: Sanctions short of distrust

2016-09-13 Thread Jakob Bohm
On 13/09/2016 16:47, Ryan Sleevi wrote: On Monday, September 12, 2016 at 8:30:07 PM UTC-7, Jakob Bohm wrote: A variation of this, would be to create (compacted) whitelists for specific old intermediary certs, It sounds like you haven't been following this conversation, but the entire

Re: WoSign Issue L and port 8080

2016-09-13 Thread Jakob Bohm
On 13/09/2016 11:50, Gervase Markham wrote: On 12/09/16 19:02, Jakob Bohm wrote: Wouldn't this fall under the general auditable requirement of being careful in their practices and procedures. Ask an auditor, and they will tell you that "be careful" is not an auditable require

Re: WoSign Issue L and port 8080

2016-09-13 Thread Jakob Bohm
On 13/09/2016 11:50, Gervase Markham wrote: Hi Jakob, On 12/09/16 18:30, Jakob Bohm wrote: Our current evidence seems to be an unfortunate mix of actual issues (such as the github.io certificates), and semi-irrelevant smear, which means we will need to separate the chaff from the wheat before

Re: Sanctions short of distrust

2016-09-12 Thread Jakob Bohm
ure by creating new intermediary certs for which no trust restrictions exist. Enjoy Jakob

Re: Compromised certificate that the owner didn't wish to revoke (signed by GeoTrust)

2016-09-12 Thread Jakob Bohm
ieval environment and compromised private key. -Kyle H On 9/7/2016 00:41, Jakob Bohm wrote: Given the specific name in those certificates, and the place where the private key was seen, I would guess the actual use case is this: ... Just to clarify, I never said that the use was for a "captiv

Re: Certificate Concern about Cloudflare's DNS

2016-09-12 Thread Jakob Bohm
On 13/09/2016 01:28, Ryan Sleevi wrote: On Monday, September 12, 2016 at 3:51:56 PM UTC-7, Jakob Bohm wrote: Note that this is *entirely* outside CA/B and CA inclusion related guidelines, since CloudFlare is (presumably) not a CA and thus not subject to such guidelines. Then isn't it

Re: Certificate Concern about Cloudflare's DNS

2016-09-12 Thread Jakob Bohm
On 12/09/2016 23:48, Ryan Sleevi wrote: On Monday, September 12, 2016 at 2:33:47 PM UTC-7, Jakob Bohm wrote: I find fault in CloudFlare (presuming the story is actually as reported). Why? Apologies, but I fail to see what you believe is "wrong", given how multiple people have poin

Re: Certificate Concern about Cloudflare's DNS

2016-09-12 Thread Jakob Bohm
On 12/09/2016 21:57, Rob Stradling wrote: On 12/09/16 18:57, Jakob Bohm wrote: On 11/09/2016 07:49, Peter Bowen wrote: On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei wrote: So when I delegated the DNS service to Cloudflare, Cloudflare have the privilege to issue the certificate by default? Can

Re: Certificate Concern about Cloudflare's DNS

2016-09-12 Thread Jakob Bohm
f starts to play fast and loose with the identity of the proxied domains, that becomes a security concern in itself, unrelated to CA inclusion policy. Enjoy Jakob

Re: WoSign Issue L and port 8080

2016-09-12 Thread Jakob Bohm
and procedures. For example, I don't think there would be specific BRs covering if they remember to lock the door to the server room. This would be very similar to how financial auditors do some checking if the day to day accounting practices are sound in terms of avoiding fraud. Enjoy

Re: Ambiguous wording or the Mozilla CA security reporting requirement

2016-09-12 Thread Jakob Bohm
On 10/09/2016 14:39, Gervase Markham wrote: On 09/09/16 11:59, Jakob Bohm wrote: Since a major root compromise is generally considered the worst possible security event for a trusted CA, this wording could easily be (mis?)understood not to require reporting of lesser security failures, such as

Re: WoSign Issue L and port 8080

2016-09-12 Thread Jakob Bohm
On 10/09/2016 14:45, Gervase Markham wrote: On 09/09/16 11:53, Jakob Bohm wrote: As I read the Wiki description of WoSign issue L: Arbitrary High port validation, the description notes a case of port 8080 validation as an instance of this. If the BR and or CP/CPS indeed classify port 8080 as a

Ambiguous wording or the Mozilla CA security reporting requirement

2016-09-09 Thread Jakob Bohm
issuing millions (or just hundreds) of certificates without proper validation etc. Am I reading something wrong, or is there an unintended loophole in the Mozilla Policy, as written, in this regard? Enjoy Jakob

WoSign Issue L and port 8080

2016-09-09 Thread Jakob Bohm
, but the relevant formal documents do not, then that would be a separate but related issue, which should get its own letter on the Wiki page. Enjoy Jakob

Re: Incidents involving the CA WoSign

2016-09-08 Thread Jakob Bohm
efore date? If so, that would be cryptographic evidence that the certificates were signed after those SCT entries were generated. Enjoy Jakob

Re: Compromised certificate that the owner didn't wish to revoke (signed by GeoTrust)

2016-09-07 Thread Jakob Bohm
than the identified subject to possess the private key for a publicly-trusted certificate. It does; have you notified GeoTrust using whatever mechanism they make available for such notifications? They are supposed to have one, according to the BRs. I'm not sure posting here would count. Enjoy

Re: Incidents involving the CA WoSign

2016-09-06 Thread Jakob Bohm
's systems don't work. Enjoy Jakob

Re: Sanctions short of distrust

2016-09-06 Thread Jakob Bohm
On 06/09/2016 18:15, Ryan Hurst wrote: On Tuesday, September 6, 2016 at 7:54:14 AM UTC-7, Jakob Bohm wrote: On 06/09/2016 16:43, Martin Rublik wrote: On Tue, Sep 6, 2016 at 2:16 PM, Jakob Bohm wrote: Here is a list of software where I have personally observed bad OCSP stapling support

Re: Sanctions short of distrust

2016-09-06 Thread Jakob Bohm
On 06/09/2016 16:43, Martin Rublik wrote: On Tue, Sep 6, 2016 at 2:16 PM, Jakob Bohm wrote: Here is a list of software where I have personally observed bad OCSP stapling support: IIS for Windows Server 2008 (latest IIS supporting pure 32 bit configurations): No obvious (if any) OCSP

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-06 Thread Jakob Bohm
ed PKI criticism, it is noted that some of the many new CAs found in root stores are governments who (unlike commercial CAs) are the actual authority on the identity of their citizens. Enjoy Jakob

Re: Incidents involving the CA WoSign

2016-09-06 Thread Jakob Bohm
ard way of writing a derisive laughter in response to a bad unfunny joke. Enjoy Jakob

Re: Sanctions short of distrust

2016-09-06 Thread Jakob Bohm
On 06/09/2016 15:37, Kurt Roeckx wrote: On 2016-09-06 14:16, Jakob Bohm wrote: On 06/09/2016 10:25, Kurt Roeckx wrote: If you think there is something we can do in OpenSSL to improve this, please let us know. Here is a list of software where I have personally observed bad OCSP stapling

Re: Sanctions short of distrust

2016-09-06 Thread Jakob Bohm
SL/TLS front end: No OCSP stapling support in the standard version. IIS for Windows Server 2008 (latest IIS supporting pure 32 bit configurations): No obvious (if any) OCSP stapling support. Enjoy Jakob

Re: Sanctions short of distrust

2016-09-05 Thread Jakob Bohm
SCTs in the certs, I thought the plan was to have the problematic CA *not* issue more certs... Indeed, I have found that a number of common web server implementations simply lack the ability to do OCSP stapling at all. Enjoy Jakob

Re: Sanctions short of distrust

2016-09-02 Thread Jakob Bohm
d from the lists because those signed e-mails need to remain checkable at a later time, regardless if the original signer cooperates or tries to repudiate his own signature. Once the last TLS certificate is gone from the list, the expiry period of the .jar files is increased significantly

Re: Reuse of serial numbers by StartCom

2016-09-01 Thread Jakob Bohm
utomated test script that scans issued certificates for the problem and raises an alarm so such certificates would be reissued (with distinct serial numbers) and revoked within a few days of each failure. Enjoy Jakob
