Re: Mozilla's Expectations for OCSP Incident Reporting

2020-05-15 Thread Lee via dev-security-policy
On 5/15/20, Peter Gutmann via dev-security-policy wrote: > Hanno Böck writes: > >>The impact it had was a monitoring system that checked whether the >>certificate of a host was okay, using gnutls-cli with ocsp enabled (which >>also uncovered a somewhat unexpected inconsistency in how the gnutls

Re: When should honest subscribers expect sudden (24 hours / 120 hours) revocations?

2018-12-29 Thread Lee via dev-security-policy
On 12/29/18, Ryan Sleevi wrote: > On Sat, Dec 29, 2018 at 10:24 AM Lee wrote: > >> > It does not seem like a productive discussion will emerge if the >> > ontology >> > is going to be honest/dishonest participants. >> >> I think it's an excellent distinction. An honest subscriber won't >>

Re: When should honest subscribers expect sudden (24 hours / 120 hours) revocations?

2018-12-29 Thread Lee via dev-security-policy
On 12/29/18, Ryan Sleevi via dev-security-policy wrote: > On Fri, Dec 28, 2018 at 11:21 PM Jakob Bohm via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> > My guess is all CAs have something like >> >https://www.digicert.com/certificate-terms/ >> > 15. Certificate

Re: When should honest subscribers expect sudden (24 hours / 120 hours) revocations?

2018-12-29 Thread Lee via dev-security-policy
On 12/28/18, Jakob Bohm via dev-security-policy wrote: > On 28/12/2018 19:44, Lee wrote: >> On 12/27/18, Jakob Bohm via dev-security-policy >> wrote: >>> Looking at the BRs, specifically BR 4.9.1, the reasons that can lead >>> to fast revocation fall into a few categories / groups: >> <..

Re: When should honest subscribers expect sudden (24 hours / 120 hours) revocations?

2018-12-28 Thread Lee via dev-security-policy
On 12/27/18, Jakob Bohm via dev-security-policy wrote: > Looking at the BRs, specifically BR 4.9.1, the reasons that can lead > to fast revocation fall into a few categories / groups: <.. snip ..> > So absent a bad CA, I wonder where there is a rule that subscribers > should be ready to

Re: Disallowed company name

2018-06-03 Thread Lee via dev-security-policy
On 6/1/18, Ryan Sleevi wrote: > On Fri, Jun 1, 2018 at 9:14 AM, Peter Kurrasch wrote: > >> Security can be viewed as a series of AND's that must be satisfied in >> order to conclude "you are probably secure". For example, when you browse >> to an important website, make sure that "https" is used

Re: Misissued certificates

2017-08-09 Thread Lee via dev-security-policy
What's it going to take for mozilla to set up near real-time monitoring/auditing of certs showing up in ct logs? Lee On 8/9/17, Alex Gaynor via dev-security-policy wrote: > (Whoops, accidentally originally CC'd to m.d.s originally! Original mail > was to

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-09 Thread Lee via dev-security-policy
On 8/9/17, Eric Mill wrote: > On Wed, Aug 9, 2017 at 4:28 PM, Lee wrote: > >> On 8/9/17, Eric Mill via dev-security-policy >> wrote: >> > On Tue, Aug 8, 2017 at 5:53 PM, identrust--- via dev-security-policy < >> >

Re: Certificates issued with HTTPS OCSP responder URL (IdenTrust)

2017-08-09 Thread Lee via dev-security-policy
On 8/9/17, Eric Mill via dev-security-policy wrote: > On Tue, Aug 8, 2017 at 5:53 PM, identrust--- via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> On Tuesday, August 8, 2017 at 12:06:47 PM UTC-4, Jonathan Rudenberg wrote: >> >

Re: Private key corresponding to public key in trusted Cisco certificate embedded in executable

2017-06-20 Thread Lee via dev-security-policy
On 6/20/17, mfisch--- via dev-security-policy wrote: > On Monday, June 19, 2017 at 7:37:23 PM UTC-4, Matt Palmer wrote: >> On Sun, Jun 18, 2017 at 08:17:07AM -0700, troy.fridley--- via >> dev-security-policy wrote: >> > If you should find such an issue again

Re: Policy 2.5 Proposal: Indicate direction of travel with respect to permitted domain validation methods

2017-05-01 Thread Lee via dev-security-policy
On 5/1/17, Ryan Sleevi <r...@sleevi.com> wrote: > On Mon, May 1, 2017 at 1:53 PM, Lee via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> On 5/1/17, Gervase Markham via dev-security-policy >> <dev-security-policy@lists.mozilla.org>

Re: Policy 2.5 Proposal: Indicate direction of travel with respect to permitted domain validation methods

2017-05-01 Thread Lee via dev-security-policy
On 5/1/17, Gervase Markham via dev-security-policy wrote: > The last CA Communication laid down our policy of only permitting the 10 > Blessed Methods of domain validation. A CA Communication is an official > vehicle for Mozilla Policy so this is now policy,