On 13/04/17 17:43, Jeremy Rowley wrote:
> Because the certificate improperly included Symantec's BR-compliance OID. If
> the cert wasn't a BR-covered certificate but included the BR compliance OID,
> then the cert was still mis-issued and should be disclosed.
But that was not the reason they gave
v-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Gervase Markham via dev-security-policy
Sent: Thursday, April 13, 2017 7:49 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Symantec Response B
Symantec's bug opens with the words:
"At the end of 2013, Symantec issued a cert to one of its customers that
did not comply with several provisions of the CA/Browser Forum Baseline
Requirements."[0]
So Symantec, at least, thought that this cert fell under the BRs. If
their case was that it did n
On Behalf Of Ryan Sleevi via dev-security-policy
Sent: Wednesday, April 12, 2017 6:40 AM
To: Kurt Roeckx
Cc: mozilla-dev-security-policy
Subject: Re: Symantec Response B
On Wed, Apr 12, 2017 at 4:24 AM, Kurt Roeckx via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
On Wed, Apr 12, 2017 at 4:24 AM, Kurt Roeckx via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> I don't think 2) applies. It's only their software, that obviously can't
> be updated yet, and so won't enforce such limit. That doesn't prevent the
> rest of us to set such limi
On 2017-04-11 17:54, Ryan Sleevi wrote:
On Tue, Apr 11, 2017 at 11:44 AM, Kurt Roeckx via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
The reply indicated that it was a non-browser application. So I understand
that a browser should never see that certificate.
There's n
On Tue, Apr 11, 2017 at 11:44 AM, Kurt Roeckx via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> The reply indicated that it was a non-browser application. So I understand
> that a browser should never see that certificate.
>
There's no way to objectively quantify or asses
On 2017-04-11 17:20, Ryan Sleevi wrote:
On Tue, Apr 11, 2017 at 6:02 AM, Gervase Markham via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
Hi Ryan,
On 10/04/17 16:38, Ryan Sleevi wrote:
1) You're arguing that "the issuance of this cert didn't impose risk on
anyone but th
On Tue, Apr 11, 2017 at 6:02 AM, Gervase Markham via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Hi Ryan,
>
> On 10/04/17 16:38, Ryan Sleevi wrote:
> > 1) You're arguing that "the issuance of this cert didn't impose risk on
> > anyone but this specific customer"
> > a)
Hi Ryan,
On 10/04/17 16:38, Ryan Sleevi wrote:
> 1) You're arguing that "the issuance of this cert didn't impose risk on
> anyone but this specific customer"
> a) What factors led you to that decision?
Can you lay out for us a scenario where this issuance might impose risk
on someone else?
>
Hi Steve,
Some quick follow-ups:
1) You're arguing that "the issuance of this cert didn't impose risk on
anyone but this specific customer"
a) What factors led you to that decision?
b) What process does Symantec have in place to make such determination?
c) Does such process continue to exi