Re: Time to distrust

Gijs Kruitbosch writes: >(Some) People who "do" Firefox UI read this group. If you have concrete/ >constructive suggestions, please file bugs or write to more topical mailing >lists - especially if you think there are things we should do "frontend"- >wise to improve

Re: Time to distrust

(With apologies for the off-topic drift) On 27/09/2016 12:49, Peter Gutmann wrote: Jakob Bohm writes: This tells me that Firefox OCSP defaults are *insecure* and reaffirms my impression that Firefox has completely dropped the ball on CRL handling (Since the security-on

Re: Time to distrust

Jakob Bohm writes: >This tells me that Firefox OCSP defaults are *insecure* and reaffirms my >impression that Firefox has completely dropped the ball on CRL handling >(Since the security-on setting is for OCSP only). No, it tells me that the Firefox developers applied

Re: Time to distrust

On 27/09/2016 09:31, Kurt Roeckx wrote: On 2016-09-27 01:18, Jakob Bohm wrote: It would perhaps be useful if you could dispute, using Firefox as an example, and considering the real deployment (not the theorhetical abstract of ways in which someone 'might' configure about:flags, but no one can

Re: Time to distrust

On 2016-09-27 01:18, Jakob Bohm wrote: It would perhaps be useful if you could dispute, using Firefox as an example, and considering the real deployment (not the theorhetical abstract of ways in which someone 'might' configure about:flags, but no one can and still have the same experience), the

Re: Time to distrust

On 23/09/2016 18:46, Ryan Sleevi wrote: On Friday, September 23, 2016 at 9:15:48 AM UTC-7, Jakob Bohm wrote: they are nowhere as bad as proponents of extreme centralization schemes claim. Citation needed. It would seem that you're not familiar with the somewhat well-accepted industry state

Re: Time to distrust

and what that might look like--beyond the obvious impact it has to current cert holders.   Original Message   From: Ryan Sleevi Sent: Friday, September 23, 2016 10:27 AM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Time to distrust On Friday, September 23, 2016 at 6:03:01 AM UTC-7

Re: Time to distrust

On 23/09/16 17:15, Jakob Bohm wrote: > Mechanisms such as OneCRL tend to be horribly incomplete. Just in the > past few months there has been repeated mention on this list of revoked > certificates that were not on OneCRL, only on the CA CRLs. OneCRL is not intended to be a comprehensive list of

Re: Time to distrust

On Friday, September 23, 2016 at 9:15:48 AM UTC-7, Jakob Bohm wrote: >they are nowhere as bad as proponents of > extreme centralization schemes claim. Citation needed. It would seem that you're not familiar with the somewhat well-accepted industry state of the art. It would perhaps be useful if

Re: Time to distrust

On 23/09/2016 17:27, Ryan Sleevi wrote: On Friday, September 23, 2016 at 6:03:01 AM UTC-7, Peter Kurrasch wrote: * Revocation: If a particular cert has been revoked for any reason, I should be able to find that out so that I will know not to use it. Ideally this is handled automatically in

Re: Time to distrust

On 22/09/16 03:00, Peter Kurrasch wrote: > Well, well. Here we are again, Ryan, with you launching into a bullying, > personal attack on me instead of seeking to understand where I'm coming > from and why I say the things I say. Er, no. I am entirely comfortable with saying that if you found

Re: Time to distrust (was: Sanctions short of distrust)

Well, well. Here we are again, Ryan, with you launching into a bullying, personal attack on me instead of seeking to understand where I'm coming from and why I say the things I say. You may have noticed that I do

Re: Time to distrust (was: Sanctions short of distrust)

On Wednesday, September 21, 2016 at 12:05:49 PM UTC-7, Peter Kurrasch wrote: > I have a hard time seeing how any sort of white list solution will actually > mitigate any of the bad behavior exhibited by WoSign. This doesn't help understand where your disconnect is, or how we might educate and

Time to distrust (was: Sanctions short of distrust)

I have a hard time seeing how any sort of white list solution will actually mitigate any of the bad behavior exhibited by WoSign. From my perspective, I think we can make a pretty clear case that WoSign is a