On 17/09/2016 16:30, Florian Weimer wrote:
* Nick Lamb:
On Sunday, 11 September 2016 21:05:12 UTC+1, Lee wrote:
does dns hijacking or dns cache poisoning count as mitm?
A careful CA validator does DNS only by making authoritative queries,
so they're not subject to cache poisoning since they
* Nick Lamb:
> On Sunday, 11 September 2016 21:05:12 UTC+1, Lee wrote:
>> does dns hijacking or dns cache poisoning count as mitm?
>
> A careful CA validator does DNS only by making authoritative queries,
> so they're not subject to cache poisoning since they don't look at
> cached answers.
I'm
On 13/09/2016 11:50, Gervase Markham wrote:
On 12/09/16 19:02, Jakob Bohm wrote:
Wouldn't this fall under the general auditable requirement of being
careful in their practices and procedures?
Ask an auditor, and they will tell you that "be careful" is not an
auditable requirement.
I know fr
On 13/09/2016 11:50, Gervase Markham wrote:
Hi Jakob,
On 12/09/16 18:30, Jakob Bohm wrote:
Our current evidence seems to be an unfortunate mix of actual issues
(such as the github.io certificates), and semi-irrelevant smear, which
means we will need to separate the chaff from the wheat before M
On 12/09/16 19:02, Jakob Bohm wrote:
> Wouldn't this fall under the general auditable requirement of being
> careful in their practices and procedures?
Ask an auditor, and they will tell you that "be careful" is not an
auditable requirement.
Gerv
Hi Jakob,
On 12/09/16 18:30, Jakob Bohm wrote:
> Our current evidence seems to be an unfortunate mix of actual issues
> (such as the github.io certificates), and semi-irrelevant smear, which
> means we will need to separate the chaff from the wheat before Mozilla
> has a good basis for any decisio
On 12/09/2016 09:42, Gervase Markham wrote:
On 11/09/16 23:42, Lee wrote:
A careful CA validator does DNS only by making authoritative queries, so
they're not subject to cache poisoning since they don't look at cached
answers.
Would a not careful CA be flagged on their yearly audit?
It only
On 10/09/2016 14:45, Gervase Markham wrote:
On 09/09/16 11:53, Jakob Bohm wrote:
As I read the Wiki description of WoSign issue L: Arbitrary High port
validation, the description notes a case of port 8080 validation as an
instance of this.
If the BR and or CP/CPS indeed classify port 8080 as a
On 11/09/16 23:42, Lee wrote:
>> A careful CA validator does DNS only by making authoritative queries, so
>> they're not subject to cache poisoning since they don't look at cached
>> answers.
>
> Would a not careful CA be flagged on their yearly audit?
It only might, if doing non-authoritative qu
On 9/11/16, Patrick Figel wrote:
> On 11/09/16 22:05, Lee wrote:
>>> In order to spoof a CA's domain validation request, an attacker
>>> would need to be in a position to MitM the connection between the
>>> CA and the targeted domain.
>>
>> does dns hijacking or dns cache poisoning count as mitm?
On Sunday, 11 September 2016 23:42:18 UTC+1, Lee wrote:
> Me personally? Not at all. I'm just asking if they _do_ have DNSSEC
> for their domains is there a way to leverage that to get a cert via an
> encrypted channel or at least do the domain validation via an
> encrypted channel instead of us
On 9/11/16, Nick Lamb wrote:
> On Sunday, 11 September 2016 21:05:12 UTC+1, Lee wrote:
>> does dns hijacking or dns cache poisoning count as mitm?
>
> A careful CA validator does DNS only by making authoritative queries, so
> they're not subject to cache poisoning since they don't look at cached
On 11/09/16 22:05, Lee wrote:
>> In order to spoof a CA's domain validation request, an attacker
>> would need to be in a position to MitM the connection between the
>> CA and the targeted domain.
>
> does dns hijacking or dns cache poisoning count as mitm?
I was mentioning this in order to demon
On Sunday, 11 September 2016 21:05:12 UTC+1, Lee wrote:
> does dns hijacking or dns cache poisoning count as mitm?
A careful CA validator does DNS only by making authoritative queries, so
they're not subject to cache poisoning since they don't look at cached answers.
I think a successful DNS hi
On 9/11/16, Patrick Figel wrote:
> On 10/09/16 22:37, Lee wrote:
>> Right - I figured that out about 30 seconds after reading an email
>> about allowing verification on ports 80 and 443. But you only need
>> to get the initial certificate one time - after that you should be
>> able to renew using
On 10/09/16 22:37, Lee wrote:
> Right - I figured that out about 30 seconds after reading an email
> about allowing verification on ports 80 and 443. But you only need
> to get the initial certificate one time - after that you should be
> able to renew using port 443 and I didn't see anything i
On 9/10/16, Peter Bowen wrote:
> On Sat, Sep 10, 2016 at 9:14 AM, Lee wrote:
>> On 9/10/16, Gervase Markham wrote:
>>> On 09/09/16 11:53, Jakob Bohm wrote:
>>
>> Does Mozilla feel that using 'clear text' protocols to validate
>> domains is adequate security?
>> https://cabforum.org/2016/08/05/ba
On Sat, Sep 10, 2016 at 9:14 AM, Lee wrote:
> On 9/10/16, Gervase Markham wrote:
>> On 09/09/16 11:53, Jakob Bohm wrote:
>
> Does Mozilla feel that using 'clear text' protocols to validate
> domains is adequate security?
> https://cabforum.org/2016/08/05/ballot-169-revised-validation-requirements
On 9/10/16, Gervase Markham wrote:
> On 09/09/16 11:53, Jakob Bohm wrote:
>> As I read the Wiki description of WoSign issue L: Arbitrary High port
>> validation, the description notes a case of port 8080 validation as an
>> instance of this.
>>
>> If the BR and or CP/CPS indeed classify port 8080
On 09/09/16 11:53, Jakob Bohm wrote:
> As I read the Wiki description of WoSign issue L: Arbitrary High port
> validation, the description notes a case of port 8080 validation as an
> instance of this.
>
> If the BR and or CP/CPS indeed classify port 8080 as a valid web port
> for domain control c
As I read the Wiki description of WoSign issue L: Arbitrary High port
validation, the description notes a case of port 8080 validation as an
instance of this.
However, I seem to have seen (cannot find it now) that at least WoSign,
and possibly others, consider port 8080 one of the 3 valid
non-arbi