On 28/10/16 16:11, Patrick Figel wrote:
> #7
> Some non-TLS-Server-Auth SHA-1 certificates chaining up to "Certum CA"
> (Asseco Data Systems S.A.). Most appear to be S/MIME or TLS client auth
> certificates, but I don't think the intermediates have any relevant
> technical constraints. I'm not
On 28/10/16 16:11, Patrick Figel wrote:
> I found a number of SHA-1 certificates chaining up to CAs trusted by
> Mozilla that have not been brought up on this list or on Bugzilla yet.
> Apologies in case I missed prior discussion for any of these, and kudos
> to censys for making this search
> On Oct 29, 2016, at 2:23 PM, Han Yuwei wrote:
>
> 在 2016年10月28日星期五 UTC+8下午9:23:01,wangs...@gmail.com写道:
>> We are not intended to cover-up anything since we had disclosed every change
>> to the Chinese version CP/CPS at once after the auditor reviewed.
>> The
在 2016年10月28日星期五 UTC+8下午9:23:01,wangs...@gmail.com写道:
> We are not intended to cover-up anything since we had disclosed every change
> to the Chinese version CP/CPS at once after the auditor reviewed.
> The “ROOTCA(SM2)” CA in $1.1.3 of CPS ver4.3 is equivalent to the “SM2 ROOT
> Certificate” CA
On Sat, Oct 29, 2016 at 2:29 PM, Percy wrote:
> So 400 million Chinese users[1] are left vulnerable to MITM by even a casual
> attacker and we cannot do anything about it!?
As stated previously, it is not for one browser to tell another how to
behave and the CA/Browser
Gerv,
I believe I found the new updated report still has intentional deception.
Issue P: Use of SM2 Algorithm (Nov 2015) WoSign stated that it's only used for
testing purposes.
However, on the official website (https://www.wosign.com/about/Why_WoSign.htm)
WoSign stated that
So 400 million Chinese users[1] are left vulnerable to MITM by even a casual
attacker and we cannot do anything about it!?
[1]: http://se.360.cn/
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
Perhaps not. However, Qihoo 360's behavior calls the trustworthiness of the
entire company into question. And such trust, in my view, should be
evaluated when WoSign/StartCom submit their re-inclusion requests in the
future.
Percy Alpha(PGP
On Sat, Oct 29, 2016 at 02:59:07PM -0700, Percy wrote:
> Perhaps not. However, Qihoo 360's behavior calls the trustworthiness of the
> entire company into question. And such trust, in my view, should be
> evaluated when WoSign/StartCom submit their re-inclusion requests in the
> future.
You can
On Saturday, October 29, 2016 at 5:54:10 PM UTC-7, Matt Palmer wrote:
> On Sat, Oct 29, 2016 at 02:59:07PM -0700, Percy wrote:
> > Perhaps not. However, Qihoo 360's behavior calls the trustworthiness of the
> > entire company into question. And such trust, in my view, should be
> > evaluated when
On 27/10/16 23:43, Han Yuwei wrote:
> Since Mozilla's working language is English (Not sure about this),
That is true.
> it's your responsibility to provide an accurate translation of CPS.
That is also true. However, we don't require that the English version be
the master copy.
Gerv
11 matches
Mail list logo