On 10/02/2017 05:42, Ryan Sleevi wrote:
On Thu, Feb 9, 2017 at 3:39 PM, Jakob Bohm via dev-security-policy
> wrote:
Additional issue #2: The information at https://pki.goog/ about how to
report
On Thu, Feb 9, 2017 at 9:56 PM, Richard Wang via dev-security-policy
wrote:
> I can't see this sentence
> " I highlight this because we (the community) see the occasional remark like
> this; most commonly, it's directed at organizations in particular
I think Mozilla should have a very clear policy for:
(1) If a company that is not a public trusted CA acquired a trusted root key,
what must the company do?
(2) If a company is a public trusted CA that acquired a trusted root key, what
must the company do?
(3) If a company is a public trusted CA,
I can't see this sentence
" I highlight this because we (the community) see the occasional remark like
this; most commonly, it's directed at organizations in particular countries, on
the basis that we shouldn't trust "them" because they're in one of "those
countries". However, the Mozilla
On Thu, Feb 9, 2017 at 7:41 AM, Gervase Markham via
dev-security-policy wrote:
> On 09/02/17 14:32, Gijs Kruitbosch wrote:
>> Would Mozilla's root program consider changing this requirement so that
>> it *does* require public disclosure, or are there
On Thu, Feb 9, 2017 at 3:39 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> Additional issue #2: The information at https://pki.goog/ about how to
> report misissuance directs visitors to a generic reporting page for
> code vulnerabilities, which (by
On 09/02/2017 20:55, Ryan Hurst wrote:
Peter,
Thank you very much for your, as always, thorough review.
Let me start by saying I agree there is an opportunity for improving the
policies around how key transfers such as your recent transfer and Google's are
handled.
It is my hope we can,
On Friday, February 3, 2017 at 6:36:54 AM UTC+8, Kathleen Wilson wrote:
> On Tuesday, December 13, 2016 at 2:36:15 PM UTC-8, Kathleen Wilson wrote:
> > Thanks to all of you who have reviewed and commented on this request from
> > Government of Taiwan, Government Root Certification Authority (GRCA), to
> > include
On Thursday, 9 February 2017 03:08:14 UTC, Ryan Sleevi wrote:
> 19) Can you confirm that Certsuperior, Certisign, CrossCert, and Certisur
> are the only Delegated Third Parties utilized by Symantec, across all
> Symantec operated CAs that are trusted by Mozilla products?
Maybe Ryan has better
Ryan,
Thank you for the quick reply. My comments and questions are inline.
On Thu, Feb 9, 2017 at 11:55 AM, Ryan Hurst via dev-security-policy
wrote:
> Peter,
>
> Thank you very much for your, as always, thorough review.
>
> Let me start by saying I agree
On 09/02/2017 18:20, Jakob Bohm wrote:
On 09/02/2017 10:59, Gervase Markham wrote:
On 08/02/17 11:25, Jakob Bohm wrote:
My logic is that adding additional entropy to a serial number whose
length is fully controlled by CA procedures can increase the
mitigations against SHA-1 weaknesses. For
Thank you for the link, Gerv. That was a very interesting watch. Curious
correlation [post video] between Ernst and Young re:Wosign and Ernst and
Young re: CrossCert (although I assume this CrossCert relationship was only
forthcoming after your talk).
And the gent around the 38
Peter,
Thank you very much for your, as always, thorough review.
Let me start by saying I agree there is an opportunity for improving the
policies around how key transfers such as your recent transfer and Google's are
handled.
It is my hope we can, through our respective recent experiences
Peter,
Thank you very much for your, as always, thorough review.
Let me start by saying I agree there is an opportunity for improving the
policies around how key transfers such as your recent transfer and Google's
are handled.
It is my hope we can, through our respective recent experiences
On 09/02/2017 10:59, Gervase Markham wrote:
On 08/02/17 11:25, Jakob Bohm wrote:
My logic is that adding additional entropy to a serial number whose
length is fully controlled by CA procedures can increase the
mitigations against SHA-1 weaknesses. For example if the existing CA
setup uses all
On 09/02/17 14:32, Gijs Kruitbosch wrote:
> Would Mozilla's root program consider changing this requirement so that
> it *does* require public disclosure, or are there convincing reasons not
> to? At first glance, it seems like 'guiding' CAs towards additional
> transparency in the CA