On Wed, 28 Aug 2019 11:51:37 -0700 (PDT)
Josef Schneider via dev-security-policy
wrote:
> Not legally probably and this also depends on the jurisdiction. Since
> an EV cert shows the jurisdiction, a user can draw conclusions from
> that.
Yes it is true that crimes are illegal. This has not
On 29/08/2019 10:58, Nick Lamb wrote:
> On Wed, 28 Aug 2019 11:51:37 -0700 (PDT)
> Josef Schneider via dev-security-policy
> wrote:
>
>> Not legally probably and this also depends on the jurisdiction. Since
>> an EV cert shows the jurisdiction, a user can draw conclusions from
>> that.
>
> Yes
On Thu, Aug 29, 2019 at 10:38 AM Ryan Sleevi via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Thu, Aug 29, 2019 at 1:15 PM Jeremy Rowley via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > Thanks for posting this Curt. We investigated and
Yeah - these types of weird continuity requirements are all over the place and
the reason the consolidation has taken this long. A lot of the effort has been
trying to figure out how to replace things tied to old hardware with updated
systems, essentially rebuilding things (like the timestamp
Thanks for posting this Curt. We investigated and posted an incident report on
Bugzilla. The root cause was related to pre-certs and an error in generating
certificates for them. We're fixing the issue (should be done shortly). I
figured it'd be good to document here why pre-certs fall under
On Thu, Aug 29, 2019 at 1:15 PM Jeremy Rowley via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Thanks for posting this Curt. We investigated and posted an incident
> report on Bugzilla. The root cause was related to pre-certs and an error in
> generating certificates for
On Thu, 29 Aug 2019 17:05:43 +0200
Jakob Bohm via dev-security-policy
wrote:
> The example given a few messages above was a different jurisdiction
> than those two easily duped company registries.
I see. Perhaps Vienna, Austria has a truly exemplary registry when it
comes to such things. Do you
This string is about Mozilla’s announced plan to remove the EV UI from Firefox
in October. Over time, this will tend to eliminate confirmed identity
information about websites from the security ecosystem, as EV website owners
may decide it's not worth using an EV certificate if browsers
On Thu, Aug 29, 2019 at 5:18 PM Kirk Hall via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> > In this case, the use of EV certificates, and the presumption of
> > reputation, would lead to actively worse security.
> >
> > Did I misunderstand the scenario?
>
> Don't argue
On Thursday, August 29, 2019 at 3:10:49 PM UTC-7, Ryan Sleevi wrote:
> On Thu, Aug 29, 2019 at 5:18 PM Kirk Hall via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > > In this case, the use of EV certificates, and the presumption of
> > > reputation, would lead to
On Thursday, 29 August 2019 10:59:40 UTC+2, Nick Lamb wrote:
> On Wed, 28 Aug 2019 11:51:37 -0700 (PDT)
> Josef Schneider via dev-security-policy
> wrote:
>
> > Not legally probably and this also depends on the jurisdiction. Since
> > an EV cert shows the jurisdiction, a user can draw
On Thursday, August 29, 2019 at 12:17:22 PM UTC-7, Ryan Sleevi wrote:
> On Thu, Aug 29, 2019 at 2:49 PM Kirk Hall via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > Sure, I’m happy to explain, using Bank of America as an example.
>
>
> Kirk,
>
> Thanks for
On Thursday, August 29, 2019 at 11:49:16 AM UTC-7, Kirk Hall wrote:
> On Thursday, August 29, 2019 at 11:01:27 AM UTC-7, Jonathan Rudenberg wrote:
> > On Thu, Aug 29, 2019, at 13:39, Kirk Hall via dev-security-policy wrote:
> > > This string is about Mozilla’s announced plan to remove the EV UI
Let me try that again since I didn't explain my original post very well.
Totally worth it since I got a sweet Yu-gi-oh reference out of it.
What happened at DigiCert is that the OCSP service failed to return a signed
response for a certificate where a pre-certificate existed by a certificate
Oh, I wasn't arguing that this isn't an issue. The opposite in fact. I was
documenting why it is an issue, i.e., that a CA can't argue this isn't a
compliance concern. It comes up a lot but I don't remember seeing it here.
From: Ryan Sleevi
Sent: Thursday, August 29, 11:38 AM
Subject: Re: DigiCert
On 29/08/2019 19:47, Nick Lamb wrote:
> On Thu, 29 Aug 2019 17:05:43 +0200
> Jakob Bohm via dev-security-policy
> wrote:
>
>> The example given a few messages above was a different jurisdiction
>> than those two easily duped company registries.
>
> I see. Perhaps Vienna, Austria has a truly
On Thu, 29 Aug 2019 13:33:26 -0400
Lee via dev-security-policy
wrote:
> That it isn't my financial institution. Hopefully I'd have the
> presence of mind to save the fraud site cert, but I'd either find the
> business card of the person I've been dealing with there or find an
> old statement,
On Thursday, August 29, 2019 at 11:01:27 AM UTC-7, Jonathan Rudenberg wrote:
> On Thu, Aug 29, 2019, at 13:39, Kirk Hall via dev-security-policy wrote:
> > This string is about Mozilla’s announced plan to remove the EV UI from
> > Firefox in October. Over time, this will tend to eliminate
On Thu, Aug 29, 2019 at 2:49 PM Kirk Hall via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Sure, I’m happy to explain, using Bank of America as an example.
Kirk,
Thanks for providing this example. Could you help me understand how it
helps determine that things are
These so called "extended" validation vetting checks on companies for
extended validation certificates are supposed to provide the consumer
on the website with a high level of assurance that the company has
been properly validated but the fact is that these so called
"extended" validation vetting
On 8/29/2019 11:07 AM, Nick Lamb via dev-security-policy wrote:
...
If you _work_ for such an institution [e.g.,a bank], the best thing
you could do to
protect your customers against Phishing, a very popular attack that
TLS is often expected to mitigate, is offer WebAuthn
You also could
Yes. That was the point of my post. There is a requirement to return an OCSP
response for a pre-cert where the cert hasn't issued because of the Mozilla
policy. Hence our failure was a Mozilla policy violation even if no practical
system can use the response because no actual cert (without a
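The two messages above describe the failure as an OCSP responder that did not return a signed status for a serial number that existed only as a precertificate. The script below is an added example, not code from DigiCert or from anyone in this thread: it builds a throw-away CA and a precertificate (a leaf carrying the critical RFC 6962 poison extension 1.3.6.1.4.1.11129.2.4.3), then uses the openssl CLI as a local OCSP responder backed by an openssl-ca style index file and reads the signed response back as a client. Only the openssl command line (1.1.1 or later) is assumed; the CA name, the hostname example.test and the serial 0x1234 are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): show what an OCSP responder answers
# for a precertificate's serial number in three states of its database.
set -eu

# make_precert DIR SERIAL: create ca.pem/ca.key and precert.pem in DIR.
make_precert() {
    dir=$1
    serial=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=Example Test CA" -days 2 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    # The critical CT poison extension is what makes this a precertificate:
    # no client will accept it as a server cert, but it already carries the
    # serial number the final certificate will have.
    printf '1.3.6.1.4.1.11129.2.4.3=critical,ASN1:NULL\n' > "$dir/precert.cnf"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -set_serial "$serial" -days 1 -extfile "$dir/precert.cnf" \
        -out "$dir/precert.pem" >/dev/null 2>&1
}

# index_row STATUS SERIALHEX: one row of the responder database in openssl-ca
# format: status (V or R), expiry, revocation time (R only), serial in
# upper-case hex, filename, subject, separated by tabs.
index_row() {
    if [ "$1" = R ]; then
        printf 'R\t491231235959Z\t190829120000Z\t%s\tunknown\t/CN=example.test\n' "$2"
    else
        printf 'V\t491231235959Z\t\t%s\tunknown\t/CN=example.test\n' "$2"
    fi
}

# ocsp_status DIR INDEX: let the responder answer for DIR/precert.pem using
# INDEX, then verify the signed response as a client and print the status it
# reports for the precert's serial: good, revoked or unknown.
ocsp_status() {
    dir=$1
    index=$2
    # Responder side: sign a response for the serial in the request.
    openssl ocsp -index "$index" -CA "$dir/ca.pem" \
        -rsigner "$dir/ca.pem" -rkey "$dir/ca.key" -ndays 1 -no_nonce \
        -issuer "$dir/ca.pem" -cert "$dir/precert.pem" -CAfile "$dir/ca.pem" \
        -respout "$dir/resp.der" >/dev/null 2>&1
    # Client side: check the signature against the CA and print the status.
    openssl ocsp -respin "$dir/resp.der" -CAfile "$dir/ca.pem" -no_nonce \
        -issuer "$dir/ca.pem" -cert "$dir/precert.pem" 2>/dev/null \
        | sed -n 's#^.*precert\.pem: ##p'
}

# precert_ocsp_demo: print the status seen for serial 0x1234 when the
# responder (a) has never recorded that serial, (b) records the precert as
# valid although no final certificate exists, which is what the policy
# discussed above requires, and (c) has revoked it.
precert_ocsp_demo() {
    work=$(mktemp -d)
    make_precert "$work" 0x1234
    index_row V ABCD > "$work/other.idx"      # knows some other serial only
    index_row V 1234 > "$work/known.idx"
    index_row R 1234 > "$work/revoked.idx"
    unknown=$(ocsp_status "$work" "$work/other.idx")
    good=$(ocsp_status "$work" "$work/known.idx")
    revoked=$(ocsp_status "$work" "$work/revoked.idx")
    rm -rf "$work"
    echo "$unknown $good $revoked"
}
```

Running `precert_ocsp_demo` prints `unknown good revoked`. The first word is the shape of the problem under discussion: a responder whose database is populated only when the final certificate is issued has nothing to say about a serial that so far exists only as a logged precertificate, even though the precert alone is enough for the serial to be treated as issued.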
On Thu, Aug 29, 2019 at 8:54 PM Kirk Hall via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> What the heck does it mean when sometimes you say you are posting "in a
> personal capacity" and sometimes you don't?
It sounds like you were very prescient in your inability to
On Thu, Aug 29, 2019 at 6:26 PM Kirk Hall via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> > Could you point to the browsing phishing filters and anti-phishing
> > services that do? It might be an opportunity for you to find out how
> > they deal with this, and report
On Thursday, August 29, 2019 at 5:07:03 PM UTC-7, Ryan Sleevi wrote:
> On Thu, Aug 29, 2019 at 6:26 PM Kirk Hall via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > > Could you point to the browsing phishing filters and anti-phishing
> > > services that do? It
On Thursday, August 29, 2019 at 5:28:29 PM UTC-7, Ryan Sleevi wrote:
> On Thu, Aug 29, 2019 at 8:23 PM Kirk Hall via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > On Thursday, August 29, 2019 at 5:07:03 PM UTC-7, Ryan Sleevi wrote:
> > > On Thu, Aug 29, 2019 at 6:26
Also filed at https://bugzilla.mozilla.org/show_bug.cgi?id=1577652
On 2019.08.28 we read Apple’s bug report at
https://bugzilla.mozilla.org/show_bug.cgi?id=1577014 about DigiCert’s OCSP
responder returning incorrect results for a precertificate. This prompted us to
run our own investigation.
On Thu, Aug 29, 2019 at 8:23 PM Kirk Hall via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Thursday, August 29, 2019 at 5:07:03 PM UTC-7, Ryan Sleevi wrote:
> > On Thu, Aug 29, 2019 at 6:26 PM Kirk Hall via dev-security-policy <
> >
On Thu, Aug 29, 2019 at 02:14:10PM -0700, Kirk Hall via dev-security-policy
wrote:
> For EV certificates, the appeal for website owners over the past 10 years
> has been that they get a distinctive EV UI that they believe protects
> their consumers and their brands (again, don't argue with me but
(forking this to a new subject)
On Thu, Aug 29, 2019 at 5:54 PM Kirk Hall via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> What the heck does it mean when sometimes you say you are posting "in a
> personal capacity" and sometimes you don't? To me, it always appears that