This is great. Thanks Richard!
For OneCRL and the EE certs, establishing parameters around when an EE is
eligible for inclusion would give guidance to CAs about when to report
revocations. Is the OneCRL intended for when the cert is compromised because
of a breach of the CA? Or can high pr
Hi all,
We in the Mozilla PKI team have been discussing ways to improve revocation
checking in our PKI stack, consolidating a bunch of ideas from earlier work
[1][2] and some maybe-new-ish ideas. I've just pressed "save" on a new wiki
page with our initial plan:
https://wiki.mozilla.org/CA:Re
On 08/01/2014 01:52 AM, Ryan Sleevi wrote:
> On Thu, July 31, 2014 4:31 pm, Ondrej Mikle wrote:
>> This is interesting. I checked TLS 1.2 RFC 5246 whether Finished message
>> should
>> work this way, but I'm not sure. I think you mean that
>> "Hash(handshake_messages)" should detect this, right
On Thu, July 31, 2014 4:31 pm, Ondrej Mikle wrote:
> This is interesting. I checked TLS 1.2 RFC 5246 whether Finished message
> should
> work this way, but I'm not sure. I think you mean that
> "Hash(handshake_messages)" should detect this, right? But it's still just
> hash,
> thus again not
On 07/31/2014 07:37 PM, Kurt Roeckx wrote:
> On Thu, Jul 31, 2014 at 05:15:58PM +0200, Ondrej Mikle wrote:
>> On 07/31/2014 09:54 AM, Kurt Roeckx wrote:
>>> On 2014-07-31 01:29, Ondrej Mikle wrote:
I should probably add that a MitM attacker like an ISP can generally
tamper with
cert
Comodo has applied to include the “COMODO RSA Certification Authority”,
“USERTrust RSA Certification Authority”, and “USERTrust ECC
Certification Authority” root certificates and turn on all three trust
bits and enable EV treatment for the new roots.
Comodo, a private corporation, is a commerc
On 7/25/14, 3:11 PM, Kathleen Wilson wrote:
== Background ==
We have begun removal of 1024-bit roots with the following 2 bugs:
https://bugzilla.mozilla.org/show_bug.cgi?id=936304
-- Remove Entrust.net, GTE CyberTrust, and ValiCert 1024-bit root
certificates from NSS
https://bugzilla.mozilla.o
On Thu, Jul 31, 2014 at 05:15:58PM +0200, Ondrej Mikle wrote:
> On 07/31/2014 09:54 AM, Kurt Roeckx wrote:
> > On 2014-07-31 01:29, Ondrej Mikle wrote:
> >> I should probably add that a MitM attacker like an ISP can generally
> >> tamper with
> >> certificate chains sent in TLS handshake anyway, b
On 7/30/2014 3:14 PM, David E. Ross wrote:
> On 7/30/2014 12:17 PM, Kathleen Wilson wrote:
>> On 7/28/14, 11:00 AM, Brian Smith wrote:
>>> I suggest that, instead of including the cross-signing certificates in
>>> the NSS certificate database, the mozilla::pkix code should be changed
>>> to look up
On 07/31/2014 09:54 AM, Kurt Roeckx wrote:
> On 2014-07-31 01:29, Ondrej Mikle wrote:
>> I should probably add that a MitM attacker like an ISP can generally tamper
>> with
>> certificate chains sent in TLS handshake anyway, but AIA fetching would
>> allow an
>> adversary more hops away on a diff
Hubert Kario wrote:
> Brian Smith wrote:
>> It depends on your definition of "help." I assume the goal is to
>> encourage websites to migrate from 1024-bit signatures to RSA-2048-bit
>> or ECDSA-P-256 signatures. If so, then including the intermediates in
>> NSS so that all NSS-based applications
Hi,
There seems to be some problem with emails getting
through the list, for some participants, on some occasions.
In the recent thread on this list, entitled
"Proposal: Advocate to get Section 9.3.1 (Reserved Certificate Policy
Identifiers) made mandatory"
Gerv pointed out t
- Original Message -
> From: "Kurt Roeckx"
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Sent: Thursday, 31 July, 2014 9:54:45 AM
> Subject: Re: Dynamic Path Resolution in AIA CA Issuers
>
> On 2014-07-31 01:29, Ondrej Mikle wrote:
> > I should probably add that a MitM attacker li
Hello,
There can be a few different view:
a) weakens security, because lazy administrators, who don't install the
intermediate.
At my worplace, we always try to tell IT people install it.
b) strengthens security because the browser fills the gaps with the AIA url,
not the enduser clicks on s
- Original Message -
> From: "Brian Smith"
> To: "Kai Engert"
> Cc: mozilla-dev-security-pol...@lists.mozilla.org
> Sent: Wednesday, 30 July, 2014 11:02:46 PM
> Subject: Re: Removal of 1024 bit CA roots - interoperability
>
> On Mon, Jul 28, 2014 at 12:05 PM, Kai Engert wrote:
> > On Mo
On 2014-07-31 01:29, Ondrej Mikle wrote:
I should probably add that a MitM attacker like an ISP can generally tamper with
certificate chains sent in TLS handshake anyway, but AIA fetching would allow an
adversary more hops away on a different continent to tamper with the connection.
How would a
Hi Matt.
I agree with Jeremy on the version support (thanks Jeremy) in that we will
always need to be in compliance with the latest guidelines. This requires
active participation in the CABForum (We have two members attend regularly
all meetings including the face to face meetings) and many more
17 matches
Mail list logo