Re: New wiki page on certificate revocation plans

2014-08-05 Thread Gervase Markham
On 04/08/14 18:16, Erwann Abalea wrote: I imagine you have access to more detailed information (OCSP URL, date/time, user location, ...), could some of it be open? Not necessarily; I suspect this data was gathered using Firefox Telemetry, where we try very hard to avoid violating a user's

Re: Removal of 1024 bit CA roots - interoperability

2014-08-05 Thread Rob Stradling
On 05/08/14 09:34, Rob Stradling wrote: Kathleen, to work around the classic NSS path building behaviour you observed yesterday, we will issue another cross-certificate to USERTrust Legacy Secure Server CA, with a newer notBefore date, from our AddTrust External CA Root built-in root. Then, you

Re: Removal of 1024 bit CA roots - interoperability

2014-08-05 Thread Hubert Kario
- Original Message - From: Kurt Roeckx k...@roeckx.be To: Hubert Kario hka...@redhat.com Cc: Kathleen Wilson kwil...@mozilla.com, mozilla-dev-security-pol...@lists.mozilla.org Sent: Tuesday, August 5, 2014 12:44:13 AM Subject: Re: Removal of 1024 bit CA roots - interoperability

Re: Removal of 1024 bit CA roots - interoperability

2014-08-05 Thread Kurt Roeckx
On 2014-08-05 14:22, Hubert Kario wrote: 0.05% of sites doesn't mean 0.05% of users, especially if we look at local, not global, user share. Some of them are high profile sites, e.g.: volkswagen.at, dell.com, cadillaceurope.com, www.portaldasfinancas.gov.pt It's not because they have an https

Re: New wiki page on certificate revocation plans

2014-08-05 Thread Peter Bowen
On Tue, Aug 5, 2014 at 2:02 AM, Gervase Markham g...@mozilla.org wrote: On 04/08/14 18:16, Erwann Abalea wrote: OCSP is painful and costly to optimize, x509labs shows great availability and good performance for most CA/location combination, but this is in contradiction with real user

RE: New wiki page on certificate revocation plans

2014-08-05 Thread Jeremy Rowley
I think most CAs use CDNs to help serve OCSP responses quite fast and reliably. A breakdown of failure rates based on certificate provider could provide insight on what's going on. Is gathering this information too close to violating a user's privacy for Mozilla? Any chance of peering into

Re: CFCA Root Inclusion Request

2014-08-05 Thread Kathleen Wilson
On 7/29/14, 2:00 PM, Kathleen Wilson wrote: All, Thank you to those of you who have reviewed and commented on this inclusion request from CFCA. I will appreciate your opinions in response to my questions below regarding how to move forward with this request. Note that the “CFCA GT CA” root was

Re: CFCA Root Inclusion Request

2014-08-05 Thread Ryan Sleevi
On Tue, August 5, 2014 10:26 am, Kathleen Wilson wrote: On 7/29/14, 2:00 PM, Kathleen Wilson wrote: All, Thank you to those of you who have reviewed and commented on this inclusion request from CFCA. I will appreciate your opinions in response to my questions below regarding how to

Re: Regarding Mozilla auditors chosen standards

2014-08-05 Thread fhw843
Hi Wallas, Setting aside Ryan's petulance, if I may, I think the simple answer to all your questions can be stated thusly: no one is in charge and we depend on people doing the right things. Mostly I think that works out OK but there's just no escaping that much of the PKI system relies on nothing

Re: CFCA Root Inclusion Request

2014-08-05 Thread fhw843
I agree with Ryan: new audit by new auditor. Since PWC did a mediocre job last time why would we expect a different result this time?   Original Message   From: Ryan Sleevi Sent: Tuesday, August 5, 2014 5:41 PM To: Kathleen Wilson Reply To: ryan-mozdevsecpol...@sleevi.com Cc: