On Mon, Apr 13, 2015 at 8:19 PM, Matt Palmer wrote:
> To my mind, if a CA isn't trustworthy enough to be trusted to issue
> certificates for every site on the Internet, they shouldn't be trusted to
> issue certificates for *any* site on the Internet. In the case of the
> proposed name constraint
On Mon, Apr 13, 2015 at 06:15:52PM -0500, Peter Kurrasch wrote:
> Let's use an example. Suppose CNNIC issues a cert for whitehouse[dot]gov
> and let's further suppose that CNNIC includes this cert in the CT data
> since they have agreed to do that. What happens next?
>
> Where I'm going with thi
Let's use an example. Suppose CNNIC issues a cert for whitehouse[dot]gov and
let's further suppose that CNNIC includes this cert in the CT data since they
have agreed to do that. What happens next?
Where I'm going with this is that I'm trying to figure out if agreeing to
support CT is a hollow
Kathleen Wilson wrote:
> ACTION #4
> Workarounds were implemented to allow mozilla::pkix to handle the things
> listed here:
> https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix
Hi Kathleen,
Thanks for including this in the CA communication.
That list of workarou
On 11/04/15 01:05, Brian Smith wrote:
> If a US-based CA were in a similar situation, would we consider name
> constraining them to *.com, *.org, *.net, *.us?
If it were a US government CA, we could certainly constrain to .gov and
.mil.
> No, because that's not
> much of a constraint. For people
On 09/04/15 21:12, yuhongbao_...@hotmail.com wrote:
> What about Mozilla's own aus3.mozilla.org certificate for which the SHA-1
> intermediate was pinned?
I'm afraid I don't understand the question, or how it relates to the CA
Communication. Can you clarify?
Gerv
Dear all,
I've informed the Deutsche Post team this morning to replace the certificate
(as I was on vacation last week and wanted to double check the issue prior
to sending). It's a shame that the CN field within the Microsoft Active
Directory Certificate Services (MSADCS) product allows a space,
Ryan Sleevi schrieb:
> On Fri, April 10, 2015 7:49 am, Jürgen Brauckmann wrote:
>> Is this just a survey, or does the question imply a new Mozilla policy
>> which requires CAs to actively force their customers to stop using old,
>> non-expired SHA-1 certificates?
>>
>> The latter would be quit
8 matches