On Thu, May 26, 2016 at 1:58 PM, Phillip Hallam-Baker
wrote:
> What has encryption got to do with it?
The "bad" raised was unrelated to certificates, publicly trusted or
otherwise. As Nick also pointed out, a number of the "bad" is just as
accomplish through other means
You are right to point out that many of those scenarios could be accomplished
with a self-signed cert or indeed no cert at all. The decision to use a good
cert or the likelihood of a good cert being used in any given scenario is not
necessarily that important. What matters is that once we find
> On Thu, May 26, 2016 at 6:17 PM, Kathleen Wilson
> wrote:
>
>> Hi All,
>>
>> I have been asked if it is OK to post job listings in
>> mozilla.dev.security.policy. Surprisingly, I don't recall ever being asked
>> that question before, and I am not aware of a written policy
I could tolerate a policy like that, and it's always possible to revisit it
if it turns out to be abused, or causes people to unsubscribe (which I
would recommend Mozilla watching, especially right after postings go out).
One suggested change:
> * The Subject of the posting begins with "Job: "
Hi All,
I have been asked if it is OK to post job listings in
mozilla.dev.security.policy. Surprisingly, I don't recall ever being asked that
question before, and I am not aware of a written policy about the content of
postings to mozilla.dev.security.policy.
So, here is a proposal:
~~
Jobs
On Thu, May 26, 2016 at 7:40 AM, Peter Kurrasch wrote:
> My suggestion is to frame the issue as: What is reasonable to expect of a
> CA if somebody sees bad stuff going on? How should CA's be notified? What
> sort of a response is warranted and in what timeframe? What
It strikes me that some people might not have a good idea how people use certs to do bad things. As the token bad guy in this forum I'll take it upon myself to share some examples of how I might use a perfectly good cert in a "bad" way:
* Create a phishing site to harvest login credentials from
On Thursday 26 May 2016 05:13:43 Peter Gutmann wrote:
> Richard Z writes:
> >If any criminal can easily get EV certificates what is the point of
> >https?
> The point of HTTPS is twofold:
>
> 1. Convince users that the Internet is safe to do business on
> (financial
On Wed, May 25, 2016 at 6:50 AM, wrote:
> If I understand you correctly, you are saying that CAs should not be doing
> any "internet policing" or "content policing" when they receive credible
> reports their certs are being used by phishers, malware providers, etc. --
>