Kurt Roeckx wrote:
> Since the previous audit wasn't one that covered a whole year, I
> expect the new audit to start where the previous one stopped and
> have it a year from that point.
this might be more of a question for cabforum but why do audits have to be
non-overlapping?
i would think
On Tue, 18 Oct 2016 15:49:26 -0700
Gervase Markham wrote:
> On 18/10/16 15:42, Ryan Hurst wrote:
> > I do not understand the desire to require StartCom / WoSign to not
> > utilize their own logs as part of the associated quorum policy.
>
> My original logic was that it could
On 18/10/16 23:49, Gervase Markham wrote:
> On 18/10/16 15:42, Ryan Hurst wrote:
>> I do not understand the desire to require StartCom / WoSign to not
>> utilize their own logs as part of the associated quorum policy.
>
> My original logic was that it could be seen that the log owner is
>
On 18/10/16 16:04, Han Yuwei wrote:
> For the CT support, is there any plan to implement it into effect in
> Firefox? And if implemented, what would happen if server's
> certificate don't have enough SCTs?
The mechanism is being implemented. When it's closer to being
implemented, there will be a
On Wednesday, October 19, 2016 at 6:42:18 AM UTC+8, Ryan Hurst wrote:
> All,
>
> I do not understand the desire to require StartCom / WoSign to not utilize
> their own logs as part of the associated quorum policy.
>
> Certificate Transparency's idempotency is for not dependent on the practices
> of the operator. By
On 18/10/16 15:42, Ryan Hurst wrote:
> I do not understand the desire to require StartCom / WoSign to not
> utilize their own logs as part of the associated quorum policy.
My original logic was that it could be seen that the log owner is
trustworthy. However, you are right that CT does not
On 18/10/16 14:33, Ryan Sleevi wrote:
> I think there's some confusion there. CNNIC's audits "expire" on Feb
> "29" 2017 (I say "29" because of ambiguity on "1 year"). That is,
> within 3 months of Feb "29", 2017, CNNIC would be expected to provide
> a new audit, which covers February 29, 2016
Just a reminder: people participating here more than occasionally are
encouraged to add themselves to:
https://wiki.mozilla.org/CA:Policy_Participants
Gerv
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
All,
I do not understand the desire to require StartCom / WoSign to not utilize
their own logs as part of the associated quorum policy.
Certificate Transparency's idempotency is for not dependent on the practices of
the operator. By requiring the use of a third-party log (in this case
On Tue, Oct 18, 2016 at 01:35:59PM -0700, Gervase Markham wrote:
> On 18/10/16 12:46, Kurt Roeckx wrote:
> > Are you saying you're expecting an audit report from November 2015
> > to November 2016, and so have the period from November to March
> > covered twice?
>
> There seems to be a persistent
On Tue, Oct 18, 2016 at 2:33 PM, Ryan Sleevi wrote:
>
> I think there's some confusion there. CNNIC's audits "expire" on Feb "29"
> 2017 (I say "29" because of ambiguity on "1 year"). That is, within 3 months
> of Feb "29", 2017, CNNIC would be expected to provide a new audit,
On Tuesday, October 18, 2016 at 1:36:37 PM UTC-7, Gervase Markham wrote:
> On 18/10/16 12:46, Kurt Roeckx wrote:
> > Are you saying you're expecting an audit report from November 2015
> > to November 2016, and so have the period from November to March
> > covered twice?
>
> There seems to be a
On 18/10/16 12:46, Kurt Roeckx wrote:
> Are you saying you're expecting an audit report from November 2015
> to November 2016, and so have the period from November to March
> covered twice?
There seems to be a persistent misunderstanding here.
https://cert.webtrust.org/SealFile?seal=2092=pdf
On Tue, Oct 18, 2016 at 10:02:00AM -0700, Gervase Markham wrote:
> On 18/10/16 09:03, Kurt Roeckx wrote:
> > You said the period was until February 29, 2016. I assume the next
> > period starts on March 1, 2016 and is for 1 year. I don't expect it to
> > from from March to November, it would be an
On 18/10/16 19:15, Ryan Sleevi wrote:
> On Tuesday, October 18, 2016 at 10:52:19 AM UTC-7, Rob Stradling wrote:
>> AIUI, it's permissible to "un-revoke" any certificate via OCSP, but it's
>> only permissible to "un-revoke" a certificate via CRL if it was revoked
>> with the reason code
On Tuesday, October 18, 2016 at 11:42:17 AM UTC-7, Eric Mill wrote:
> I guess there's actually an RFC for something like this?
> https://tools.ietf.org/html/rfc5914 But I haven't looked at it in depth to
> see whether it's a good solution for this problem. I also don't think it
> requires an RFC
On Monday, October 17, 2016 at 4:19:34 PM UTC-7, Jakob Bohm wrote:
> On 16/10/2016 09:59, Adrian R. wrote:
> > Hello
> >
> > i read in the news (but not here on m.d.s.p) that a few days ago Globalsign
> > revoked one of their intermediary roots and then un-revoked it (well, the
> > revocation is
The first thing that comes to mind is to define an intermediate
representation of per-root constraints, that Mozilla can distribute
alongside certdata.txt.
The simplest piece would be name constraints, but incorporating things like
CT constraints and date-based constraints would clearly be
Hi Hanno. The questions that you and others have posted are entirely
reasonable. Sorry for the delay. Robin intends to post a reply this week.
On 15/10/16 16:56, Hanno Böck wrote:
> Hello,
>
> I think I have asked two reasonable questions here.
> Can we get an answer?
>
> On Tue, 4 Oct 2016
On Tuesday, October 18, 2016 at 10:52:19 AM UTC-7, Rob Stradling wrote:
> AIUI, it's permissible to "un-revoke" any certificate via OCSP, but it's
> only permissible to "un-revoke" a certificate via CRL if it was revoked
> with the reason code certificateHold.
Which "permissible" are we talking
Tom,
On the topic of tooling I have a console tool, and library, that can be used to
parse and filter various certificate stores, you can find it here:
https://github.com/PeculiarVentures/tl-create
Ryan
On 18 October 2016 at 08:00, Jakob Bohm wrote:
> On 18/10/2016 14:35, Gervase Markham wrote:
>>
>> On 17/10/16 16:35, Jakob Bohm wrote:
>>>
>>> In the not so distant past, the Mozilla root program was much more
>>> useful due to different behavior:
>>>
>>> 1. Mozilla
On 17/10/16 15:36, Gervase Markham wrote:
> On 16/10/16 08:59, Adrian R. wrote:
>> is this revival/un-revocation of an intermediary CA allowed by the
>> BRs?
>
> I agree that the wording is a little loose but I think the intended
> purpose of the clause in question was as Peter interprets it -
On 18/10/16 06:02, Peter Bowen wrote:
> I think making it clear which entries in certdata.txt have additional
> constraints would be very helpful.
Here's a start:
https://wiki.mozilla.org/CA:Root_Store_Trust_Mods
I believe the ANSSI root has now been removed and so CNNIC is the only
one
Measure with a micrometer, mark with chalk and cut with an axe... it's the best
you can do.
Hi Peter,
On 18/10/16 06:02, Peter Bowen wrote:
> I think making it clear which entries in certdata.txt have additional
> constraints would be very helpful. Is it maybe possible to do so by
> adding new attributes to the NSS_TRUST object instead of simply
> putting it on a webpage? That way it
On 18/10/16 09:03, Kurt Roeckx wrote:
> You said the period was until February 29, 2016. I assume the next
> period starts on March 1, 2016 and is for 1 year. I don't expect it to
> from from March to November, it would be an 8 month period.
Surely if audits last one year, one would be auditing
On 2016-10-18 17:26, Gervase Markham wrote:
On 18/10/16 07:17, Kurt Roeckx wrote:
On 2016-10-18 14:51, Gervase Markham wrote:
The audit report CNNIC has submitted covers the period from November 2,
2015 to February 29, 2016. Therefore, we would expect them to be
starting the process of
On Tuesday, October 18, 2016 at 10:38:07 PM UTC+8, Inigo Barreira wrote:
> Hi all,
>
>
> I've been reading some emails that need clarification from both sides.
>
> Firstly I'd like to remind, if I'm not wrong, that Kathleen proposed an
> action plan for distrusting StartCom, which has been taken as the final
>
Hi Inigo,
On 18/10/16 07:34, Inigo Barreira wrote:
> So, regarding the situation of StartCom I think that some people has
> lost what happened and it's considering Wosign and Startcom the same.
Kathleen may also respond, but my understanding is that (based on her
consideration of the arguments
On 18/10/16 07:17, Kurt Roeckx wrote:
> On 2016-10-18 14:51, Gervase Markham wrote:
>>
>> The audit report CNNIC has submitted covers the period from November 2,
>> 2015 to February 29, 2016. Therefore, we would expect them to be
>> starting the process of getting another yearly audit in about 2
On 18/10/16 06:00, Jakob Bohm wrote:
> Non-https TLS is not (and should not be) a separate trust bit from
> https, but sometimes the logic applicable to trust policies, BRs etc.
> will be slightly different if one doesn't ignore non-https use of TLS.
> I have encountered arguments and policies
Hi all,
I've been reading some emails that need clarification from both sides.
Firstly I'd like to remind, if I'm not wrong, that Kathleen proposed an
action plan for distrusting StartCom, which has been taken as the final
decision, but with a small option to regain the trust for StartCom
On 2016-10-18 14:51, Gervase Markham wrote:
The audit report CNNIC has submitted covers the period from November 2,
2015 to February 29, 2016. Therefore, we would expect them to be
starting the process of getting another yearly audit in about 2 weeks
anyway, although it won't be done until next
Ryan, can you tell us something about Google's plans concerning WoSign and
StartCom?
cheers
Mathias
On Sun, 2016-10-16 at 11:55 -0700, Ryan Sleevi wrote:
> On Saturday, October 15, 2016 at 3:18:22 PM UTC-7, Eric Mill wrote:
> >
> > On Sat, Oct 15, 2016 at 4:31 AM, Peter Gutmann
On 18/10/2016 14:35, Gervase Markham wrote:
On 17/10/16 16:35, Jakob Bohm wrote:
In the not so distant past, the Mozilla root program was much more
useful due to different behavior:
1. Mozilla managed the root program based on an assumption that relying
parties would use the common standard
On 17/10/16 16:26, Kathleen Wilson wrote:
> ones who use NSS validation. I’m not sure what we can do about other
> consumers of the NSS root store, other than publish what we are doing
> and hope those folks read the news and update their version of their
> root store as they see appropriate for
Hi Ryan,
Kathleen has responded, but here are my two cents:
On 14/10/16 13:21, Ryan Sleevi wrote:
> It seems to accomplish this, you're willing to continue to trust that
> WoSign will not demonstrate any of the past behaviours it already
> demonstrated - such as backdating and misissuance, but
On Tuesday, 18 October 2016 00:27:09 UTC+1, Kathleen Wilson wrote:
> I’m not sure what I could reasonably require (and enforce) of the CA in
> regards to communicating with their customers.
As I understand it QiHoo 360 says they intend to co-operate in order to
eventually get the new StartCom
39 matches