In general, I'm in strong agreement with this change, for all the reasons
described. One nit to pick with the proposed draft text:
On Tue, Jan 24, 2017 at 03:02:45PM +, Gervase Markham wrote:
> So the draft text might be something like:
>
> "CAs must provide English versions of all
On Mon, Jan 23, 2017 at 04:01:58PM -0800, Peter Bowen wrote:
> On Mon, Jan 23, 2017 at 3:32 PM, Kathleen Wilson wrote:
> > Does section 7.1.4.2 of the CA/Browser Forum's Baseline Requirements only
> > apply to end-entity certificates?
> >
> > If yes, where does it specify
Why not just make the changes at the CAB Forum? That's the purpose of the
CAB Forum afterall - to discuss these policies. Seems like it would be
better to add restrictions there first before creating a separate policy.
-Original Message-
From: dev-security-policy
I disagree. If the CA has requested removal of the root and added it to
OneCRL, then I don't see how there is an obligation to continue operating
the root under the Mozilla policy. If the browser doesn't update the root
store/revocation list to remove the root, then the browser is accepting the
Hi Hanno,
On Tue, 24 Jan 2017 10:38:01 +0100
Hanno B__ck wrote:
> Hello,
>
> I have a few observations to share about this incident, not sure how
> relevant they are.
Thanks for sharing these. I found them interesting.
> There are 4 "example.com" certificates related to
On 24/01/17 16:26, Richard Barnes wrote:
My gut reaction is 0+1, maybe 2.
- The CAB Forum should specify the overall envelope of what is acceptable
in the Web PKI
- Firefox will enforce restrictions that are mores strict than the BRs
requirements
The BRs say that SHA-1 has been unacceptable
On 24/01/17 16:19, Rob Stradling wrote:
On 24/01/17 16:11, Richard Barnes wrote:
If the root was removed in Firefox 51, and they were issuing SHA-1 off
of it before 51 shipped, then they were issuing SHA-1 certificates under
a root trusted by Firefox.
You can use SHA-1 under a pulled root,
On 24/01/17 16:08, Peter Bowen wrote:
>> Indeed, if they issued these before yesterday, this seems like a problem.
>
> I'm a little surprised to read this. This SHA-1 "private" hierarchy
> is not new news and has been discussed in various forums over the year
> or 18 months. At least one other
On 24/01/17 16:11, Richard Barnes wrote:
If the root was removed in Firefox 51, and they were issuing SHA-1 off
of it before 51 shipped, then they were issuing SHA-1 certificates under
a root trusted by Firefox.
You can use SHA-1 under a pulled root, but it has to actually be pulled
first.
I
On Tue, Jan 24, 2017 at 11:08 AM, Peter Bowen wrote:
> On Tue, Jan 24, 2017 at 8:00 AM, Richard Barnes
> wrote:
> > On Tue, Jan 24, 2017 at 10:48 AM, Gervase Markham
> wrote:
> >>
> >> This helpful spreadsheet shows that they were
On Tue, Jan 24, 2017 at 8:05 AM, Gervase Markham wrote:
> On 24/01/17 15:48, Peter Bowen wrote:
>> I think it would be completely reasonable for Mozilla to require a
>> commonName in an update to the policy. I thought it was there, but a
>> CA pushed back on a cablint error
On Tue, Jan 24, 2017 at 8:00 AM, Richard Barnes wrote:
> On Tue, Jan 24, 2017 at 10:48 AM, Gervase Markham wrote:
>>
>> This helpful spreadsheet shows that they were removed in Firefox 47 and
>> 51 respectively:
>>
On 24/01/17 15:48, Peter Bowen wrote:
> I think it would be completely reasonable for Mozilla to require a
> commonName in an update to the policy. I thought it was there, but a
> CA pushed back on a cablint error about not having one a while ago and
> I wasn't able to find any proof it was
On 24/01/17 16:00, Richard Barnes wrote:
> Except of course the non-zero slice of users that haven't updated yet.
True, although I think it's unreasonable to give CAs a dependency on the
quality of our automatic update infrastructure. We can have a discussion
about whether "checked into master"
On Tue, Jan 24, 2017 at 10:48 AM, Gervase Markham wrote:
> On 24/01/17 14:11, w...@gmail.com wrote:
> > I was searching on crt.sh and I found something confusing by accident.
> > View this page : https://crt.sh/?Identity=%25=7198
> > I can see many SHA-1 certificates issued
On 24/01/17 15:48, Gervase Markham wrote:
Rob: is the "Trusted by Mozilla" stuff based on the root store on
Mozilla's master branch?
Hi Gerv. Yes, I aim to keep crt.sh's view of "Trusted by Mozilla" in
sync with mozilla-central [1]. [1] was last updated a few days ago, and
I pushed the
On 24/01/17 14:11, w...@gmail.com wrote:
> I was searching on crt.sh and I found something confusing by accident.
> View this page : https://crt.sh/?Identity=%25=7198
> I can see many SHA-1 certificates issued in 2016 and one is issued in 2017.
Your list is a list of certificates issued by
On Tue, Jan 24, 2017 at 12:28 AM, Inigo Barreira wrote:
> Yes, I´m also agree. This was also taken into account when writting the ETSI
> standards, and for the CA certs, the minumun is what Peter has indicated
> plus the common name. We indicate that "... shall contain at
I was searching on crt.sh and I found something confusing by accident.
View this page : https://crt.sh/?Identity=%25=7198
I can see many SHA-1 certificates issued in 2016 and one is issued in 2017.
I think it was banned before so someone could tell me why they can issue these
SHA-1 certificates?
On 24/01/17 14:11, w...@gmail.com wrote:
I was searching on crt.sh and I found something confusing by accident.
View this page : https://crt.sh/?Identity=%25=7198
I can see many SHA-1 certificates issued in 2016 and one is issued in 2017.
I think it was banned before so someone could tell me
A discussion inspired by
https://github.com/mozilla/pkipolicy/issues/5
Should Mozilla's root store policy contain any list of approved and/or
disapproved algorithms/key sizes, or not? Possible positions include at
least:
0) No; what algorithms and/or key sizes are supported by Firefox and/or
NSS
The proposal is to require that all CP and CPS documents be provided in
English, in addition to whatever original language they were written in.
The reason for this is that the working language of the Mozilla root
program is English, and Mozilla's root program staff cannot be expected
to read the
Mozilla has started using the Common CA Database to track root
certificates in its root program, and the intermediate certificates
which chain up to those roots. This has led to substantial changes to
the practical processes that CAs must follow. In addition, it is hoped
and anticipated that other
On 24/01/17 09:08, Nick Lamb wrote:
> That's absolutely key to understanding why this trick works. Such an
> understanding is completely absent from the patent, because the
> patent isn't describing what the Baseline Requirements call a Request
> Token but only a Random Value which it calls the
On Thursday, January 19, 2017 at 6:05:22 PM UTC-8, Jakob Bohm wrote:
> On 20/01/2017 00:35, Nick Lamb wrote:
> > On Thursday, 19 January 2017 20:20:24 UTC, Jakob Bohm wrote:
> >> Google's CT initiative in its current form has serious privacy problems
> >> for genuine certificate holders. I
Hello,
I have a few observations to share about this incident, not sure how
relevant they are.
There are 4 "example.com" certificates related to this incident.
There are 114 "O=test" certificates that I assume are related to this
incident. This includes all certificates with a "Not Before" date
On Tuesday, 24 January 2017 04:40:12 UTC, Jeremy Rowley wrote:
> And why wouldn't a request token fit the patent's interpretation of a "Pass
> String"? The only definition I saw in the patent was something generated by
> the validating entity and forwarded to the requester.
The digest of the key
Yes, I´m also agree. This was also taken into account when writting the ETSI
standards, and for the CA certs, the minumun is what Peter has indicated
plus the common name. We indicate that "... shall contain at least the
following attributes ": countryName, organizationName and commonName
28 matches
Mail list logo