> On May 17, 2017, at 07:24, Gervase Markham via dev-security-policy
> wrote:
>
> On 16/05/17 02:26, userwithuid wrote:
>> After skimming the responses and checking a few CAs, I'm starting to
>> wonder: Wouldn't it be easier to just add another mandatory
Adding Richard Wang back as StartCom UK director is for the completion of the
separation; this is a temporary addition as director for signing a bank document
to change the bank signer person from Richard Wang to new CEO Inigo. It will be
removed soon once the bank signer change is done.
Mr. Jon Luk
Ryan Sleevi via dev-security-policy
writes:
>>Pragmatically, does anything known break on the extra byte there?
>
>Yes. NSS does. Because NSS properly implements 5280.
I would say that's probably more a flaw in NSS then. Does anyone's
implementation
Matthew Hardeman via dev-security-policy
writes:
>One question: the choice of 20 bytes of serial number is an unusual length
>for an integer type. It's not a nice clean power of 2. It doesn't align to
>any native integer data type length on any platform
On Monday, August 7, 2017 at 2:36:10 PM UTC-7, Itzhak Daniel wrote:
> On Monday, August 7, 2017 at 11:03:27 PM UTC+3, Jakob Bohm wrote:
> > 7. At Qihoo: Actually get rid of Richard Wang, not just change his
> > title from CEO to COO.
>
> I didn't map the new hierarchy of the "Spanish"
On Tuesday, August 8, 2017 at 6:31:34 AM UTC+9, Jakob Bohm wrote:
> On 07/08/2017 23:05, Vincent Lynch wrote:
> > Jakob,
> >
> > I don't see what is wrong with Jonathan reporting these issues. The authors
> > and ratifiers of the BRs made the choice to specify these small details.
> > While a
On Tuesday, August 8, 2017 at 12:51:40 AM UTC+9, Matthew Hardeman wrote:
> It is what it is, I'm sure, but that definition in RFC5280 is rather tortured
> and leads to ambiguity as to whether or not the leading 0x00 is. In fact, I
> would say that it is not part of the integer value but rather
On Tuesday, August 8, 2017 at 5:27:13 AM UTC+9, Jakob Bohm wrote:
> On 07/08/2017 22:12, Alex Gaynor wrote:
> > You seem to be suggesting that the thoroughness of testing is somehow
> > related to how long it takes.
> >
> > I'd expect any serious (or even not particularly serious...) to have a
>
On Monday, August 7, 2017 at 5:20:13 PM UTC-5, Ryan Sleevi wrote:
> This is entirely unnecessary and would present serious stability issues due
> to backwards compatibility.
>
> It may not be appropriate for this thread - discussing specific misissuances
> - but there is zero benefit from
> Do we really want the CA community to be filled with bureaucratic
> enforcement of harsh punishments for every slight misstep? This is the
> important question that any organization (in this case this community)
> needs to ask itself whenever new surveillance abilities make it possible
> to
On Tuesday, August 8, 2017 at 5:18:21 AM UTC+9, Jakob Bohm wrote:
> On 07/08/2017 16:54, Peter Bowen wrote:
> > On Mon, Aug 7, 2017 at 12:53 AM, Franck Leroy via dev-security-policy
> > wrote:
> >> Hello
> >>
> >> I checked only one but I think they are all
On Monday, August 7, 2017 at 11:03:27 PM UTC+3, Jakob Bohm wrote:
> 7. At Qihoo: Actually get rid of Richard Wang, not just change his
> title from CEO to COO.
I didn't map the new hierarchy of the "Spanish" StartCom CA ("StartCom CA Spain
Sociedad Limitada"), having trouble registering to
On 07/08/2017 23:05, Vincent Lynch wrote:
Jakob,
I don't see what is wrong with Jonathan reporting these issues. The authors
and ratifiers of the BRs made the choice to specify these small details.
While a minor encoding error is certainly not as alarming as say, issuing
an md5 signed
> On Aug 7, 2017, at 16:57, Jakob Bohm via dev-security-policy
> wrote:
>
> On 07/08/2017 22:47, Jonathan Rudenberg wrote:
>> “IdenTrust ACES CA 2” has issued five certificates with an OCSP responder
>> URL that has a HTTPS URI scheme. This is not valid,
Jakob,
I don't see what is wrong with Jonathan reporting these issues. The authors
and ratifiers of the BRs made the choice to specify these small details.
While a minor encoding error is certainly not as alarming as say, issuing
an md5 signed certificate, it is still an error and is worth
On 07/08/2017 22:47, Jonathan Rudenberg wrote:
“IdenTrust ACES CA 2” has issued five certificates with an OCSP responder URL
that has a HTTPS URI scheme. This is not valid, the OCSP responder URI is
required to have the plaintext HTTP scheme according to Baseline Requirements
section
> On Aug 7, 2017, at 16:47, Jonathan Rudenberg via dev-security-policy
> wrote:
>
> “IdenTrust ACES CA 2” has issued five certificates with an OCSP responder URL
> that has a HTTPS URI scheme. This is not valid, the OCSP responder URI is
> required to
“IdenTrust ACES CA 2” has issued five certificates with an OCSP responder URL
that has a HTTPS URI scheme. This is not valid, the OCSP responder URI is
required to have the plaintext HTTP scheme according to Baseline Requirements
section 7.1.2.2(c).
Here’s the list of certificates:
On 07/08/2017 22:12, Alex Gaynor wrote:
You seem to be suggesting that the thoroughness of testing is somehow
related to how long it takes.
I'd expect any serious (or even not particularly serious...) to have a
comprehensive automated test suite that can verify that the software is
regression
On 07/08/2017 16:54, Peter Bowen wrote:
On Mon, Aug 7, 2017 at 12:53 AM, Franck Leroy via dev-security-policy
wrote:
Hello
I checked only one but I think they are all the same.
The integer value of the serial number is 20 octets, but when encoded into
You seem to be suggesting that the thoroughness of testing is somehow
related to how long it takes.
I'd expect any serious (or even not particularly serious...) to have a
comprehensive automated test suite that can verify that the software is
regression free and correct in minutes or hours. If
On 07/08/2017 18:07, Hanno Böck wrote:
On Mon, 7 Aug 2017 15:59:07 +
Ben Wilson via dev-security-policy
wrote:
FWIW - In the case of Telecom Italia, they have a commercial CA
product that has a bug in it that occasionally causes this issue. They
may need
On 07/08/2017 11:21, Franck Leroy wrote:
Hello
I see many reactions that are not in line with the reality because you don’t
have all the history on the subject.
I’ll try to summarize.
Approximately one year ago Inigo was CTO of Izenpe (CA of the Basque Country)
and he left this company in
To play the devil's advocate...
If everything is as Mr. Leroy of Certinomis points out, I don't see the problem
with the cross-sign.
In that version of events, the vast majority of the issues in the new PKI (test
certs, etc) had already been revoked and measures put in place to prevent that
Trust is something you *gain*.
I want to believe the internet has come a long way from PGP signing parties.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
On Mon, 7 Aug 2017 15:59:07 +
Ben Wilson via dev-security-policy
wrote:
> FWIW - In the case of Telecom Italia, they have a commercial CA
> product that has a bug in it that occasionally causes this issue. They
> may need some time for the software to be
FWIW - In the case of Telecom Italia, they have a commercial CA product that has
a bug in it that occasionally causes this issue. They may need some time
for the software to be fixed/replaced.
-Original Message-
From: dev-security-policy
It is what it is, I'm sure, but that definition in RFC5280 is rather tortured
and leads to ambiguity as to whether or not the leading 0x00 is. In fact, I
would say that it is not part of the integer value but rather an explicit sign
flag required by the encoding mechanism.
Wouldn't it have
(inserted missed word; off to get coffee now)
On Mon, Aug 7, 2017 at 7:54 AM, Peter Bowen wrote:
> On Mon, Aug 7, 2017 at 12:53 AM, Franck Leroy via dev-security-policy
> wrote:
>> Hello
>>
>> I checked only one but I think they are all
On Mon, Aug 7, 2017 at 12:53 AM, Franck Leroy via dev-security-policy
wrote:
> Hello
>
> I checked only one but I think they are all the same.
>
> The integer value of the serial number is 20 octets, but when encoded into
> DER a starting 00 may be
Sorry, you're right -- I'd misunderstood the issue with Python. (FWIW, I'm
one of the maintainers of the Python ssl module, and I anticipate us having
a fix for IDNs by the next release).
Alex
On Sun, Aug 6, 2017 at 8:38 PM, Nick Lamb via dev-security-policy <
Hello
I see many reactions that are not in line with the reality because you don’t
have all the history on the subject.
I’ll try to summarize.
Approximately one year ago Inigo was CTO of Izenpe (CA of the Basque Country)
and he left this company in order to join StartCom.
Not long after he
Hello
I checked only one but I think they are all the same.
The integer value of the serial number is 20 octets, but when encoded into DER
a starting 00 may be necessary to mark the integer as a positive value :
0 1606: SEQUENCE {
4 1070: SEQUENCE {
83: [0] {
101:
33 matches