Ryan Hurst via dev-security-policy
writes:
>Unfortunately, the PKCS#12 format, as supported by UAs and Operating Systems
>is not a great candidate for the role of carrying keys anymore. You can see
>my blog post on this topic here: http://unmitigatedrisk.com/?p=543
It's even worse than that, I
On Mon, Dec 18, 2017 at 03:04:11PM -0800, Ian Carroll via dev-security-policy
wrote:
>
> I do wonder how many users actually make the connection that the country code
> next to the company name is in fact a country code.
And even if you do make the connection, it's not always obvious
even in wh
On Monday, December 18, 2017 at 4:54:24 PM UTC-5, Andrew wrote:
> On Monday, December 18, 2017 at 3:09:31 PM UTC-6, Wayne Thayer wrote:
> > Thank you Ryan for raising this question, and to everyone who has been
> > contributing in a constructive manner to the discussion. A number of
> > excellent p
On Mon, Dec 18, 2017 at 4:09 PM, Wayne Thayer wrote:
> Thank you Ryan for raising this question, and to everyone who has been
> contributing in a constructive manner to the discussion. A number of
> excellent points have been raised on the effectiveness of EV in general and
> on the practicality
On Sun, Dec 10, 2017 at 9:15 AM, YairE via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Thank you for your notes,
> Here are the answers to your points.
>
> all the "bad" points about the CPS were addressed:
> Both CPS's are now changed to ver 4.1
>
Looks good, thank you.
On Monday, December 18, 2017 at 3:54:24 PM UTC-6, Andrew wrote:
> On Monday, December 18, 2017 at 3:09:31 PM UTC-6, Wayne Thayer wrote:
> > Thank you Ryan for raising this question, and to everyone who has been
> > contributing in a constructive manner to the discussion. A number of
> > excellent p
On Monday, December 18, 2017 at 3:09:31 PM UTC-6, Wayne Thayer wrote:
> Thank you Ryan for raising this question, and to everyone who has been
> contributing in a constructive manner to the discussion. A number of
> excellent points have been raised on the effectiveness of EV in general and
> on th
Thank you Ryan for raising this question, and to everyone who has been
contributing in a constructive manner to the discussion. A number of
excellent points have been raised on the effectiveness of EV in general and
on the practicality of solving the problems that exist with EV.
While we have conc
My apologies for bringing up an analogy to cars for purposes of explaining,
as it's otherwise opened up an analogical rathole.
The answer to your question about IDNs is probably best for a separate
thread (as it doesn't seem to bear relevance to EV), and your question
about whether it encourages p
IDN abuses are far more hostile, to my mind, than EV positive indicators.
At least within certain locales.
Why is IDN even displayed in styled form if the client locale belongs to a
jurisdiction or language for which non-roman characters would be abnormal?
Additionally, many vehicles provide non-
That is, indeed, a good question.
I've also questioned simultaneously questioning users' reliance on the UI
while suggesting that no user looks to the UI.
If the user does not see or make decisions on the basis of the UI, it seems
leaving it present is no harder a conclusion to arrive at than rem
On Mon, Dec 18, 2017 at 1:43 PM, Andrew via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> Correct me if I'm wrong, but isn't the sole argument for removing EV UI
> based on the premise that attack #2 in the list above is worse than attack
> #1? So much worse in fact, that
On Mon, Dec 18, 2017 at 1:26 PM, Andrew via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Friday, December 15, 2017 at 4:06:02 PM UTC-6, Ryan Sleevi wrote:
> > It also perpetuates the myopic and flawed view as a phishing mitigation,
> > whose reliance is upon users check
As I see it, there are essentially two entirely different forms of identity
assurance that TLS certificates are intended to provide:
- To assure the user that the domain name displayed in the address bar is
controlled by the same entity who controls the server they are communicating
with (Domai
On Friday, December 15, 2017 at 4:06:02 PM UTC-6, Ryan Sleevi wrote:
> It also perpetuates the myopic and flawed view as a phishing mitigation,
> whose reliance is upon users checking it (again, user hostile)
Ryan, several times now you've characterized the expectation that users check
that the n
On Mon, Dec 18, 2017 at 9:30 AM, cornelia.enke66--- via dev-security-policy
wrote:
>
> Update on the long-term countermeasures:
> At the first point - sorry for the delay. I missed posting my answer on
> Friday.
>
> We The occurred error caused by a human error we decided as a long-term
> protecti
On Sun, Dec 17, 2017 at 6:38 PM, Peter Kurrasch via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Again I will state that it's in the best interests of CA's to improve
> their EV issuing guidelines and practices. While CA's no doubt enjoy
> charging a premium for EV service
On Sun, Dec 17, 2017 at 4:45 PM, Peter Kurrasch via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Second, the actual value in EV as far as I can see is in having that human
> readable name in addition to the domain name. A successful plan of attack
> will need convincing na
> On 15/12/17 16:02, Ryan Hurst wrote:
> > So I have read this thread in its entirety now and I think it makes
> > sense for it to reset to first principles, specifically:
> >
> > What are the technological and business goals trying to be achieved,
> > What are the requirements derived from those go
On Tuesday, 12 December 2017 11:10:00 UTC+1, cornel...@swisssign.com wrote:
> 1)How your CA first became aware of the problem (e.g. via a problem report
> submitted to your Problem Reporting Mechanism, a discussion in
> mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and
The Microsoft Volume Licensing Service Center (VLSC) is definitely affected, at
least from my recent experience - I've been struggling with their service for
the past week because the email address validations from Microsoft VLSC seem to
be intercepted/blocked somewhere - I'm having difficulties