Done:
https://bugzilla.mozilla.org/show_bug.cgi?id=1515564
It ended up being about 1200 certs total that we are hearing can’t be replaced
because of blackout periods.
From: Ryan Sleevi
Sent: Wednesday, December 19, 2018 11:05 AM
To: Jeremy Rowley
Cc: r...@sleevi.com; mozilla-dev-se
On Wed, Dec 19, 2018 at 05:20:59PM +, Jeremy Rowley via dev-security-policy
wrote:
> One of the big factors should be the risk to the industry/community if the
> certificates aren’t revoked. Perhaps we can identify what the risk to the
> community is in revocation delays first? There’s no ne
Look forward to seeing and discussing once the full scope of the request is
shared.
On Wed, Dec 19, 2018 at 12:21 PM Jeremy Rowley
wrote:
> We will post the full list of exceptions today.
>
>
>
> One of the big factors should be the risk to the industry/community if the
> certificates aren’t rev
I threw together a quick Go library for using this API to see how it works
in a larger app.
https://github.com/adamdecaf/pwnedkeys
On Wed, Dec 19, 2018 at 3:34 AM Matt Palmer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Wed, Dec 19, 2018 at 11:30:47AM +0100, Kurt
We will post the full list of exceptions today.
One of the big factors should be the risk to the industry/community if the
certificates aren’t revoked. Perhaps we can identify what the risk to the
community is in revocation delays first? There’s no need to know the exact
certs to talk about
While I appreciate you sharing what you have, as I tried to capture in my
previous message, I don't believe there can be any discussion or
consideration in earnest without the full and final information. I don't
think it's reasonable to drip in information piecemeal, given the impact
and effect th
On Wed, Dec 19, 2018 at 11:30:47AM +0100, Kurt Roeckx via dev-security-policy
wrote:
> I'm not sure how you feel about listing keys where you don't have the
> private key for, but are known to be compromised anyway. One potential
> source for such information might be CRLs where the reason for rev
Hi Matt. This is great. A few comments inline...
On 19/12/2018 09:00, Matt Palmer via dev-security-policy wrote:
> Hi Ryan,
>
> On Tue, Dec 18, 2018 at 08:24:48PM -0800, Ryan Hurst via dev-security-policy
> wrote:
>> My first thought is by using SPKI you have limited the service
>> unnecessari
On 2018-12-19 10:55, Matt Palmer wrote:
On Wed, Dec 19, 2018 at 10:08:51AM +0100, Kurt Roeckx via dev-security-policy
wrote:
On 2018-12-18 11:44, Matt Palmer wrote:
It's currently loaded with great piles of Debian weak keys (from multiple
architectures, etc), as well as some keys I've picked u
On 18/12/2018 16:41, Ryan Sleevi wrote:
> On Tue, Dec 18, 2018 at 7:41 AM Rob Stradling wrote:
> On 14/12/2018 21:06, Wayne Thayer via dev-security-policy wrote:
>
> > I think it's worth calling out that Let's Encrypt has implemented
> what
> > appears to be a relatively simp
On Wed, Dec 19, 2018 at 10:08:51AM +0100, Kurt Roeckx via dev-security-policy
wrote:
> On 2018-12-18 11:44, Matt Palmer wrote:
> > It's currently loaded with great piles of Debian weak keys (from multiple
> > architectures, etc), as well as some keys I've picked up at various times.
> > I'm also d
On 19/12/2018 04:14, Peter Bowen wrote:
> On Tue, Dec 18, 2018 at 6:52 PM Jeremy Rowley via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> Ballot 202 failed. I’m not sure how it’s relevant other than to indicate
>> there was definite disagreement about whether underscor
Ryan Hurst via dev-security-policy
writes:
>My first thought is by using SPKI you have limited the service unnecessarily
>to X.509 related keys, I imagined something like this covering PGP, JWT as
>well as other formats. It would be nice to see the scope increased
>accordingly.
You can't do it
On 2018-12-18 11:44, Matt Palmer wrote:
It's currently loaded with great piles of Debian weak keys (from multiple
architectures, etc), as well as some keys I've picked up at various times.
I'm also developing scrapers for various sites where keys routinely get
dropped.
You might for instance al
Hi Ryan,
On Tue, Dec 18, 2018 at 08:24:48PM -0800, Ryan Hurst via dev-security-policy
wrote:
> My first thought is by using SPKI you have limited the service
> unnecessarily to X.509 related keys, I imagined something like this
> covering PGP, JWT as well as other formats. It would be nice to se
15 matches