Re: Logotype extensions

2019-07-10 Thread Phillip Hallam-Baker via dev-security-policy
On Wed, Jul 10, 2019 at 6:11 PM Wayne Thayer wrote: > On Wed, Jul 10, 2019 at 2:31 PM Phillip Hallam-Baker < > ph...@hallambaker.com> wrote: > >> On Wed, Jul 10, 2019 at 4:54 PM Wayne Thayer via dev-security-policy < >> dev-security-policy@lists.mozilla.org> wrote: >> >>> Russ, >>> >>> > >>>

Re: DarkMatter Concerns

2019-07-10 Thread Matthew Hardeman via dev-security-policy
On Wed, Jul 10, 2019 at 11:43 AM Scott Rea via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Mozilla’s new process, based on its own admission, is to ignore technical > compliance and instead base its decisions on some yet to be disclosed > subjective criterion which is

Re: Logotype extensions

2019-07-10 Thread Wayne Thayer via dev-security-policy
On Wed, Jul 10, 2019 at 2:31 PM Phillip Hallam-Baker wrote: > On Wed, Jul 10, 2019 at 4:54 PM Wayne Thayer via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> Russ, >> >> > >> Perhaps one of us is confused because I think we're saying the same thing >> - >> that rules

Re: Logotype extensions

2019-07-10 Thread Phillip Hallam-Baker via dev-security-policy
On Wed, Jul 10, 2019 at 4:54 PM Wayne Thayer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Russ, > > > > Perhaps one of us is confused because I think we're saying the same thing - > that rules around inclusion of Logotype extensions in publicly-trusted > certs should

Re: Logotype extensions

2019-07-10 Thread Wayne Thayer via dev-security-policy
Russ, On Wed, Jul 10, 2019 at 11:41 AM housley--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Friday, July 5, 2019 at 7:53:45 PM UTC-4, Wayne Thayer wrote: > > Based on this discussion, I propose adding the following statement to the > > Mozilla Forbidden

Re: Logotype extensions

2019-07-10 Thread Phillip Hallam-Baker via dev-security-policy
On Wed, Jul 10, 2019 at 2:41 PM housley--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Friday, July 5, 2019 at 7:53:45 PM UTC-4, Wayne Thayer wrote: > > Based on this discussion, I propose adding the following statement to the > > Mozilla Forbidden Practices wiki

Re: DarkMatter Concerns

2019-07-10 Thread Nadim Kobeissi via dev-security-policy
Dear Ryan, In outlining the two paths that I presented at the end of my previous email, I made sure to illustrate the choice between them as one that comes repeatedly -- a conscious choice that every time produces a small, incremental improvement, often through a tiresome and onerous process.

Re: DarkMatter Concerns

2019-07-10 Thread Nadim Kobeissi via dev-security-policy
Dear Ryan, Thanks very much for this very insightful email. There really is a lot that I and others don't know about how these decisions are made. The silver lining here is that we agree on where some of the gaps are in this process, and that Mozilla, Google and others are working on filling in

Re: DarkMatter Concerns

2019-07-10 Thread Ryan Sleevi via dev-security-policy
On Wed, Jul 10, 2019 at 3:17 PM Nadim Kobeissi wrote: > Many times in this discussion, we have all been offered a choice between > two paths. The first path would be to examine difficult problems and > shortcomings together and attempt to present incremental--often > onerous--improvements.

Re: Logotype extensions

2019-07-10 Thread Ryan Sleevi via dev-security-policy
On Wed, Jul 10, 2019 at 2:41 PM housley--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > People find logos very helpful. That is why many browsers display a tiny > logo in the toolbar. > Are you talking the favicon? An attacker controlled resource which should not be

Re: New intermediate certs and Audit Statements

2019-07-10 Thread Kathleen Wilson via dev-security-policy
On 7/9/19 3:17 PM, Ryan Sleevi wrote: On Tue, Jul 9, 2019 at 5:50 PM Kathleen Wilson via dev-security-policy I propose that to handle this situation, the CA may enter the subordinate CA's current audit statements and use the Public Comment field to indicate that the new certificate will be

Re: DarkMatter Concerns

2019-07-10 Thread Ryan Sleevi via dev-security-policy
On Wed, Jul 10, 2019 at 2:15 PM Nadim Kobeissi via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Indeed I would much rather focus on the rest of the elements in the Mozilla > Root Store Policy ( > >

Re: Logotype extensions

2019-07-10 Thread housley--- via dev-security-policy
On Friday, July 5, 2019 at 7:53:45 PM UTC-4, Wayne Thayer wrote: > Based on this discussion, I propose adding the following statement to the > Mozilla Forbidden Practices wiki page [1]: > > ** Logotype Extension ** > Due to the risk of misleading Relying Parties and the lack of defined >

Re: DarkMatter Concerns

2019-07-10 Thread Nadim Kobeissi via dev-security-policy
Dear Ryan, Thank you very much for pointing out that in the examples listed by Fabio, none of them actually control the private key. I did not know this and assumed that the opposite would be the case for at least some of the entities listed. I am indeed a new participant and I have an

Re: DarkMatter Concerns

2019-07-10 Thread Michael Casadevall via dev-security-policy
I appreciate the ground work Fabio put into this thus far, and want to see further discussion on it. I think the safest way to quantify and frame the discussion is asking if a CA (or subCA) has a vested interest in surveillance, other business interest, or government ties which would put a CA to

Re: DarkMatter Concerns

2019-07-10 Thread Ryan Sleevi via dev-security-policy
On Wed, Jul 10, 2019 at 1:07 PM Nadim Kobeissi via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I would like to support the statements made by both Fabio and Scott to the > extent that if Mozilla is to go forward with this decision, then I fully > expect them to review

Re: DarkMatter Concerns

2019-07-10 Thread Ryan Sleevi via dev-security-policy
On Wed, Jul 10, 2019 at 12:29 PM fabio.pietrosanti--- via dev-security-policy wrote: > Said that, given the approach that has been followed with DarkMatter > about "credible evidence" and "people safety" principles, I would strongly > argue that Mozilla should take action against the subject

Re: DarkMatter Concerns

2019-07-10 Thread Cynthia Revström via dev-security-policy
Hi Scott, Below is my personal view on it, I acknowledge that it is highly subjective. For one, people and companies in the UAE could get certs from non-UAE CAs. I live in Sweden, yet I have certs from Norwegian, British, and American CAs. Another issue I have is that I think there is a

Re: DarkMatter Concerns

2019-07-10 Thread Nadim Kobeissi via dev-security-policy
I would like to support the statements made by both Fabio and Scott to the extent that if Mozilla is to go forward with this decision, then I fully expect them to review their existing CAs and to revoke onto OneCRL every one of them that has some news report or blog post linking them to nefarious

Re: DarkMatter Concerns

2019-07-10 Thread Scott Rea via dev-security-policy
G’day Folks, DigitalTrust first learned of the Mozilla decision via Reuters. We believe this is emblematic of Mozilla’s approach to our application which appears to have been predetermined from the outset. We believe yesterday’s decision is unfair and demonstrates an anti-UAE bias where a

Re: DarkMatter Concerns

2019-07-10 Thread Nadim Kobeissi via dev-security-policy
Dear Nex, I doubt that anyone seriously believes that "reporters are lying out of their teeth." It is far more likely that the reporters are working within the realm of reason and covering things as they see them. So far all the actors in this appear to be behaving in ways that make sense

Re: DarkMatter Concerns

2019-07-10 Thread Fabio Pietrosanti via dev-security-policy
I understand Nadim's points; there's a lot of subjectively biased "popular judgement". While from a security standpoint perspective "better safe than sorry" is a good statement, from a rights and fairness perspective that's very bad. So further conversation is needed. Following DarkMatter

Re: DarkMatter Concerns

2019-07-10 Thread fabio.pietrosanti--- via dev-security-policy
I understand Nadim's points; there's a lot of subjectively biased "popular judgement". While from a security standpoint perspective "better safe than sorry" is a good statement, from a rights and fairness perspective that's very bad. So further conversation is needed. Following DarkMatter

Re: DarkMatter Concerns

2019-07-10 Thread Matthew Hardeman via dev-security-policy
Even if we stipulated that all those accounts were fully accurate, all those reports are about a separate business that happens to be owned by the same owner. Furthermore, in as far as none of those directly speak to their ability to own or manage a publicly trusted CA, I would regard those

Re: DarkMatter Concerns

2019-07-10 Thread Nex via dev-security-policy
I think that dismissing as baseless investigations from 9 different reporters, on 3 different newspapers (add one more, FP, if we consider this[1]) is misleading. Additionally, it is just false to say all the articles only relied on anonymous sources (of which they have many, by the way), but there