RE: DigiCert OCSP services returns 1 byte

2019-08-27 Thread Jeremy Rowley via dev-security-policy
Our super unpublished RFC. Sadly no. We're still investigating, but it looks like it has to do with pre-certs and the way the system responds when the actual cert never issued. We're working on an incident report. Funny enough (and not in the ha-ha way), the system works if the pre-cert

Re: DigiCert OCSP services returns 1 byte

2019-08-27 Thread Peter Gutmann via dev-security-policy
Curt Spann via dev-security-policy writes:
> I created the following bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1577014

Maybe it's an implementation of OCSP SuperDietLite, 1 = revoked, 0 = not revoked. In terms of it being unsigned, you can get the same effect by setting respStatus =

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-27 Thread Leo Grove via dev-security-policy
> There are also opportunities for browsers here. I have to admit I primarily use Google Chrome, rather than Firefox, so my observations may be a little tainted, but I see various places where signals far more valuable than the green lock could be implemented. Consider that most

DigiCert OCSP services returns 1 byte

2019-08-27 Thread Curt Spann via dev-security-policy
Hello, I created the following bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1577014

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-27 Thread James Burton via dev-security-policy
Resend again to fix spelling errors and add extra details. The correct way to vet a UK company would be to:
1. The CA checks Companies House to check if the company is incorporated.
2. The CA sends a letter with verification code to the company address listed on Companies House.
3. The CA requests

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-27 Thread James Burton via dev-security-policy
Companies House (http://resources.companieshouse.gov.uk/serviceInformation.shtml#compInfo) says "We carry out basic checks on documents received to make sure that they have been fully completed and signed, but we do not have the statutory power or capability to verify the accuracy of the

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-27 Thread Jakob Bohm via dev-security-policy
On 27/08/2019 08:03, Peter Gutmann wrote:
> Jakob Bohm via dev-security-policy writes:
>
>> and
>> both took advantage of weaknesses in two
>> government registries
>
> They weren't "weaknesses in government

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-27 Thread Cynthia Revström via dev-security-policy
> Because no actual proof that DV versus EV makes no difference in the current (not ancient or anecdotal) situation has been posted.

To me that sounds like you are suggesting that we prove that nothing happened, which is pretty much impossible. Why don't you or the CAs offering EV prove

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-27 Thread Peter Gutmann via dev-security-policy
Jakob Bohm via dev-security-policy writes:
> and
> both took advantage of weaknesses in two
> government registries

They weren't "weaknesses in government registries", they were registries working as designed, and as