On 19 June 2017 at 08:28, Samuel Pinder via dev-security-policy
wrote:
> Therefore the newly re-issued
> certificate *will* end up with its private key compromised *again*,
> no matter how well it may be obfuscated in the application, it is
> still against
This is an extremely good point. I wonder:
1. If Mozilla should ask/require CAs to perform this check.
2. If Mozilla should ask/require CAs to invest in the capability to
make this check for future requests in the future (where we would
require responses within a certain time period.)
-tom
On
Thanks Jakob, I think you summed things up well.
-tom
On 27 July 2018 at 01:46, Jakob Bohm via dev-security-policy
wrote:
> On 26/07/2018 23:04, Matthew Hardeman wrote:
>>
>> On Thu, Jul 26, 2018 at 2:23 PM, Tom Delmas via dev-security-policy <
>> dev-security-policy@lists.mozilla.org> wrote:
On 27 February 2018 at 10:23, Alex Gaynor via dev-security-policy
wrote:
> A reasonable compromise that jumps out to me is allowing extensions to make
> an otherwise-secure connection fail, but not allow them to rehabilitate an
> insecure connection. This
On 28 February 2018 at 11:37, Jeremy Rowley via dev-security-policy
wrote:
> What kind of transparency would the Mozilla community like around this
> issue? There aren't many more facts than I shared above, but there is a lot
> of speculation. Let me know
On Mon, 15 Oct 2018 at 04:51, Paul Wouters via dev-security-policy
wrote:
>
> On Oct 14, 2018, at 21:09, jsha--- via dev-security-policy
> wrote:
> >
> > There’s a paper from 2013 outlining a fragmentation attack on DNS that
> > allows an off-path attacker to poison certain DNS results using
PKP is a footgun. Deploying it without being prepared for the
situations you've described is ill-advised. There are a few options
available for organizations who want to pin, in increasing order of
sophistication:
Enforce Certificate Transparency. You're not locked into any CA or
key, only that
On Thu, Aug 15, 2019, 7:46 AM Doug Beattie via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Peter,
>
> Do you have any empirical data to back up the claims that there is no
> benefit
> from EV certificates? From the reports I've seen, the percentage of
> phishing and
On Fri, 23 Aug 2019 at 22:53, Daniel Marschall via dev-security-policy
wrote:
>
> On Friday, 23 August 2019 00:50:35 UTC+2, Ronald Crane wrote:
> > On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote:
> >
> > Whatever the merits of EV (and perhaps there are some -- I'm not
>
On Fri, 23 Aug 2019 at 05:00, Leo Grove via dev-security-policy
wrote:
>
> On Thursday, August 22, 2019 at 5:50:35 PM UTC-5, Ronald Crane wrote:
> > On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote:
> > > I can tell you that anti-phishing services and browser phishing filters