Re: DarkMatter Concerns
On Tuesday, July 9, 2019 at 11:46:05 PM UTC+2, Matthew Hardeman wrote:
> ownership: Francisco Partners. It is difficult for me to see the
> difference, objectively speaking.

Agree, but I think Francisco Partners was ... rubbing the wrong way, too; and I think that issue was let go way too easily.

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: DarkMatter Concerns
On Tuesday, July 9, 2019 at 11:23:11 PM UTC+2, Matthew Hardeman wrote:
> Truly horrid organizations and/or individuals passively own all kinds of
> assets. A strong management team that can be trusted to keep commitments to
> sound the alarm if the organization goes off track is one way to address that.

I think it's less about a single person than about an alleged firewalling of entities that end up being not firewalled at all, but all owned by the same person in the end.
Re: Certinomis Issues
> But does EN 319 401, as it existed in 2016/2017 incorporate a clause to
> apply all "future" updates to the CAB/F regulations or otherwise cover
> all BRs applicable to the 2016/2017 timespan?

Interesting question. Would it have to explicitly claim to incorporate any future updates? Or would it have to explicitly *deny* to be applied to future updates?

My personal interpretation would be to assume compliance at PIT and including potential future amendments, unless explicitly stated otherwise.
Re: Certinomis Issues
On Thursday, May 2, 2019 at 1:11:20 AM UTC+2, Wayne Thayer wrote:
> Correct - 319 411 was (and still is) the Mozilla audit requirement.
>
> [1] https://bug937589.bmoattachments.org/attachment.cgi?id=8898169

Thanks for the clarification, Wayne.
Re: Certinomis Issues
> 2017 assessment report
> LSTI didn't issue to Certinomis any "audit attestation" for the browsers in
> 2017. The document Wayne references is a "Conformity Assessment Report" for
> the eIDAS regulation.

I had a look at the 2017 report, and unless I misread, it implies conformity to ETSI EN 319 401 (it states "Est vérifiée également la conformité aux normes: EN 319 401", i.e. conformity to the standards EN 319 401 is also verified), whereas EN 319 401 states, "The present document is aiming to meet the general requirements to provide trust and confidence in electronic transactions including, amongst others, applicable requirements from Regulation (EU) No 910/2014 [i.2] and those from CA/Browser Forum [i.4].", so I'm not sure how that squares with saying it wasn't an audit taking CA/BF regulations into account?
Re: Symantec: Update
On Wednesday, May 10, 2017 at 7:59:37 PM UTC+2, Itzhak Daniel wrote:
> The next step, if Symantec wish to continue to use their current PKI in the
> future, should be logging (ASAP) *all* of the certificates they issued to a
> CT log, then we'll know how deep is the rabbit hole.

Already the case since '15:
https://security.googleblog.com/2015/10/sustaining-digital-certificate-security.html

Although I'm not certain if this applied only to certs issued under the Symantec brand.
Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys
Maybe I'm alone in this but, while entertaining, I'm taken aback a bit if this is official Symantec communication in a forum like m.d.s.p.
Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites
> Not for those sorts of differences. There are in an IDN context:
> http://unicode.org/reports/tr39/

Wasn't aware of that TS, thanks!
Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites
> I've been wondering if CT is a good tool for things like safe
> browsing to monitor possible phishing sites and possibly detect
> them faster.

Are there general proposals yet on how to distinguish phishing vs legitimate when it comes to domains? (like apple.com vs app1e.com vs mom'n'pop farmer's myapple.com)

Thanks,
Nico
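To illustrate the two points raised in the last two posts (TR39 / UTS #39 confusable detection for IDN look-alikes, and Nico's question of telling apple.com, app1e.com and myapple.com apart in a CT feed), here is an added example, not code from any poster or from the Unicode or CT projects. It takes a list of SAN names as they would come out of a CT log (A-labels, xn--), converts them to U-labels, computes a UTS #39-style skeleton using a small hand-picked subset of the confusables table (an assumption: the real confusables.txt has thousands of entries), and then goes beyond plain skeleton matching with two extra checks a practitioner usually wants: a one-edit typo check and a "brand appears as a whole token" check. The brand list, the sample SAN entries and the lack of a public-suffix list are all assumptions of the demo.

```python
"""Look-alike hostname triage over a CT-style list of names (added example).

The skeleton step follows the idea of UTS #39 (casefold, NFD, map confusables,
drop combining marks); CONFUSABLES below is a hand-picked subset, not the real
confusables.txt. No public-suffix list is used, so the "registrable label" is
simply the second-to-last label (wrong for example.co.uk-style names).
"""
import re
import unicodedata

# Assumption: a few UTS #39 entries chosen for the demo, lowercase targets.
CONFUSABLES = {
    "0": "o", "1": "l", "5": "s",
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
}
# Multi-character confusables, applied after the per-character pass.
SEQUENCES = [("rn", "m"), ("vv", "w")]

# Assumption: the domains we want to protect.
BRANDS = ["paypal.com", "apple.com"]

# Constructed sample of SAN entries, as they might appear in CT log entries.
SAMPLE_SANS = [
    "www.paypal.com",                     # the brand itself
    "paypa1.com",                         # digit 1 for l
    "app1e.com",                          # Nico's example
    "xn--80ak6aa92e.com",                 # Cyrillic аррӏе, as seen in a cert
    "paipal.com",                         # one-edit typo
    "secure-paypal-login.example.net",    # brand as a token
    "paypal.com.account-verify.example",  # brand domain as a prefix
    "myapple.com",                        # substring only: not flagged
    "farm-fresh-apples.example",          # no match
]


def to_unicode(host: str) -> str:
    """Turn a hostname with A-labels (xn--) into U-labels, label by label."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # keep the raw A-label and compare it as plain text
        labels.append(label)
    return ".".join(labels)


def skeleton(label: str) -> str:
    """UTS #39-style skeleton: casefold, NFD, map confusables, strip marks."""
    s = unicodedata.normalize("NFD", label.casefold())
    s = "".join(CONFUSABLES.get(c, c) for c in s if not unicodedata.combining(c))
    for seq, repl in SEQUENCES:
        s = s.replace(seq, repl)
    return unicodedata.normalize("NFD", s)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), for typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(host: str, brands=BRANDS):
    """Return (verdict, protected_domain) for one hostname.

    Per protected domain, in order of precedence:
      own-domain   the name is the protected domain or a subdomain of it
      lookalike    registrable label has the same skeleton (paypa1, аррӏе)
      typosquat    registrable label is one edit away (paipal)
      brand-token  brand appears as a whole dot/dash/underscore token
      no-match     none of the above; myapple.com lands here on purpose
    """
    host_u = to_unicode(host)
    sld_sk = skeleton(registrable_label(host_u))
    tokens = {skeleton(t) for t in re.split(r"[.\-_]", host_u) if t}
    for domain in brands:
        brand_sk = skeleton(registrable_label(domain))
        if host_u == domain or host_u.endswith("." + domain):
            return "own-domain", domain
        if sld_sk == brand_sk:
            return "lookalike", domain
        if levenshtein(sld_sk, brand_sk) == 1:
            return "typosquat", domain
        if brand_sk in tokens:
            return "brand-token", domain
    return "no-match", None


if __name__ == "__main__":
    for name in SAMPLE_SANS:
        verdict, domain = classify(name)
        print(f"{name:36} {verdict:12} {domain or ''}")
```

The token check is what keeps myapple.com out of the alert list while still catching secure-paypal-login.example.net: a brand name as a substring of a longer word is weak evidence, a brand name standing alone between separators is not. In production the confusables subset would be replaced by the full UTS #39 table and the registrable label by a public-suffix-list lookup; the ordering of the checks stays the same.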