Matthew Hardeman wrote:
> On Wednesday, December 13, 2017 at 5:52:16 PM UTC-6, Peter Gutmann wrote:
>> In all of these cases, the device is going to be a safer place to generate
>> keys than the CA, in particular because (a) the CA is another embedded
>> controller somewhere so probably no better
Peter Gutmann wrote:
> Ryan Sleevi writes:
>
>> What is the goal of the root program? Should there be a higher bar for
>> removing CAs than adding them? Does trust increase or decrease over time?
>
> Another thing I'd like to bring up is the absolute silence of the CAB forum
>
Gervase Markham wrote:
> On 07/10/16 04:21, Peter Gutmann wrote:
>> That still doesn't necessarily answer the question, Google have their CRLSets
>> but they're more ineffective than effective in dealing with revocations
>> (according to GRC, they're 98% ineffective,
>>
Dean Coclin wrote:
> First Data's customers don't use browsers so Firefox can disable SHA-1
> tomorrow
> and not affect them.
So why to have your CA certificate trusted in Firefox's cert DB?
> First Data has asked for a reasonable extension which doesn't affect browsers.
If it does not "affect
Peter Gutmann wrote:
> Rob Stradling writes:
>
>> Easy. It doesn't make a sound. Unrevoked certificates don't make sounds
>> either.
>
> What I was really asking, in a tongue-in-cheek way, was whether there was any
> indication of how successfully the information
Peter Bowen wrote:
On Sun, Mar 22, 2015 at 4:18 PM, Kathleen Wilson kwil...@mozilla.com wrote:
admin@domain
administrator@domain
webmaster@domain
hostmaster@domain
postmaster@domain
What do you all think?
(Note this is also in Baseline Requirements section 11.1.1)
Ryan Sleevi wrote:
Given that sites in consideration already have multiple existing ways to
mitigate these threats (among them, Certificate Transparency, Public Key
Pinning, and CAA),
Any clients which already make use of CAA RRs in DNS?
Or did you mean something else with the acronym CAA?
Gervase Markham wrote:
A question which occurred to me, and I thought I'd put before an
audience of the wise:
* What advantages, if any, do client certs have over number-sequence
widgets such as e.g. the HSBC Secure Key, used with SSL?
Kathleen Wilson wrote:
In the case of EV certs, Mozilla is still checking the CRL when the OCSP URI
is not provided.
Which CRL? Where does it come from?
Though, I believe the plan is to stop checking CRL in the
future...
https://bugzilla.mozilla.org/show_bug.cgi?id=585122#c34
Instead of
Kaspar Brand wrote:
Another 10 days have passed without any apparent sign of Mozilla's
willingness to address the case of the non-existence of an OCSP
responder for the Cybertrust SureServer EV CA.
And since CRL support was dropped in recent Firefox/Seamonkey releases there's
no revocation
10 matches
Mail list logo