Re: [FORGED] Re: CA generated keys

Matthew Hardeman wrote: > On Wednesday, December 13, 2017 at 5:52:16 PM UTC-6, Peter Gutmann wrote: >> In all of these cases, the device is going to be a safer place to generate >> keys than the CA, in particular because (a) the CA is another embedded >> controller somewhere so probably no better

Re: StartCom & Qihoo Incidents

Peter Gutmann wrote: > Ryan Sleevi writes: > >> What is the goal of the root program? Should there be a higher bar for >> removing CAs than adding them? Does trust increase or decrease over time? > > Another thing I'd like to bring up is the absolute silence of the CAB forum >

Re: Incidents involving the CA WoSign

Gervase Markham wrote: > On 07/10/16 04:21, Peter Gutmann wrote: >> That still doesn't necessarily answer the question, Google have their CRLSets >> but they're more ineffective than effective in dealing with revocations >> (according to GRC, they're 98% ineffective, >>

Re: SHA-1 exception First Data

Dean Coclin wrote: > First Data's customers don't use browsers so Firefox can disable SHA-1 > tomorrow > and not affect them. So why to have your CA certificate trusted in Firefox's cert DB? > First Data has asked for a reasonable extension which doesn't affect browsers. If it does not "affect

Re: Incidents involving the CA WoSign

Peter Gutmann wrote: > Rob Stradling writes: > >> Easy. It doesn't make a sound. Unrevoked certificates don't make sounds >> either. > > What I was really asking, in a tongue-in-cheek way, was whether there was any > indication of how successfully the information

Re: address prefixes allowed for domain control validation

Peter Bowen wrote: On Sun, Mar 22, 2015 at 4:18 PM, Kathleen Wilson kwil...@mozilla.com wrote: admin@domain administrator@domain webmaster@domain hostmaster@domain postmaster@domain What do you all think? (Note this is also in Baseline Requirements section 11.1.1)

Re: Name Constraints

Ryan Sleevi wrote: Given that sites in consideration already have multiple existing ways to mitigate these threats (among them, Certificate Transparency, Public Key Pinning, and CAA), Any clients which already make use of CAA RRs in DNS? Or did you mean something else with the acronym CAA?

Re: Client certs

Gervase Markham wrote: A question which occurred to me, and I thought I'd put before an audience of the wise: * What advantages, if any, do client certs have over number-sequence widgets such as e.g. the HSBC Secure Key, used with SSL?

Re: Netcraft blog, violations of CABF Baseline Requirements, any consequences?

Kathleen Wilson wrote: In the case of EV certs, Mozilla is still checking the CRL when the OCSP URI is not provided. Which CRL? Where does it come from? Though, I believe the plan is to stop checking CRL in the future... https://bugzilla.mozilla.org/show_bug.cgi?id=585122#c34 Instead of

Re: Netcraft blog, violations of CABF Baseline Requirements, any consequences?

Kaspar Brand wrote: Another 10 days have passed without any apparent sign of Mozilla's willingness to address the case of the non-existence of an OCSP responder for the Cybertrust SureServer EV CA. And since CRL support was dropped in recent Firefox/Seamonkey releases there's no revocation