Thanks for pointing this out Ryan and Dimitris. You are both correct: we
should direct Taiwan GRCA to change their request from including the root
to including only the subordinate CAs that comply with the Mozilla policy.
The option of adding the non-compliant subordinate CAs to OneCRL does not
On 26/1/2018 11:54 μμ, Ryan Sleevi via dev-security-policy wrote:
> Has any consideration been given to adopt a similar policy as discussed
> with the Government of Korea application -
> https://bugzilla.mozilla.org/show_bug.cgi?id=1226100#c38
Just to avoid any possible mis-reading of:
"If
On Fri, Jan 12, 2018 at 2:27 PM, Wayne Thayer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Thursday, June 1, 2017 at 5:03:15 PM UTC-7, Kathleen Wilson wrote:
> > On Friday, May 26, 2017 at 9:32:57 AM UTC-7, Kathleen Wilson wrote:
> > > On Wednesday, March 15, 2017
This root inclusion request is currently in the public discussion phase [1]
After reviewing Taiwan GRCA's CP, CPS and related documents [2], I have the
following comments:
==Good==
1. GRCA has requested that this root be constrained to issuing certificates for
.tw domains.
2. The BR Self
On Thursday, June 1, 2017 at 5:03:15 PM UTC-7, Kathleen Wilson wrote:
> On Friday, May 26, 2017 at 9:32:57 AM UTC-7, Kathleen Wilson wrote:
> > On Wednesday, March 15, 2017 at 5:01:13 PM UTC-7, Kathleen Wilson wrote:
> > All,
> >
> > I requested that this CA perform a BR Self Assessment, and
On Friday, May 26, 2017 at 9:32:57 AM UTC-7, Kathleen Wilson wrote:
> On Wednesday, March 15, 2017 at 5:01:13 PM UTC-7, Kathleen Wilson wrote:
> All,
>
> I requested that this CA perform a BR Self Assessment, and they have attached
> their completed BR Self Assessment to the bug here:
>
On Wednesday, March 15, 2017 at 5:01:13 PM UTC-7, Kathleen Wilson wrote:
>
> So, if there are no further questions or comments about this CA's request,
> then I will close this discussion and recommend approval in the bug.
>
All,
I requested that this CA perform a BR Self Assessment, and
All,
My apologies for taking so long to get back to this discussion about the
Government of Taiwan's (GRCA's) request to include their Government Root
Certification Authority root certificate, and turn on the Websites and Email
trust bits.
Note that GRCA has suggested that this root be
Gervase Markham via dev-security-policy
writes:
>Peter: you are going to have to re-summarise your question. And then, if you
>are asking why Mozilla code works in a certain way, mozilla.dev.security or
>mozilla.dev.tech.crypto are almost certainly far
On 11/02/17 12:13, Peter Gutmann wrote:
> Is no-one at Mozilla able to explain why they did this? It's a nontrivial
> piece of code to implement, surely someone must know what the thinking was
> behind doing it this way?
Peter: you are going to have to re-summarise your question. And then, if
Kathleen Wilson於 2017年2月3日星期五 UTC+8上午6時36分54秒寫道:
> On Tuesday, December 13, 2016 at 2:36:15 PM UTC-8, Kathleen Wilson wrote:
> > Thanks to all of you who have reviewed and commented on this request from
> > Government of Taiwan, Government Root Certification Authority (GRCA), to
> > include
Kathleen Wilson writes:
>Indeed, and as per your comment here:
>https://bugzilla.mozilla.org/show_bug.cgi?id=1056341#c24
So just to satisfy my curiosity, it's been known ever since top-down
construction was first advocated by PKI loon^H^H^Htheoreticians:
On Tuesday, December 13, 2016 at 2:36:15 PM UTC-8, Kathleen Wilson wrote:
> Thanks to all of you who have reviewed and commented on this request from
> Government of Taiwan, Government Root Certification Authority (GRCA), to
> include their renewed Government Root Certification Authority root
>
On Thursday, December 15, 2016 at 10:56:52 AM UTC-8, Brian Smith wrote:
> It is important to fix the DoS issue with the path building when there
> are many choices for the same subject. SKI/AKI matching only fixes the
> DoS issue for benign cases, not malicious cases. Therefore some way of
>
Kathleen Wilson wrote:
> How about the following?
That sounds right to me.
It is important to fix the DoS issue with the path building when there
are many choices for the same subject. SKI/AKI matching only fixes the
DoS issue for benign cases, not malicious cases.
In regards to updating
https://wiki.mozilla.org/CA:How_to_apply#Root_certificates_with_the_same_subject_and_different_keys
?
How about the following?
~~
The standards allow for two CA certificates to have the same subject names but
different subject public keys. Please try to avoid this,
On Tue, Dec 13, 2016 at 12:36 PM, Kathleen Wilson wrote:
> Question: Do I need to update
> https://wiki.mozilla.org/CA:How_to_apply#Root_certificates_with_the_same_subject_and_different_keys
> ?
That description seems to have been written to describe the behavior
of the
Bonsoir,
Le mardi 13 décembre 2016 23:36:15 UTC+1, Kathleen Wilson a écrit :
[...]
> Question: Do I need to update
> https://wiki.mozilla.org/CA:How_to_apply#Root_certificates_with_the_same_subject_and_different_keys
> ?
There could be something trying to enforce that root certificates sharing
Thanks to all of you who have reviewed and commented on this request from
Government of Taiwan, Government Root Certification Authority (GRCA), to
include their renewed Government Root Certification Authority root certificate,
and turn on the Websites and Email trust bits.
To summarize this
On Saturday, December 10, 2016 at 3:30:09 AM UTC+2, Erwann Abalea wrote:
> I don't think there is a bug in IIS here. IIRC, you discovered that IIS
> doesn't send the self-issued certificate when loaded with the 2 self-signed
> root certs and the self-issued cert (1st gen signing 2nd gen). And
On Friday, December 9, 2016 at 1:43:27 AM UTC+2, Brian Smith wrote:
> Some people claimed some software may be unable to cope with two
> different CA certificates with the same subject DNs. Nobody claimed
> that Firefox is unable to cope with two CA certificates having the
> same subject DN. It
On Thursday, December 8, 2016 at 10:21:53 PM UTC+2, Gervase Markham wrote:
> On 05/12/16 21:10, Wen-Cheng Wang wrote:
> > I mean BR Audit is specifically for CAs that provide SSL
> > certificates. Therefore, it is not possible to conduct on those
> > subordinate CAs that do not provide SSL
Bonsoir,
Le mardi 6 décembre 2016 09:31:48 UTC+1, Wen-Cheng Wang a écrit :
> Hi Jacob,
>
> I think you get confused by My colleague Li-Chun's email because he mentioned
> a lot about using self-issued certificates for key-rollover, AIA certificate
> chaining support, and the bug of Microsoft
Gervase Markham wrote:
> Just to help me be clear: the request is for the inclusion of a root
> with the same DN as a previous root, which will still be included after
> the addition? Or the problem with duplicate DNs occurs further down the
> hierarchy?
Some people claimed
On 05/12/16 21:10, Wen-Cheng Wang wrote:
> I mean BR Audit is specifically for CAs that provide SSL
> certificates. Therefore, it is not possible to conduct on those
> subordinate CAs that do not provide SSL certificates,
AIUI, that's not actually true. As we found out recently when discussing
Hi Jacob,
I think you get confused by My colleague Li-Chun's email because he mentioned a
lot about using self-issued certificates for key-rollover, AIA certificate
chaining support, and the bug of Microsoft IIS (note: not IE browser) in
handling self-issued certificates. All these are
Hi Gervase,
On Monday, December 5, 2016 at 9:00:53 PM UTC+8, Gervase Markham wrote:
> On 04/12/16 08:17, Wen-Cheng Wang wrote:
> > You are wight, there are several subordinate CAs under our Government
> > Root CA. Our Government Root CA and all its subordinate have WebTrust
> > for CA audits.
On 04/12/2016 06:00, capuchin...@gmail.com wrote:
Jakob Bohm於 2016年12月4日星期日 UTC+8上午1時23分16秒寫道:
You have made a fundamental technical mistake.
I do not understand that why do you said that we made a fundamental technical
mistake? As I had participated in drafting RFC 5280, I am sure that our
On 04/12/16 08:17, Wen-Cheng Wang wrote:
> You are wight, there are several subordinate CAs under our Government
> Root CA. Our Government Root CA and all its subordinate have WebTrust
> for CA audits. However, among those subordinate CAs, only GCA will
> issue SSL certificates. Therefore, only
Wen-Cheng Wang writes:
>Actually, we have tested the capabilities of many browsers in the wild and
>found they can live peacefully with our PKIX-compliant root certs.
Ah, OK. That's the right way to do it.
>They are not so weak as you might think.
I bet I can create
On Sunday, December 4, 2016 at 11:56:13 PM UTC+8, Peter Bowen wrote:
> On Sun, Dec 4, 2016 at 7:26 AM, Wen-Cheng Wang wrote:
> > Gervase Markham於 2016年12月4日星期日 UTC+8下午6時27分55秒寫道:
> >> On 03/12/16 17:42, Peter Bowen wrote:
> >> > As to the inclusion request, I think Mozilla should reject this
> >>
On Sunday, December 4, 2016 at 11:56:13 PM UTC+8, Peter Bowen wrote:
> On Sun, Dec 4, 2016 at 7:26 AM, Wen-Cheng Wang wrote:
> > Gervase Markham於 2016年12月4日星期日 UTC+8下午6時27分55秒寫道:
> >> On 03/12/16 17:42, Peter Bowen wrote:
> >> > As to the inclusion request, I think Mozilla should reject this
> >>
On Sunday, December 4, 2016 at 11:56:13 PM UTC+8, Peter Bowen wrote:
> On Sun, Dec 4, 2016 at 7:26 AM, Wen-Cheng Wang wrote:
> > Gervase Markham於 2016年12月4日星期日 UTC+8下午6時27分55秒寫道:
> >> On 03/12/16 17:42, Peter Bowen wrote:
> >> > As to the inclusion request, I think Mozilla should reject this
> >>
On Sunday, December 4, 2016 at 5:58:56 PM UTC+8, Peter Gutmann wrote:
> Wen-Cheng Wang writes:
>
> >However, that does not means our PKIX (RFC-5280) conforimg implementation
> >will cause errors or bugs to current implementations of browsers.
>
> Given all the bizarre stuff that ended up in the
On Sun, Dec 4, 2016 at 7:26 AM, 王文正 wrote:
> Gervase Markham於 2016年12月4日星期日 UTC+8下午6時27分55秒寫道:
>> On 03/12/16 17:42, Peter Bowen wrote:
>> > As to the inclusion request, I think Mozilla should reject this
>> > request and add a clear rule to the Mozilla CA policy that each
Gervase Markham於 2016年12月4日星期日 UTC+8下午6時27分55秒寫道:
> On 03/12/16 17:42, Peter Bowen wrote:
> > As to the inclusion request, I think Mozilla should reject this
> > request and add a clear rule to the Mozilla CA policy that each CA
> > must have a unique DN. The DN should be a primary key for the
Gervase Markham於 2016年12月4日星期日 UTC+8下午6時18分48秒寫道:
> Hi Wen-Cheng,
>
> On 04/12/16 06:12, 王文正 wrote:
> > Requiring that Key rollover must be accompanied by DN rotation will
> > contradict with the PKIX standard and the original X.509 standard.
>
> Leaving aside the particular situation we are
On 03/12/16 17:42, Peter Bowen wrote:
> As to the inclusion request, I think Mozilla should reject this
> request and add a clear rule to the Mozilla CA policy that each CA
> must have a unique DN. The DN should be a primary key for the trust
> store and no two entries should have the same DN.
Hi Wen-Cheng,
On 04/12/16 06:12, 王文正 wrote:
> Requiring that Key rollover must be accompanied by DN rotation will
> contradict with the PKIX standard and the original X.509 standard.
Leaving aside the particular situation we are in, in general the Web PKI
uses X.509 and other standards as a
capuchin...@gmail.com writes:
>However, that does not means our PKIX (RFC-5280) conforimg implementation
>will cause errors or bugs to current implementations of browsers.
Given all the bizarre stuff that ended up in the PKIX spec, it would be quite
easy to create a fully
Peter Bowen於 2016年12月4日星期日 UTC+8上午1時43分00秒寫道:
> On Sat, Dec 3, 2016 at 9:22 AM, Jakob Bohm wrote:
> >
> > Using two different public keys with the same exact full distinguished
> > name is generally not expected to work. Some implementations may use
> > additional checks (such as the key
Jakob Bohm於 2016年12月4日星期日 UTC+8上午1時23分16秒寫道:
>
> You have made a fundamental technical mistake.
I do not understand that why do you said that we made a fundamental technical
mistake? As I had participated in drafting RFC 5280, I am sure that our
implementation fully conforms to RFC 5280 and of
lcchen.ci...@gmail.com writes:
>I explained the rollover certificate process outlined in RFC 4210 by signing
>the old public key with the new private key and the new public key with the
>old private key.
Uhh, that stuff was a gedanken experiment dreamed up by some folks
On Thu, Sep 22, 2016 at 12:57 AM, wrote:
> Peter Bowen於 2016年9月20日星期二 UTC+8下午11時53分29秒寫道:
>> On Fri, Sep 16, 2016 at 2:00 PM, Kathleen Wilson wrote:
>> >
>> > * CA Hierarchy: Diagram of CA Hierarchy: http://grca.nat.gov.tw/
>> > All subordinate CAs are
On Sat, Dec 3, 2016 at 9:22 AM, Jakob Bohm wrote:
> On 03/12/2016 09:34, lcchen.ci...@gmail.com wrote:
>>
>> In CA/Browser Forum 34th F2F meeting, the minutes is in
>> https://cabforum.org/2015/03/11/2015-03-11-minutes-of-cupertino-f2f-meeting-34/.
>> Li-Chun Chen (me) of
On 03/12/2016 09:34, lcchen.ci...@gmail.com wrote:
Kathleen Wilson於 2016年11月15日星期二 UTC+8上午9時20分09秒寫道:
All,
I will greatly appreciate it if you will review this request from Government of
Taiwan, Government Root Certification Authority (GRCA) to include their
Government Root Certification
Kathleen Wilson於 2016年11月15日星期二 UTC+8上午9時20分09秒寫道:
> All,
>
> I will greatly appreciate it if you will review this request from Government
> of Taiwan, Government Root Certification Authority (GRCA) to include their
> Government Root Certification Authority root certificate, and turn on the
>
All,
I will greatly appreciate it if you will review this request from Government of
Taiwan, Government Root Certification Authority (GRCA) to include their
Government Root Certification Authority root certificate, and turn on the
Websites and Email trust bits. This root cert will eventually
Peter Bowen於 2016年9月20日星期二 UTC+8下午11時53分29秒寫道:
> On Fri, Sep 16, 2016 at 2:00 PM, Kathleen Wilson wrote:
> >
> > * CA Hierarchy: Diagram of CA Hierarchy: http://grca.nat.gov.tw/
> > All subordinate CAs are operated by Taiwan Government organizations.
> > GCA is responsible
This request from Government of Taiwan, Government Root Certification Authority
(GRCA), is to include their Government Root Certification Authority root
certificate, and turn on the Websites and Email trust bits. This root cert will
eventually replace the previous GRCA root certificate that was
50 matches
Mail list logo