Re: Deficiencies in the Web PKI and Mozilla's shepherding thereof, exposed by the WoSign affair

2016-10-05 Thread Tom Ritter
On 4 October 2016 at 06:12, Eric Rescorla wrote:
> with the exception of the end-entity certificate which MUST be first.

After testing, this part seems to be the component that stops my idea. I could build paths to arbitrary roots with extra chains contained in the list... but

Re: Deficiencies in the Web PKI and Mozilla's shepherding thereof, exposed by the WoSign affair

2016-10-04 Thread Eric Rescorla
On Mon, Oct 3, 2016 at 9:44 PM, Peter Bowen wrote:
> On Mon, Oct 3, 2016 at 5:24 PM, Jakob Bohm wrote:
> > On 03/10/2016 20:41, Kyle Hamilton wrote:
> >> WoSign is known to be cross-signed by several independent CAs (as well as
> >
> >> 2. There is

Re: Deficiencies in the Web PKI and Mozilla's shepherding thereof, exposed by the WoSign affair

2016-10-04 Thread Gervase Markham
Hi Kyle,

On 03/10/16 19:41, Kyle Hamilton wrote:
> WoSign is known to be cross-signed by several independent CAs (as well as 1 CA which is no longer deemed to be independent). If it wished to bypass any attempt to distrust it, all it would have to do is be cross-signed by another CA.

Re: Deficiencies in the Web PKI and Mozilla's shepherding thereof, exposed by the WoSign affair

2016-10-03 Thread Peter Bowen
On Mon, Oct 3, 2016 at 5:24 PM, Jakob Bohm wrote:
> On 03/10/2016 20:41, Kyle Hamilton wrote:
>> WoSign is known to be cross-signed by several independent CAs (as well as
>
>> 2. There is only One Certificate Path that can be proven in TLS, which prevents risk management

Re: Deficiencies in the Web PKI and Mozilla's shepherding thereof, exposed by the WoSign affair

2016-10-03 Thread Tom Ritter
On 3 October 2016 at 19:24, Jakob Bohm wrote:
> On 03/10/2016 20:41, Kyle Hamilton wrote:
>> 2. There is only One Certificate Path that can be proven in TLS, which prevents risk management by end-entities.
>>
>
> Are you sure, I thought the standard TLS protocol