Re: [FORGED] Re: How Certificates are Verified by Firefox

2019-12-09 Thread Jakob Bohm via dev-security-policy
On 2019-12-09 11:44, Ben Laurie wrote: On Wed, 4 Dec 2019 at 22:13, Ryan Sleevi wrote: Yes, I am one of the ones who actively disputes the notion that AIA considered harmful. I'm (pleasantly) surprised that any CA would be opposed to AIA (i.e. supportive of "considered harmful", since it's inh

Re: [FORGED] Re: How Certificates are Verified by Firefox

2019-12-09 Thread Ben Laurie via dev-security-policy
is >> an >> idea whose time has come. >> >> -Tim >> >> > -Original Message----- >> > From: dev-security-policy < >> dev-security-policy-boun...@lists.mozilla.org> >> On >> > Behalf Of Wayne Thayer via dev-security-policy

Re: [FORGED] Re: How Certificates are Verified by Firefox

2019-12-09 Thread Ben Laurie via dev-security-policy
On Mon, 2 Dec 2019 at 20:28, Wayne Thayer wrote: > Why not "AIA chasing considered harmful"? The current state of affairs is > that most browsers [other than Firefox] will go and fetch the intermediate > if it's not cached. This manifests itself as sites not working in Firefox, > and users switch

Re: [FORGED] Re: How Certificates are Verified by Firefox

2019-12-08 Thread Ryan Sleevi via dev-security-policy
On Sun, Dec 8, 2019 at 7:14 PM Eric Mill wrote: > On Thu, Dec 5, 2019 at 12:34 PM Ryan Sleevi via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> From looking at better security, the 'ideal' path is that modern clients >> are only trusting modern (new) roots, which neve

Re: [FORGED] Re: How Certificates are Verified by Firefox

2019-12-08 Thread Eric Mill via dev-security-policy
On Thu, Dec 5, 2019 at 12:34 PM Ryan Sleevi via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > From looking at better security, the 'ideal' path is that modern clients > are only trusting modern (new) roots, which never issued old crappy certs. > That is, the path "D -> A ->

Re: [FORGED] Re: How Certificates are Verified by Firefox

2019-12-05 Thread Ryan Sleevi via dev-security-policy
On Thu, Dec 5, 2019 at 10:42 AM Nick Lamb wrote: > On Wed, 4 Dec 2019 17:12:50 -0500 > Ryan Sleevi via dev-security-policy > wrote: > > > Yes, I am one of the ones who actively disputes the notion that AIA > > considered harmful. > > As not infrequently happens I can't agree with Ryan here. AIA

Re: [FORGED] Re: How Certificates are Verified by Firefox

2019-12-05 Thread Nick Lamb via dev-security-policy
On Wed, 4 Dec 2019 17:12:50 -0500 Ryan Sleevi via dev-security-policy wrote: > Yes, I am one of the ones who actively disputes the notion that AIA > considered harmful. As not infrequently happens I can't agree with Ryan here. AIA chasing in browsers is a non-trivial privacy leak AND doesn't mat

Re: [FORGED] Re: How Certificates are Verified by Firefox

2019-12-04 Thread Ryan Sleevi via dev-security-policy
soning >> > behind it is not as widely understood as it needs to be, even among TLS >> > experts. >> > >> > I'm very appreciative of Firefox's efforts in this area. Leveraging the >> > knowledge of all the publicly disclosed ICAs to improve chai

Re: How Certificates are Verified by Firefox

2019-12-04 Thread Matthew Hardeman via dev-security-policy
> was >> > > disputed at the TLS session at IETF 105, which shows that the >> reasoning >> > > behind it is not as widely understood as it needs to be, even among >> TLS >> > > experts. >> > > >> > > I'm very appreci

Re: How Certificates are Verified by Firefox

2019-12-04 Thread Peter Bowen via dev-security-policy
fox's efforts in this area. Leveraging > the > > > knowledge of all the publicly disclosed ICAs to improve chain-building > is > > > an > > > idea whose time has come. > > > > > > -Tim > > > > > > > -Original Message-

Re: [FORGED] Re: How Certificates are Verified by Firefox

2019-12-04 Thread Matthew Hardeman via dev-security-policy
> > idea whose time has come. > > > > -Tim > > > > > -Original Message- > > > From: dev-security-policy < > dev-security-policy-boun...@lists.mozilla.org > > > > > On > > > Behalf Of Wayne Thayer via dev-security-polic

Re: [FORGED] Re: How Certificates are Verified by Firefox

2019-12-04 Thread Ryan Sleevi via dev-security-policy
se time has come. > > -Tim > > > -Original Message- > > From: dev-security-policy > > On > > Behalf Of Wayne Thayer via dev-security-policy > > Sent: Monday, December 2, 2019 3:29 PM > > To: Ben Laurie > > Cc: mozilla-dev-security-policy > ;

RE: [FORGED] Re: How Certificates are Verified by Firefox

2019-12-04 Thread Tim Hollebeek via dev-security-policy
; To: Ben Laurie > Cc: mozilla-dev-security-policy ; > Peter Gutmann > Subject: Re: [FORGED] Re: How Certificates are Verified by Firefox > > Why not "AIA chasing considered harmful"? The current state of affairs is that > most browsers [other than Firefox] will go

Re: [FORGED] Re: How Certificates are Verified by Firefox

2019-12-02 Thread Wayne Thayer via dev-security-policy
Why not "AIA chasing considered harmful"? The current state of affairs is that most browsers [other than Firefox] will go and fetch the intermediate if it's not cached. This manifests itself as sites not working in Firefox, and users switching to other browsers. You may be further dismayed to lear

Re: [FORGED] Re: How Certificates are Verified by Firefox

2019-11-28 Thread Ben Laurie via dev-security-policy
On Thu, 28 Nov 2019 at 20:22, Peter Gutmann wrote: > Ben Laurie via dev-security-policy > writes: > > >In short: caching considered harmful. > > Or "caching considered necessary to make things work"? If you happen to visit a bazillion sites a day. > In particular: > > >caching them and fill

Re: [FORGED] Re: How Certificates are Verified by Firefox

2019-11-28 Thread Peter Gutmann via dev-security-policy
Ben Laurie via dev-security-policy writes: >In short: caching considered harmful. Or "caching considered necessary to make things work"? In particular: >caching them and filling in missing ones means that failure to present >correct cert chains is common behaviour. Which came first? Was ca

Re: How Certificates are Verified by Firefox

2019-11-28 Thread Ben Laurie via dev-security-policy
One of the things that was quite annoying when developing CT was browser behaviour wrt intermediates - caching them and filling in missing ones means that failure to present correct cert chains is common behaviour. Which means that anything that _doesn't_ see a lot of certs has quite a low chance o

How Certificates are Verified by Firefox

2019-11-19 Thread Wayne Thayer via dev-security-policy
If you are one of the many people who have wondered how exactly Firefox handles some aspect of certificate processing, you may be interested to know that we have recently updated the information on our wiki: https://wiki.mozilla.org/SecurityEngineering/Certificate_Verification I hope you find thi