On 2019-12-09 11:44, Ben Laurie wrote:
On Wed, 4 Dec 2019 at 22:13, Ryan Sleevi wrote:
Yes, I am one of the ones who actively disputes the notion that AIA
considered harmful.
I'm (plesantly) surprised that any CA would be opposed to AIA (i.e.
supportive of "considered harmful", since it's inh
is
>> an
>> idea whose time has come.
>>
>> -Tim
>>
>> > -Original Message-----
>> > From: dev-security-policy <
>> dev-security-policy-boun...@lists.mozilla.org>
>> On
>> > Behalf Of Wayne Thayer via dev-security-policy
&
On Mon, 2 Dec 2019 at 20:28, Wayne Thayer wrote:
> Why not "AIA chasing considered harmful"? The current state of affairs is
> that most browsers [other than Firefox] will go and fetch the intermediate
> if it's not cached. This manifests itself as sites not working in Firefox,
> and users switch
On Sun, Dec 8, 2019 at 7:14 PM Eric Mill wrote:
> On Thu, Dec 5, 2019 at 12:34 PM Ryan Sleevi via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> From looking at better security, the 'ideal' path is that modern clients
>> are only trusting modern (new) roots, which neve
On Thu, Dec 5, 2019 at 12:34 PM Ryan Sleevi via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> From looking at better security, the 'ideal' path is that modern clients
> are only trusting modern (new) roots, which never issued old crappy certs.
> That is, the path "D -> A ->
On Thu, Dec 5, 2019 at 10:42 AM Nick Lamb wrote:
> On Wed, 4 Dec 2019 17:12:50 -0500
> Ryan Sleevi via dev-security-policy
> wrote:
>
> > Yes, I am one of the ones who actively disputes the notion that AIA
> > considered harmful.
>
> As not infrequently happens I can't agree with Ryan here. AIA
On Wed, 4 Dec 2019 17:12:50 -0500
Ryan Sleevi via dev-security-policy
wrote:
> Yes, I am one of the ones who actively disputes the notion that AIA
> considered harmful.
As not infrequently happens I can't agree with Ryan here. AIA chasing in
browsers is a non-trivial privacy leak AND doesn't mat
soning
>> > behind it is not as widely understood as it needs to be, even among TLS
>> > experts.
>> >
>> > I'm very appreciative of Firefox's efforts in this area. Leveraging the
>> > knowledge of all the publicly disclosed ICAs to improve chai
gt; was
>> > > disputed at the TLS session at IETF 105, which shows that the
>> reasoning
>> > > behind it is not as widely understood as it needs to be, even among
>> TLS
>> > > experts.
>> > >
>> > > I'm very appreci
fox's efforts in this area. Leveraging
> the
> > > knowledge of all the publicly disclosed ICAs to improve chain-building
> is
> > > an
> > > idea whose time has come.
> > >
> > > -Tim
> > >
> > > > -Original Message-
> > idea whose time has come.
> >
> > -Tim
> >
> > > -Original Message-
> > > From: dev-security-policy <
> dev-security-policy-boun...@lists.mozilla.org
> > >
> > On
> > > Behalf Of Wayne Thayer via dev-security-polic
se time has come.
>
> -Tim
>
> > -Original Message-
> > From: dev-security-policy >
> On
> > Behalf Of Wayne Thayer via dev-security-policy
> > Sent: Monday, December 2, 2019 3:29 PM
> > To: Ben Laurie
> > Cc: mozilla-dev-security-policy
> ;
&
; To: Ben Laurie
> Cc: mozilla-dev-security-policy
;
> Peter Gutmann
> Subject: Re: [FORGED] Re: How Certificates are Verified by Firefox
>
> Why not "AIA chasing considered harmful"? The current state of affairs is
that
> most browsers [other than Firefox] will go
Why not "AIA chasing considered harmful"? The current state of affairs is
that most browsers [other than Firefox] will go and fetch the intermediate
if it's not cached. This manifests itself as sites not working in Firefox,
and users switching to other browsers.
You may be further dismayed to lear
On Thu, 28 Nov 2019 at 20:22, Peter Gutmann
wrote:
> Ben Laurie via dev-security-policy
> writes:
>
> >In short: caching considered harmful.
>
> Or "cacheing considered necessary to make things work"?
If you happen to visit a bazillion sites a day.
> In particular:
>
> >caching them and fill
Ben Laurie via dev-security-policy
writes:
>In short: caching considered harmful.
Or "cacheing considered necessary to make things work"? In particular:
>caching them and filling in missing ones means that failure to present
>correct cert chains is common behaviour.
Which came first? Was ca
One of the things that was quite annoying when developing CT was browser
behaviour wrt intermediates - caching them and filling in missing ones
means that failure to present correct cert chains is common behaviour.
Which means that anything that _doesn't_ see a lot of certs has quite a low
chance o
If you are one of the many people who have wondered how exactly Firefox
handles some aspect of certificate processing, you may be interested to
know that we have recently updated the information on our wiki:
https://wiki.mozilla.org/SecurityEngineering/Certificate_Verification
I hope you find thi
18 matches
Mail list logo