Re: Use cases of publicly-trusted certificates

2019-01-02 Thread Jakob Bohm via dev-security-policy
On 30/12/2018 14:18, Nick Lamb wrote: On Thu, 27 Dec 2018 22:43:19 +0100 Jakob Bohm via dev-security-policy wrote: You must be traveling in a rather limited bubble of PKIX experts, all of whom live and breathe the reading of RFC5280. Technical people outside that bubble may have easily

Re: Use cases of publicly-trusted certificates

2018-12-30 Thread Nick Lamb via dev-security-policy
On Thu, 27 Dec 2018 16:56:39 -0800 Peter Bowen via dev-security-policy wrote: > - The character Asterisk (U+002A, '*') is not allowed in dNSName SANs > per the same rule forbidding Low Line (U+005F, '_'). RFC 5280 does > say: "Finally, the semantics of subject alternative names that > include

Re: Use cases of publicly-trusted certificates

2018-12-30 Thread Nick Lamb via dev-security-policy
On Thu, 27 Dec 2018 22:43:19 +0100 Jakob Bohm via dev-security-policy wrote: > You must be traveling in a rather limited bubble of PKIX experts, all > of whom live and breathe the reading of RFC5280. Technical people > outside that bubble may have easily misread the relevant paragraph in >

Re: Use cases of publicly-trusted certificates

2018-12-27 Thread Peter Bowen via dev-security-policy
On Thu, Dec 27, 2018 at 9:04 AM Nick Lamb via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Thu, 27 Dec 2018 15:30:01 +0100 > Jakob Bohm via dev-security-policy > wrote: > > > The problem here is that the prohibition lies in a complex legal > > reading of multiple

RE: Use cases of publicly-trusted certificates

2018-12-27 Thread Jeremy Rowley via dev-security-policy
dev-security-policy Sent: Thursday, December 27, 2018 2:43 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Use cases of publicly-trusted certificates On 27/12/2018 18:03, Nick Lamb wrote: > On Thu, 27 Dec 2018 15:30:01 +0100 > Jakob Bohm via dev-security-policy >

Re: Use cases of publicly-trusted certificates

2018-12-27 Thread Jakob Bohm via dev-security-policy
On 27/12/2018 18:03, Nick Lamb wrote: > On Thu, 27 Dec 2018 15:30:01 +0100 > Jakob Bohm via dev-security-policy > wrote: > >> The problem here is that the prohibition lies in a complex legal >> reading of multiple documents, similar to a situation where a court >> rules that a set of laws has an

Re: Use cases of publicly-trusted certificates

2018-12-27 Thread Peter Bowen via dev-security-policy
On Thu, Dec 27, 2018 at 12:12 PM Wayne Thayer wrote: > On Wed, Dec 26, 2018 at 2:42 PM Peter Bowen via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> In the discussion of how to handle certain certificates that no longer >> meet >> CA/Browser Forum baseline

Re: Use cases of publicly-trusted certificates

2018-12-27 Thread Peter Bowen via dev-security-policy
On Thu, Dec 27, 2018 at 8:34 AM Ryan Sleevi via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Thu, Dec 27, 2018 at 11:12 AM Jakob Bohm via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > Yes, you are consistently mischaracterizing everything

Re: Use cases of publicly-trusted certificates

2018-12-27 Thread Jakob Bohm via dev-security-policy
On 27/12/2018 17:28, Ryan Sleevi wrote: On Thu, Dec 27, 2018 at 11:12 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: Yes, you are consistently mischaracterizing everything I post. My question was a refinement of the original question to the one case

Re: Use cases of publicly-trusted certificates

2018-12-27 Thread Nick Lamb via dev-security-policy
On Thu, 27 Dec 2018 15:30:01 +0100 Jakob Bohm via dev-security-policy wrote: > The problem here is that the prohibition lies in a complex legal > reading of multiple documents, similar to a situation where a court > rules that a set of laws has an (unexpected to many) legal > consequence. I

Re: Use cases of publicly-trusted certificates

2018-12-27 Thread Ryan Sleevi via dev-security-policy
On Thu, Dec 27, 2018 at 11:12 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Yes, you are consistently mischaracterizing everything I post. > > My question was a refinement of the original question to the one case > where the alternative in the original

Re: Use cases of publicly-trusted certificates

2018-12-27 Thread James Burton via dev-security-policy
The main reason that publicly trusted certificates are used by organizations for all infrastructure (internal and external) is that it's far cheaper than building and maintaining an internal PKI. On Thu, Dec 27, 2018 at 4:14 PM Jakob Bohm via dev-security-policy <

Re: Use cases of publicly-trusted certificates

2018-12-27 Thread Jakob Bohm via dev-security-policy
On 27/12/2018 17:13, Jakob Bohm wrote: On 27/12/2018 17:02, Rob Stradling wrote: On 27/12/2018 15:38, Jakob Bohm via dev-security-policy wrote: For example, the relevant EKU is named "id-kp-serverAuth" not "id-kp-browserWwwServerAuth". WWW is mentioned only in a comment under the OID

Re: Use cases of publicly-trusted certificates

2018-12-27 Thread Jakob Bohm via dev-security-policy
On 27/12/2018 17:02, Rob Stradling wrote: On 27/12/2018 15:38, Jakob Bohm via dev-security-policy wrote: For example, the relevant EKU is named "id-kp-serverAuth" not "id-kp-browserWwwServerAuth". WWW is mentioned only in a comment under the OID definition. Hi Jakob. Are you suggesting

Re: Use cases of publicly-trusted certificates

2018-12-27 Thread Jakob Bohm via dev-security-policy
On 27/12/2018 16:55, Ryan Sleevi wrote: On Thu, Dec 27, 2018 at 10:41 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: He described three combined conditions to be met. You've described a situation "What if you meet two, but not three". I believe that was

Re: Use cases of publicly-trusted certificates

2018-12-27 Thread Rob Stradling via dev-security-policy
On 27/12/2018 15:38, Jakob Bohm via dev-security-policy wrote: > For example, the relevant EKU is named "id-kp-serverAuth" not > "id-kp-browserWwwServerAuth". WWW is mentioned only in a comment under the > OID definition. Hi Jakob. Are you suggesting that comments in ASN.1 specifications are

Re: Use cases of publicly-trusted certificates

2018-12-27 Thread Ryan Sleevi via dev-security-policy
On Thu, Dec 27, 2018 at 10:41 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > He described three combined conditions to be met. You've described a > > situation "What if you meet two, but not three". I believe that was > > originally captured in his

Re: Use cases of publicly-trusted certificates

2018-12-27 Thread Ryan Sleevi via dev-security-policy
On Thu, Dec 27, 2018 at 10:38 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > PKIX clearly uses definitions that make it clear that the same PKI > should be used for most/all TLS implementations for the public Internet, > and this is indeed the common

Re: Use cases of publicly-trusted certificates

2018-12-27 Thread Jakob Bohm via dev-security-policy
On 27/12/2018 16:24, Ryan Sleevi wrote: > On Thu, Dec 27, 2018 at 9:34 AM Jakob Bohm via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> On 26/12/2018 22:42, Peter Bowen wrote: >>> In the discussion of how to handle certain certificates that no longer >> meet >>>

Re: Use cases of publicly-trusted certificates

2018-12-27 Thread Jakob Bohm via dev-security-policy
On 27/12/2018 16:16, Ryan Sleevi wrote: On Thu, Dec 27, 2018 at 9:30 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: Also it isn't the "Web PKI". It is the "Public TLS PKI", which is not confined to Web Browsers surfing online shops and social networks,

Re: Use cases of publicly-trusted certificates

2018-12-27 Thread Ryan Sleevi via dev-security-policy
On Thu, Dec 27, 2018 at 9:34 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 26/12/2018 22:42, Peter Bowen wrote: > > In the discussion of how to handle certain certificates that no longer > meet > > CA/Browser Forum baseline requirements, Wayne asked

Re: Use cases of publicly-trusted certificates

2018-12-27 Thread Ryan Sleevi via dev-security-policy
On Thu, Dec 27, 2018 at 9:30 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Also it isn't the "Web PKI". It is the "Public TLS PKI", which is not > confined to Web Browsers surfing online shops and social networks, and > hasn't > been since at least the

Re: Use cases of publicly-trusted certificates

2018-12-27 Thread Jakob Bohm via dev-security-policy
On 26/12/2018 22:42, Peter Bowen wrote: > In the discussion of how to handle certain certificates that no longer meet > CA/Browser Forum baseline requirements, Wayne asked for the "Reason that > publicly-trusted certificates are in use" by the customers. This seems to > imply that Mozilla has an

Re: Use cases of publicly-trusted certificates

2018-12-27 Thread Jakob Bohm via dev-security-policy
On 27/12/2018 13:39, Nick Lamb wrote: > As a relying party I read this in the context of the fact that we're > talking about names that are anyway prohibited. > The problem here is that the prohibition lies in a complex legal reading of multiple documents, similar to a situation where a court

Re: Use cases of publicly-trusted certificates

2018-12-27 Thread Nick Lamb via dev-security-policy
As a relying party I read this in the context of the fact that we're talking about names that are anyway prohibited. Why would you need a publicly trusted certificate that specifies a name that is publicly prohibited? I guess the answer is "But it works on Windows". And Windows is welcome to

Use cases of publicly-trusted certificates

2018-12-26 Thread Peter Bowen via dev-security-policy
In the discussion of how to handle certain certificates that no longer meet CA/Browser Forum baseline requirements, Wayne asked for the "Reason that publicly-trusted certificates are in use" by the customers. This seems to imply that Mozilla has an opinion that the default should not be to use