On Tue, Mar 24, 2015 at 8:52 PM, Kathleen Wilson kwil...@mozilla.com wrote:
... which includes local-parts of admin, ...
Perhaps better as "which are limited to" or some such? "Includes" makes
it sound non-exhaustive.
--
https://annevankesteren.nl/
___
On 24/03/15 19:58, Florian Weimer wrote:
snip
There's also an ongoing effort to defang CT and make the data much
less useful, so CT could turn meaningless fairly soon.
Huh?
--
Rob Stradling
Senior Research Development Scientist
COMODO - Creating Trust Online
* Florian Weimer:
* Kai Engert:
The discovery of any unconstrained and unrevoked intermediate CA
certificate that isn't controlled by the root CA organization results in
the immediate removal of the root CA from the Mozilla CA list.
In this case, wouldn't this require the removal of the
On 25/03/15 10:12, Florian Weimer wrote:
* Rob Stradling:
On 24/03/15 19:58, Florian Weimer wrote:
snip
There's also an ongoing effort to defang CT and make the data much
less useful, so CT could turn meaningless fairly soon.
Huh?
The work on name redaction worries me.
I wondered if
* Rob Stradling:
On 24/03/15 19:58, Florian Weimer wrote:
snip
There's also an ongoing effort to defang CT and make the data much
less useful, so CT could turn meaningless fairly soon.
Huh?
The work on name redaction worries me.
___
On Fri, Mar 20, 2015 at 11:48 PM, Peter Kurrasch fhw...@gmail.com wrote:
I do still think it would be a good idea to get the word out so that
concerned admins can fix their sites before things suddenly stop working.
If they use the developer edition of Firefox they'll discover this in
time. I
* Gervase Markham:
On 25/03/15 10:27, Florian Weimer wrote:
* The CNNIC CPS is incorrect, and they no longer run an
Entrust-sponsored sub-CA.
I believe this is the correct answer. Quoting Bruce Morton in this thread:
Please note that the intermediate certificate which Entrust issued to
On Wednesday, March 25, 2015 at 6:28:34 AM UTC-4, Florian Weimer wrote:
* Florian Weimer:
* Kai Engert:
The discovery of any unconstrained and unrevoked intermediate CA
certificate that isn't controlled by the root CA organization results in
the immediate removal of the root CA from
On 25/03/15 10:27, Florian Weimer wrote:
* The CNNIC CPS is incorrect, and they no longer run an
Entrust-sponsored sub-CA.
I believe this is the correct answer. Quoting Bruce Morton in this thread:
Please note that the intermediate certificate which Entrust issued to
CNNIC expired in 2012
On Wed, Mar 25, 2015 at 10:10 AM, Kathleen Wilson kwil...@mozilla.com wrote:
All,
I appreciate your thoughtful and constructive feedback on this situation.
The suggestions regarding the CNNIC root certificates that I've interpreted
from this discussion are as follows. These are listed in no
All,
I appreciate your thoughtful and constructive feedback on this situation.
The suggestions regarding the CNNIC root certificates that I've
interpreted from this discussion are as follows. These are listed in no
particular order, and are not necessarily mutually exclusive.
A) Remove both
On Wed, March 25, 2015 10:18 am, Peter Bowen wrote:
E) Enable existing CNNIC-issued certificates to continue to work but
block new ones. Two possible ways this could be done:
1) Code a cutoff date, and treat any certificate with a not_before
date after the cutoff date as untrusted.
2)
On Wed, Mar 25, 2015 at 12:20 PM, Gervase Markham g...@mozilla.org wrote:
On 25/03/15 17:45, Ryan Sleevi wrote:
That is, in a hypothetical world where E1 is pursued (for any CA), the CA
can simply backdate the certificate. They'd be non-compliant with the
Baseline Requirements, presumably, but
Peter Bowen pzbo...@gmail.com wrote:
One possible solution is to require that all certificates for CAs that
issue Subscriber certificates (those without CA:TRUE) have zero path
length constraint in the basic constraints extension. All CAs with
certificates with a longer allowed path length or
On 25/03/15 17:45, Ryan Sleevi wrote:
That is, in a hypothetical world where E1 is pursued (for any CA), the CA
can simply backdate the certificate. They'd be non-compliant with the
Baseline Requirements, presumably, but that is somewhat how we got here in
the first place.
So purely on a
B) Take away EV treatment (green bar) from the China Internet Network
Information Center EV Certificates Root certificate. Note that the
CNNIC ROOT certificate is not enabled for EV treatment.
The lock indicating a secure connection can be taken away completely,
while still leaving
Someone correct me if I'm wrong, but my understanding of the Superfish debacle
is that sites that have EV certs would get the green bar treatment on other
devices but not on the Lenovo devices where Superfish was installed. The
implication, then, is that the green bar provides no improvement
On Wed, Mar 25, 2015 at 6:24 PM, Peter Kurrasch fhw...@gmail.com wrote:
Someone correct me if I'm wrong, but my understanding of the Superfish
debacle is that sites that have EV certs would get the green bar treatment on
other devices but not on the Lenovo devices where Superfish was
On 24/03/15 21:12, Peter Kurrasch wrote:
As to who should be forced to constrain, this is controversial. I would
argue that everyone should be forced, but that has certain problems. One
can argue that only government-run and certain other CAs should be
forced but then we are put in the
On Wednesday, 25 March 2015 07:02:06 UTC+1, Daniel Micay wrote:
* Browser people detected this misissuance
This one, but not at least several others issued by this CA.
Are you still talking about facts? Then please provide other misissued
certificates.
* CAs don't want to go out of
* Daniel Micay:
In other words, if you want the responsible choice to be made in these
cases then you should be contacting news publications to shame Mozilla
into doing the right thing - not a Mozilla mailing list.
Ugh, surely there has to be a better way.
I sometimes get carried away and
On Wed, March 25, 2015 7:52 pm, Peter Kurrasch wrote:
I'm not suggesting I have a firm answer in mind, but I am saying that
while we're focusing on CNNIC it doesn't seem right that the actual
perpetrator suffers no consequence.
Peter,
Hopefully my first reply to Kathleen's message has
Perhaps I chose my words poorly because my intention actually was to avoid
having to pass judgment at all. Instead of saying to a CA "we don't trust you
enough, please constrain" I was hoping for something along the lines of
"everybody is asked to constrain to make the internet safer for everyone."