> > This discussion should consider what's best for Mozilla's users. Perhaps
> > that aligns precisely with the minimum requirements in the EVGs, or perhaps
> > it doesn't. Mozilla are free to specify additional requirements if they
> > feel the need to do so, just as Microsoft did recently...
>

On Mon, May 16, 2016 at 6:06 AM, Rob Stradling wrote:
> On 16/05/16 01:43, Peter Bowen wrote:
>
> This discussion should consider what's best for Mozilla's users. Perhaps
> that aligns precisely with the minimum requirements in the EVGs, or perhaps
> it doesn't. Mozilla

On 16/05/16 01:13, Kathleen Wilson wrote:
> 3) If a website is using its SSL certificate to mask injection of malware and
> evidence of that is presented to the issuing CA, is that sufficient misuse
> for the CA to be required to revoke the certificate?
Counter-question to many of these: who

Gerv wrote,
"Counter-question to many of these: who defines what is malware, and who
made them king?"
The contract that the CA enters into with the subscriber should have done
that.
Subscriber Agreements should have language in them that says something to
the effect, "We can revoke your

The new reports are at the following new links. A couple columns were added:
'Parent Name', 'SHA-256 Fingerprint'.
https://mozillacaprogram.secure.force.com/CA/PublicAllIntermediateCerts
https://mozillacaprogram.secure.force.com/CA/PublicAllIntermediateCertsCSV
I have also updated the links in

On 13/05/16 22:09, Richard Barnes wrote:
Thanks for explaining the specifics, Rob. To restate and check my
understanding, this is a "Y-shaped" scenario, with the following CAs (by
CN):
(1) AddTrust External CA Root (included, owned by Comodo)
(2) UTN-USERFirst-Hardware (included, owned by

On 16/05/16 17:20, Kathleen Wilson wrote:
This discussion should consider what's best for Mozilla's users. Perhaps
that aligns precisely with the minimum requirements in the EVGs, or perhaps
it doesn't. Mozilla are free to specify additional requirements if they
feel the need to do so, just as

On Mon, May 16, 2016 at 09:20:40AM -0700, Kathleen Wilson wrote:
> In regards to Mozilla policy, maybe we should consider adding text about
> Mozilla's expectations for CAs when they find out that a TLS/SSL
> certificate that they issued is being used to do bad things.
Mozilla should expect that

Thanks Kathleen.
PublicAllIntermediateCertsCSV is missing quite a few entries compared to
my own CSV export of the "All Public Intermediate Certs" report.
I've reviewed the differences. It looks like you're now omitting
incomplete records and records for intermediates that didn't actually

On Monday, May 16, 2016 at 11:27:21 AM UTC-7, Kathleen Wilson wrote:
> The new reports are at the following new links. A couple columns were added:
> 'Parent Name', 'SHA-256 Fingerprint'.
>
> https://mozillacaprogram.secure.force.com/CA/PublicAllIntermediateCerts
>

On Mon, May 16, 2016 at 02:22:08PM +0200, Richard Z wrote:
> On Sun, May 15, 2016 at 05:43:39PM -0700, Peter Bowen wrote:
>
> > Some CAs may choose to not issue to sites known to inject malware, but
> > this outside the scope of the SSL requirements. The EV Guidelines it
> > very clear that the

On Sun, May 15, 2016 at 05:43:39PM -0700, Peter Bowen wrote:
> "By providing more reliable third-party verified identity and address
> information regarding the business, EV Certificates may help to [...]
> Assist law enforcement organizations in their investigations of
> phishing and other online

On 16/05/16 01:43, Peter Bowen wrote:
Some CAs may choose to not issue to sites known to inject malware, but
this outside the scope of the SSL requirements. The EV Guidelines it
very clear that the reputation and actions of the Subject are not in
scope:
Peter, I'd just like to point out that

Matt Palmer writes:
>On Mon, May 16, 2016 at 02:22:08PM +0200, Richard Z wrote:
>> knowingly issuing/tolerating certificates for sites known to inject
>> malware is
>> * contrary to user expectations
>
>[Citation needed]
So you're saying users expect CAs to certify malware

On Sun, May 15, 2016 at 05:43:39PM -0700, Peter Bowen wrote:
> Some CAs may choose to not issue to sites known to inject malware, but
> this outside the scope of the SSL requirements. The EV Guidelines it
> very clear that the reputation and actions of the Subject are not in
> scope:
knowingly
15 matches