Re: Is Firefox SHA-1 Deprecation Policy configurable?

2016-09-17 Thread sjw
I think that's the security.pki.sha1_enforcement_level pref [1][2].

Regards,
Jonas

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=942515#c35
[2] https://blog.mozilla.org/security/2016/01/06/man-in-the-middle-interfering-with-increased-security/

Am 16.09.2016 um 16:53 schrieb therickf...@gma

Re: WoSign Issue L and port 8080

2016-09-17 Thread Florian Weimer
* Nick Lamb:
> On Sunday, 11 September 2016 21:05:12 UTC+1, Lee wrote:
>> does dns hijacking or dns cache poisoning count as mitm?
>
> A careful CA validator does DNS only by making authoritative queries,
> so they're not subject to cache poisoning since they don't look at
> cached answers.

I'm

Re: Certificate Concern about Cloudflare's DNS

2016-09-17 Thread Florian Weimer
* Ben Laurie:
> On 10 September 2016 at 15:43, Erwann Abalea wrote:
>> Ironically, since you're not the Subscriber, you cannot request for
>> the revocation of this certificate, at least not directly to the
>> CA. If you want this certificate to be revoked, you need to ask
>> Cloudflare.
>
> Sure

Re: Certificate Concern about Cloudflare's DNS

2016-09-17 Thread Florian Weimer
* Peter Bowen:
> On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei wrote:
>> So when I delegated the DNS service to Cloudflare, Cloudflare have
>> the privilege to issue the certificate by default? Can I understand
>> like that?
>
> I would guess that they have a clause in their terms of service or
> c

Re: Certificate Concern about Cloudflare's DNS

2016-09-17 Thread Patrick Figel
On 17/09/16 16:38, Florian Weimer wrote:
> * Peter Bowen:
>
>> On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei
>> wrote:
>>> So when I delegated the DNS service to Cloudflare, Cloudflare
>>> have the privilege to issue the certificate by default? Can I
>>> understand like that?
>>
>> I would guess

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-09-17 Thread Peter Bowen
On Wed, Aug 3, 2016 at 2:45 PM, Kathleen Wilson wrote:
> This request from Guangdong Certificate Authority (GDCA) is to include the
> "GDCA TrustAUTH R5 ROOT" certificate, turn on the Websites trust bit, and
> enabled EV treatment.
>
> * CA Hierarchy: This root certificate has internally-operate

Re: Certificate Concern about Cloudflare's DNS

2016-09-17 Thread Matt Palmer
On Sat, Sep 17, 2016 at 04:38:50PM +0200, Florian Weimer wrote:
> * Peter Bowen:
>
> > On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei wrote:
> >> So when I delegated the DNS service to Cloudflare, Cloudflare have
> >> the privilege to issue the certificate by default? Can I understand
> >> like that