360 team hacks Chrome

2017-03-06 Thread Richard Wang via dev-security-policy
Pwn2Own 2016: Chinese Researcher Hacks Google Chrome within 11 minutes http://www.prnewswire.com/news-releases/pwn2own-2016-chinese-researcher-hacks-google-chrome-within-11-minutes-300237705.html Best Regards, Richard

Re: 360 team hacks Chrome

2017-03-06 Thread Eric Mill via dev-security-policy
I'll include Richard Barnes' response to cabfpublic here too, for completeness: -- Forwarded message -- From: "Richard Barnes via Public" Date: Mar 6, 2017 8:58 AM Subject: Re: [cabfpub] 360 team hacks Chrome To: "CA/Browser Forum Public Discussion List"

Mozilla Root Store Policy 2.4.1

2017-03-06 Thread Gervase Markham via dev-security-policy
The next stage in the improvement of the Mozilla Root Store Policy is version 2.4.1. This is version 2.4, but rearranged significantly to have a more topic-based ordering and structure to it. I have also made editorial changes to clean up and clarify language, and improved the Markdown markup.

Re: 360 team hacks Chrome

2017-03-06 Thread Richard Wang via dev-security-policy
Sorry, I posted old news that I just saw. Please ignore it. Best Regards, Richard > On 6 Mar 2017, at 21:45, Richard Wang via dev-security-policy > wrote: > > Pwn2Own 2016: Chinese Researcher Hacks Google Chrome within 11 minutes >

Re: Mozilla Root Store Policy 2.4.1

2017-03-06 Thread Ryan Sleevi via dev-security-policy
Hi Gerv, I'm assuming as with previous discussions, you'd like to keep the discussion on the list. Overall: I would suggest every "should" be replaced with either a "must" or a "shall" RFC2119 style, to avoid any "best practice" vs "required mandate" confusion. 1.1 Scope Item 2: Bullet 1:

Re: Google Trust Services roots

2017-03-06 Thread Ryan Hurst via dev-security-policy
[Trying to resend without the quoted email to get through the spam filter] First, let me apologize for the delay in my response, I have had a draft of this letter in my inbox for a while and have just been unable to get back to it and finish it due to scheduling conflicts. I promise to address

Re: Google Trust Services roots

2017-03-06 Thread Peter Bowen via dev-security-policy
Ryan, I appreciate you finally sending responses. I hope you appreciate that they are clearly not adequate, in my opinion. Please see the comments inline. On Mon, Mar 6, 2017 at 6:02 PM, Ryan Hurst wrote: > First, let me apologize for the delay in my response, I have had a

Re: Google Trust Services roots

2017-03-06 Thread Peter Bowen via dev-security-policy
One more question, in addition to the ones in my prior response: On Mon, Mar 6, 2017 at 6:02 PM, Ryan Hurst wrote: > rmh: I just attached two opinion letters from our auditors, I had previously > provided these to the root programs directly but it took some time to get >

Re: Google Trust Services roots

2017-03-06 Thread Ryan Hurst via dev-security-policy
> Gerv: Which EV OID are you referring to, precisely? I was referring to the GlobalSign EV Certificate Policy OID (1.3.6.1.4.1.4146.1.1) but more concretely I meant any and all EV related OIDs, including the CAB Forum OID of 2.23.140.1.1. > Gerv: Just to be clear: GlobalSign continues to