Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-04-01 Thread urijah--- via dev-security-policy
I think page 8 of their manual at least partially explains how and what "QuickInvite" is. The whole document is rather interesting...
https://www.geotrust.com/geocenter/resources/partnercenter-user-guide.pdf
On Saturday, April 1, 2017 at 6:01:23 AM UTC-4, Nick Lamb wrote:
> On Friday, 31 March

Re: Next CA Communication

2017-04-01 Thread Gervase Markham via dev-security-policy
On 31/03/17 22:20, Kathleen Wilson wrote:
> Please let me know asap if you see any problems, typos, etc. in this
> version.
Now that policy 2.4.1 has been published, we should update Action 3 to say the following at the top:
Versions 2.4 and 2.4.1 of Mozilla's CA Certificate Policy have been

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-04-01 Thread Gervase Markham via dev-security-policy
Hi Daniel,
We appreciate your additional input into determining the exact scope of this problem.
On 31/03/17 19:37, Daniel Baxter (Aractus) wrote:
> With all due respect this reply is the most ridiculous load of
> nonsense I've ever read.
However, please keep the tone civil. If it's nonsense,

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-04-01 Thread Nick Lamb via dev-security-policy
On Friday, 31 March 2017 17:27:34 UTC+1, tarah.s...@gmail.com wrote:
> I'm Tarah. I am the Principal Security Advocate and Senior Director of
> Engineering at Symantec Website Security (the certificate authority.
Hello Tarah,
Regular readers of m.d.s.policy will not be surprised that the news

Re: Symantec Issues List

2017-04-01 Thread Ryan Sleevi via dev-security-policy
On Sat, Apr 1, 2017 at 12:57 AM, Peter Bowen wrote:
> (Wearing my personal hat)
>
> Ryan,
>
> I haven't reviewed the audit reports myself, but I'll assume all you
> wrote is true. However, I think it is important to consider it in the
> appropriate context.
> The GeoRoot

Re: Criticism of Google Re: Google Trust Services roots

2017-04-01 Thread Gervase Markham via dev-security-policy
On 31/03/17 20:26, Peter Kurrasch wrote:
> The revised example is not entirely what I had in mind (more on that
> in a minute) but as written now is mostly OK by me. I do have a
> question as to whether the public discussion as mentioned must take
> place before the actual transfer? In other