Re: Symantec Conclusions and Next Steps

2017-04-28 Thread Eric Mill via dev-security-policy
On Fri, Apr 28, 2017 at 4:16 AM, Richard Wang via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > This Google decision’s problem is some big websites used a domain that not > listed in Alexa 1M suffered disruption, for example, Qihoo 360’s search > site and online gaming

Re: Removing "Wildcard DV Certs" from Potentially Problematic Practices list

2017-04-28 Thread Peter Kurrasch via dev-security-policy
"Incomplete understanding"? That's rich. There is no reliance on certs as a protection mechanism. Rather, the use of certs/encryption help to facilitate my bad acts. If I'm doing malvertising I basically must use

Re: Symantec Conclusions and Next Steps

2017-04-28 Thread Percy via dev-security-policy
On Friday, April 28, 2017 at 1:19:01 AM UTC-7, Richard Wang wrote: > Hi Ryan, > > > > For your question “Do you believe that, during the discussions about how to > respond to WoSign's issues, the scope of impact was underestimated?”, the > answer is YES. > > > > After Oct 21 2016, WoSign

Re: Removing "Wildcard DV Certs" from Potentially Problematic Practices list

2017-04-28 Thread Peter Kurrasch via dev-security-policy
I'll be the first to admit that the example I put together is far from ideal. Perhaps a shortcoming is the lack of any explicit mention regarding the knowledge, skill, competence, etc. of the cert requester--or

Re: Removing "Wildcard DV Certs" from Potentially Problematic Practices list

2017-04-28 Thread Ryan Sleevi via dev-security-policy
On Fri, Apr 28, 2017 at 9:48 AM, Peter Kurrasch wrote: > > Suppose I want to set up a system to be used for spam, malware > distribution, and phishing but, naturally, I want to operate undetected. > First step is to find a (legitimate) server that is already set up and is > not

Re: Symantec Conclusions and Next Steps

2017-04-28 Thread urijah--- via dev-security-policy
Richard, Did you communicate to your customers over the last 6 months that their existing certificates may become distrusted? Or did they find out when their sites stopped working in Chrome? On Friday, April 28, 2017 at 4:19:01 AM UTC-4, Richard Wang wrote: > Hi Ryan, > > > > For your

RE: Symantec Conclusions and Next Steps

2017-04-28 Thread Richard Wang via dev-security-policy
Hi Ryan, For your question “Do you believe that, during the discussions about how to respond to WoSign's issues, the scope of impact was underestimated?”, the answer is YES. After Oct 21 2016, WoSign stopped issuing SSL certificates from the WoSign root (to be exact, maybe a few in October,

Re: Symantec Conclusions and Next Steps

2017-04-28 Thread Gervase Markham via dev-security-policy
If the Nets Norway intermediate is technically constrained only to domains that Nets Norway own or control, I have no problem with leaving it active. Gerv