Re: Use of Certificate/Public Key Pinning

2019-08-14 Thread Ryan Sleevi via dev-security-policy
On Tue, Aug 13, 2019 at 11:12 AM Nuno Ponte via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Dear m.d.s.p., > > I would like to bring into discussion the use of certificate/public key > pinning and the impacts on the 5-days period for certificate revocation > according to

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-14 Thread Jakob Bohm via dev-security-policy
On 14/08/2019 21:55, Peter Bowen wrote: On Wed, Aug 14, 2019 at 10:16 AM Jakob Bohm wrote: On 14/08/2019 18:18, Peter Bowen wrote: One thing I've found really useful in working on user experience is to discuss things using problem & solution statements that show the before and after. For

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-14 Thread Peter Gutmann via dev-security-policy
Jakob Bohm via dev-security-policy writes: >Problem example: >[...] You're explaining how it's supposed to work in theory, not in the real world. We have a decade of real-world data showing that it doesn't work, that there's no benefit from EV certificates apart from the one to CA's balance

Re: [FORGED] Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-14 Thread Peter Gutmann via dev-security-policy
Peter Bowen via dev-security-policy writes: >I have to admit that I'm a little confused by this whole discussion. While >I've been involved with PKI for a while, I've never been clear on the >problem(s) that need to be solved that drove the browser UIs and creation of >EV certificates. Oh,

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-14 Thread Peter Bowen via dev-security-policy
On Wed, Aug 14, 2019 at 10:16 AM Jakob Bohm wrote: > On 14/08/2019 18:18, Peter Bowen wrote: > > One thing I've found really useful in working on user experience is to > > discuss things using problem & solution statements that show the before > and > > after. For example, "It used to take 10

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-14 Thread Peter Bowen via dev-security-policy
On Tue, Aug 13, 2019 at 4:24 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > A policy of switching from positive to negative indicators of security > differences is no justification to switch to NO indication. And it > certainly doesn't help user

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-14 Thread Jakob Bohm via dev-security-policy
On 14/08/2019 18:18, Peter Bowen wrote: On Tue, Aug 13, 2019 at 4:24 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: A policy of switching from positive to negative indicators of security differences is no justification to switch to NO indication. And it

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-14 Thread Ryan Sleevi via dev-security-policy
On Wed, Aug 14, 2019 at 1:16 PM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > EV was originally an initiative to make the CAs properly vet OV > certificates, and to mark those CAs that had done a proper job. > EV issuing CAs were permitted to still sell the