RE: Reported Digicert key compromise but not revoked

2019-05-09 Thread Daniel Marschall via dev-security-policy
I personally do think that it matters to this forum. A CA - no matter what kind of certificates it issues - must take revocation requests seriously and act immediately, even if the email is sent to the wrong address. If an employee at the help desk is unable to forward revocation requests, or

Improvement suggestions for crt.sh (Hyperlinking OIDs + TLS features decoding)

2019-05-02 Thread Daniel Marschall via dev-security-policy
Hello, I have two improvement suggestions for the page crt.sh. I often stumble across extentions or other kind of OIDs which are not known/named by the system. For example the extention 1.3.6.1.5.5.7.1.24 (1) It would be great if all OIDs could automatically get a hyperlink pointing to

Re: Improvement suggestions for crt.sh (Hyperlinking OIDs + TLS features decoding)

2019-05-03 Thread Daniel Marschall via dev-security-policy
Hello Ryan, thank you for your reply! I actually saw the github link, but I was't sure in which repository I should open a ticket. As for the forum, I didn't knew it and I don't see a link at crt.sh I have posted an email there Take care, Daniel ___

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-13 Thread Daniel Marschall via dev-security-policy
I share the opinion with Jakob, except with the CVE. Please remove this change. It is unnecessary and kills the EV market. But if you insist on keeping that UI change, maybe you can at least give the lock symbol a different color if it is an EV cert?

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-18 Thread Daniel Marschall via dev-security-policy
Am Sonntag, 18. August 2019 07:18:56 UTC+2 schrieb Matt Palmer: > > [...] From what I can see so far, > browser vendors aren't "ending" EV certificates, a couple of them are merely > modifying their UIs guided by relevant research into the efficacy (or lack > thereof) of the current UI. > > -

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Daniel Marschall via dev-security-policy
Please tell me if I understand this correctly... Is it that DV and EV certificates now both show the same lock symbol? That would be a great harm in my opinion. And I do not understand why you want this change. I think EV is very important and I explain why. Let's look at following hypothetical

Re: Request to Include 4 Microsoft Root CAs

2019-08-19 Thread Daniel Marschall via dev-security-policy
Hello, Is there an EV Policy OID assigned? I can't find it. - Daniel Am Mittwoch, 14. August 2019 00:42:44 UTC+2 schrieb Wayne Thayer: > This request is for inclusion of the Microsoft RSA Root Certificate > Authority 2017, Microsoft ECC Root Certificate Authority 2017, Microsoft EV > RSA Root

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Daniel Marschall via dev-security-policy
I have a few more comments/annotations: (1) Pro EV persons argue "Criminals have problems getting an EV certificate, so most of them are using only DV certificates". Anti EV persons argue "Criminals just don't use EV certificates, because they know that end users don't look at the EV indicator

Re: CA handling of contact information when reporting problems

2019-08-20 Thread Daniel Marschall via dev-security-policy
Hello, I am a bit shocked about this case. The fact that this happened to someone would restrain myself from reporting key compromises. Even though it is the company's fault to protect their private key, their lawers still might sue the incident-reporter. A judge might not understand the PKI

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-23 Thread Daniel Marschall via dev-security-policy
Am Freitag, 23. August 2019 00:50:35 UTC+2 schrieb Ronald Crane: > On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote: > > Whatever the merits of EV (and perhaps there are some -- I'm not > convinced either way) this data is negligible evidence of them. A DV > cert is

Re: An honest viewpoint: Move Extended Validation Information out of the URL bar

2019-09-08 Thread Daniel Marschall via dev-security-policy
> Okay... we know that people might now know what "TO" or "AX" means... Typo: I meant "people might not know" ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy