Re: dNSName containing '/' / low serial number entropy

2017-08-11 Thread Gijs Kruitbosch via dev-security-policy
On 11/08/2017 15:39, Policy Authority PKIoverheid wrote: 2. Why did DDY not implement the serial number entropy as required by the Baseline Requirements? 3. Was this detected by the auditor? If not, why not? ANSWER ON QUESTION 2: DDY concluded wrongly that ballot 164 was not applicable for

Re: On the value of EV

2017-12-19 Thread Gijs Kruitbosch via dev-security-policy
On 18/12/2017 21:54, Andrew wrote: On Monday, December 18, 2017 at 3:09:31 PM UTC-6, Wayne Thayer wrote: Thank you Ryan for raising this question, and to everyone who has been contributing in a constructive manner to the discussion. A number of excellent points have been raised on the

Re: On the value of EV

2017-12-13 Thread Gijs Kruitbosch via dev-security-policy
On 13/12/2017 14:50, Tim Shirley wrote: I guess I’m also having a hard time appreciating how the presence of this information is a “cost” to users who don’t care about it. For one thing, it’s been there for years in all major browsers, so everyone has at least been conditioned to its

Re: Incident report - Misissuance of CISCO VPN server certificates by Microsec

2018-12-05 Thread Gijs Kruitbosch via dev-security-policy
On 05/12/2018 19:45, Wayne Thayer wrote: ..On Wed, Dec 5, 2018 at 1:58 PM dr. Sándor Szőke via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: 6./ Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now. Microsec

Re: Incident report D-TRUST: syntax error in one tls certificate

2018-11-26 Thread Gijs Kruitbosch via dev-security-policy
(for the avoidance of doubt: posting in a personal capacity) On 23/11/2018 15:24, Enrico Entschew wrote: Timeline: 2018-11-12, 10:30 UTC Customer was contacted the first time. Customer runs an international critical trade platform for emissions. Immediate revocation of the certificate would

Re: Possible DigiCert in-addr.arpa Mis-issuance

2019-03-02 Thread Gijs Kruitbosch via dev-security-policy
On 02/03/2019 08:45, Cynthia Revström wrote: On 2019-03-02 01:49, George Macon via dev-security-policy wrote: One specific question on this point: Why did the software permit setting the approval scope to a public suffix (as defined by inclusion on the public suffix list)? Could validation

Re: DarkMatter Concerns

2019-07-11 Thread Gijs Kruitbosch via dev-security-policy
On 11/07/2019 03:38, Matthew Hardeman wrote: I used the parallel to racism in finance because it's exceedingly well documented that strong objective systems of risk management and decisioning led to better overall financial outcomes AND significantly opened the door to credit (aka trust) to

Finance analogies for root stores (was: Re: DarkMatter Concerns)

2019-07-22 Thread Gijs Kruitbosch via dev-security-policy
(I'm splitting the topic because at this point, continuing to discuss the analogy doesn't have a direct bearing on the inclusion or otherwise of DM) Replies inline. On 16/07/2019 23:23, Matthew Hardeman wrote: I submit that I disagree somewhat with Gijs' suggestion that Mozilla acts in the

Re: Website owner survey data on identity, browser UIs, and the EV UI

2019-09-22 Thread Gijs Kruitbosch via dev-security-policy
(For the avoidance of doubt, although I work for Mozilla, as noted on the wiki I post in a personal capacity) In addition to Ryan's excellent points, I wanted to briefly point out a few things related to your survey: On 22/09/2019 00:52, Kirk Hall wrote: (1) *97%* of respondents agreed or

Re: About upcoming limits on trusted certificates

2020-03-16 Thread Gijs Kruitbosch via dev-security-policy
On 14/03/2020 18:53, Nick Lamb wrote: my assumption is that at best such a patch would be in the big pile of volunteer stuff maybe nobody has time to look at. Tangential: perhaps there's an aspect of phrasing here that is confusing me, but this reads to me as suggesting we don't review/work