Re: Symantec Response L

2017-04-16 Thread Peter Bachman via dev-security-policy
The 2017 ACES CP excluding anything other than citizen to E-gov breaks certain use cases that are outside the scope of Mozilla, but not from the standpoint of a fully functional commercial c=US structure which I have developed since 1996 since I reached an agreement with GSA on how to proceed

Re: Symantec Response L

2017-04-16 Thread Peter Bachman via dev-security-policy
Since we use ACES certificates for sending healthcare information in a way that mimimizes MITM, I was surprised to read the following. "The Federal PKI has cross-certified other agencies and commercial CAs, which means their certificates will be trusted by clients that trust the Federal PKI.

Re: Symantec Response L

2017-04-17 Thread Peter Bachman via dev-security-policy
That very useful visualization can seen in Chrome and validates against the Identrust ACES 2 root. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy

Re: Symantec Response L

2017-04-19 Thread Peter Bachman via dev-security-policy
I probably need some additional information to see if my partners can effectively share PHI at LOA 3 and I don't want to burden the list on whether the healthcare use cases defined by the Federal Health Architecture is covered by ACES 2017 Jan policy. It's very important that the community

Re: On the value of EV

2017-12-14 Thread Peter Bachman via dev-security-policy
@Jakob I was referring to the classical namespaces which have evolved since the 1980s. The NSF pilot project was based on a now obsolete version of X.500, Quipu, that world rooted with participating county directories. While I managed that part of the capital D Directory it was in the context

Re: On the value of EV

2017-12-14 Thread Peter Bachman via dev-security-policy
@Ryan “Since improving it as a technical means is an effective non-starter (e.g. introducing a new origin for only EV certs), the only fallback is to the cognitive means” EV is a convenient signal. I like it. The problem is the infrastructure that pits the Internet and it’s protocols with

Re: Francisco Partners acquires Comodo certificate authority business

2017-11-09 Thread Peter Bachman via dev-security-policy
On Tuesday, October 31, 2017 at 9:22:09 AM UTC-4, Kyle Hamilton wrote: > http://www.eweek.com/security/francisco-partners-acquires-comodo-s-certificate-authority-business I did a little spot check. So yes they hired a person who was involved with Entrust, so that is a plus. The website says it

On the value of EV

2017-12-12 Thread Peter Bachman via dev-security-policy
I think this is fundamentally an issue of the history of the DNS and X.500 architecture. Combined with social factors since 1996 when the original NSF Directory and DNS grant money ran out, and domains (which had been free) became this wild west name space, which has reached some predictable

ACES Sunset

2018-04-04 Thread Peter Bachman via dev-security-policy
https://www.idmanagement.gov/wp-content/uploads/sites/1171/uploads/gsa-aces-sunset-guide.pdf ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy

Re: Sigh. stripe.ian.sh back with EV certificate for Stripe, Inc of Kentucky....

2018-04-12 Thread Peter Bachman via dev-security-policy
As a practical exercise in logic, pick any CA that issues EV Certificates and is CAB BR compliant. Look at the CA Certificate Policy Statement and Relying Party Agreement. It's irrelevant to cite the UX of the "normal" user without first look at the agreements and policy. For the most part it

c=US policy layer in development

2018-04-09 Thread Peter Bachman via dev-security-policy
https://groups.google.com/forum/#!forum/cus-policy-layer ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy