that chain only to the
CN = IGC/A Root and that would be trusted for server authentication by
browsers.
I tried to send a larger file just now (with more info), but I'd
forgotten that this list has a 40KB limit on attachments. Hopefully it
won't reject this .zip file...
--
Rob Stradling
Senior
1 says:
Except where explicitly stated otherwise, these requirements apply
only to relevant events that occur on or after the Effective Date.
Where is it written that 2048-bit certs that predate the BRs need to be
revoked by end of 2013?
On 20/12/13 17:40, Kathleen Wilson wrote:
On 12/13/13 4:03 AM, Rob Stradling wrote:
On 12/12/13 01:08, fhw...@gmail.com wrote:
That's the great part about this, Rob, you don't actually have to revoke
anything.
Peter, thanks for sharing your interpretation. What concerns me is that
the same
On 21/12/13 22:22, Kathleen Wilson wrote:
On 12/20/13 11:45 AM, Rob Stradling wrote:
To me, cert revocation means replying revoked via OCSP for that
cert's serial number, and also adding that cert's serial number to the
CRL.
I understand that new versions of browsers will stop accepting 1024
: No.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
the ECDH_ECDSA ciphers.
(However, hopefully everyone would prefer to use the ECDHE_ECDSA ciphers
instead).
there yet, but there are some.
and checks each certificate request.
FWIW, Kathleen has encouraged us to do this! [2]
[1] https://www.eff.org/observatory
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=653543#c0
4) Implement a hierarchy of internally-operated intermediate CAs for
single or related groups of RAs.
in an
orderly fashion?)
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com
COMODO CA Limited
posted this a while ago...
https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/UZAAzhkGmRo/DFehCrTHRZkJ
On 05/08/14 09:34, Rob Stradling wrote:
Kathleen, to work around the classic NSS path building behaviour you
observed yesterday, we will issue another cross-certificate to
USERTrust Legacy Secure Server CA, with a newer notBefore date, from
our AddTrust External CA Root built-in root.
Then, you
] https://www.imperialviolet.org/2012/02/05/crlsets.html
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com
COMODO CA Limited, Registered in England No. 04058690
Registered Office:
3rd Floor, 26 Office Village, Exchange Quay,
Trafford
there would reject the cert in this situation? (I
suspect not, but it's something to watch out for).
of
the plan: you either get short lived certs or you get a long lived with
must-staple. They would provide the same security guarantees.
On 05/09/14 10:55, Gervase Markham wrote:
On 05/09/14 10:47, Rob Stradling wrote:
snip
If the false positive rate drops to near-zero by 3 months after expiry,
then I think that could work. However, it would need to work equally
well for both long-lived certs and short-lived certs. Therefore
for DV, but it's clearly false for
EV and OV.
As for due diligence, BRs Section 11.2 clearly says that CAs are
required to verify organization info in accordance with Section 11.2 and
as documented in their CP/CPS.
secure Swiss gov sites are broken if you require OCSP.
I contacted them directly and tried to explain why the OCSP service is a
requirement for a CA, but they do not react.
Maybe someone of the Mozilla security team could contact them again.
Regards,
Jonas
.
On 24/03/15 19:58, Florian Weimer wrote:
snip
There's also an ongoing effort to defang CT and make the data much
less useful, so CT could turn meaningless fairly soon.
Huh?
On 25/03/15 10:12, Florian Weimer wrote:
* Rob Stradling:
On 24/03/15 19:58, Florian Weimer wrote:
snip
There's also an ongoing effort to defang CT and make the data much
less useful, so CT could turn meaningless fairly soon.
Huh?
The work on name redaction worries me.
I wondered
On 14/04/15 13:09, Kurt Roeckx wrote:
On 2015-04-14 13:54, Rob Stradling wrote:
On 14/04/15 12:38, Kurt Roeckx wrote:
On 2015-04-14 01:15, Peter Kurrasch wrote:
Let's use an example. Suppose CNNIC issues a cert for
whitehouse[dot]gov and let's further suppose that CNNIC includes this
cert
Thanks Chris. :-)
On 03/06/15 19:53, Chris Palmer wrote:
This is sweet. Thank you, Rob. :)
On Wed, Jun 3, 2015 at 5:56 AM, Rob Stradling rob.stradl...@comodo.com wrote:
Hi. I thought folks here might find this useful. It's a web interface that
lets you search for certs that have been
On 03/06/15 18:02, Eric Mill wrote:
On Wed, Jun 3, 2015 at 11:46 AM, Rob Stradling rob.stradl...@comodo.com
mailto:rob.stradl...@comodo.com wrote:
Even better if you were to open-source the code ;)
That's a conversation I've yet to have with my employer.
Strongly agree
You seem to be assuming that web site operators can't write shell
scripts, and don't care about their public names and public keys, and
snip
BTW, you probably won't be surprised to hear that I've been trying to
think of reasons to create a shell script called crt.sh. ;-)
at 8:56 AM, Rob Stradling rob.stradl...@comodo.com
wrote:
Hi. I thought folks here might find this useful. It's a web interface
that lets you search for certs that have been logged by CT.
https://crt.sh
Pronounced search. :-)
a certificate
is publicly logged as being issued for my domains.
Indeed. It's on the todo list.
-- Eric
On Wed, Jun 3, 2015 at 8:56 AM, Rob Stradling rob.stradl...@comodo.com
mailto:rob.stradl...@comodo.com wrote:
Hi. I thought folks here might find this useful. It's a web
interface
Hi. I thought folks here might find this useful. It's a web interface
that lets you search for certs that have been logged by CT.
https://crt.sh
Pronounced search. :-)
slave, so even
if you could inject something like DROP TABLE certificate, it would
fail to execute.
Sent from my iPhone. Please excuse brevity.
On Jun 3, 2015, at 10:01, Rob Stradling rob.stradl...@comodo.com wrote:
On 03/06/15 14:43, Eric Mill wrote:
This is outstanding - simple
On 10/06/15 01:54, Matt Palmer wrote:
On Tue, Jun 09, 2015 at 10:44:58AM +0100, Rob Stradling wrote:
On 09/06/15 04:05, Clint Wilson wrote:
To further support your claims here, Chris, there are already tools coming out
which actively monitor domains in CT logs and can be set up
On 03/06/15 16:46, Rob Stradling wrote:
On 03/06/15 16:15, Richard Barnes wrote:
snip
David Keeler has done some work on visualizing certs that may be helpful.
http://people.mozilla.org/~dkeeler/certsplainer/
https://github.com/mozkeeler/certsplainer
I'll take a look. Thanks.
Hi Richard
On 10/06/15 12:17, Hubert Kario wrote:
On Tuesday 09 June 2015 10:53:37 Rob Stradling wrote:
On 08/06/15 15:09, Rob Stradling wrote:
On 08/06/15 14:54, Hubert Kario wrote:
On Wednesday 03 June 2015 09:43:23 Eric Mill wrote:
This is outstanding - simple, but totally what people need to start
is very important to us.
Gerv
to:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On
Behalf Of Rob Stradling
Sent: Tuesday, November 17, 2015 9:32 PM
To: Peter Gutmann <pgut...@cs.auckland.ac.nz>; Peter Bowen
<pzbo...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: [FORGED] Name
to help identify where
in the certificates the issues are occurring. Hopefully these changes
will help remove the noise.
Definitely. Thanks!
Thanks,
Peter
5
[1]
https://www-secure.symantec.com/connect/sites/default/files/Test_Certificates_Incident_Final_Report_10_13_2015v3.pdf
[2]
https://www-secure.symantec.com/connect/sites/default/files/TestCertificateIncidentReportOwnedDomains.pdf
4698
[4] https://crt.sh/?q=evgabrieltest%2Ebbtest%2Ecom=1454
[5] https://crt.sh/?id=5934504
[6] https://crt.sh/?id=9324337
[7] https://crt.sh/?id=10162388
[8] https://crt.sh/?id=10162533
[9] https://crt.sh/?id=10162537
On 14/10/15 18:16, Gervase Markham wrote:
On 14/10/15 13:47, Rob Stradling wrote:
(There are actually 187 rows, but 3 certs are counted twice)
And that's not perhaps because one copy is with a CT poison extension,
and the other is with an SCT?
That's extremely unlikely.
None of those 3
/files/TestCertificateIncidentReportUnregistered.pdf
I count 184 certs in [3], not 164.
(There are actually 187 rows, but 3 certs are counted twice)
On 17/11/15 22:47, Peter Bowen wrote:
I've uploaded the original CSV file to
https://s3-us-west-2.amazonaws.com/pzb-public-files/invalid-dnsname.csv
I suspect it might work better than the CSV -> Google Sheets -> TSV path.
Thanks,
Peter
Thanks Peter.
On 17/11/15 17:54, Kurt Roeckx wrote:
On Tue, Nov 17, 2015 at 05:40:28PM +, Rob Stradling wrote:
Great. I tried importing the list into postgres but I couldn't persuade it
to accept the invalid character encodings, so I gave up.
When importing data in my postgres database I leave
On 03/06/15 19:48, Rob Stradling wrote:
> On 03/06/15 18:02, Eric Mill wrote:
>>
>> On Wed, Jun 3, 2015 at 11:46 AM, Rob Stradling <rob.stradl...@comodo.com
>> <mailto:rob.stradl...@comodo.com>> wrote:
>>
>> Even better if you were to open-sourc
split it out into
> little helpful modules. I hope me or my team will get to use it, and
> I'll definitely be pointing folks working on CT over to your repos!
>
> On Mon, Sep 7, 2015 at 9:05 AM, Rob Stradling <rob.stradl...@comodo.com
> <mailto:rob.stradl...@comodo.com>> wrote
of clear
>> value.
>
> I think in the code signing case, one option would be to issue a "call
> for interested parties" and try and figure out if a) anyone is using
> this stuff, and if so b) whether there's anyone out there who wants to
> work with us to make the
On 08/09/15 10:54, Rob Stradling wrote:
> Hi Gerv.
>
> It seems clear from [1] that Firefox (and Thunderbird?) does (or at
> least did) use the NSS code signing trust bit for the purpose of
> verifying that addons/extensions have been signed by publicly-trusted
> code signi
On 15/09/15 10:17, Gervase Markham wrote:
> On 11/09/15 22:06, Rob Stradling wrote:
>> On 11/09/15 13:05, Gervase Markham wrote:
>>> On 08/09/15 10:54, Rob Stradling wrote:
>>>> Assuming this is still Mozilla's plan, please would you clarify which
>>&g
On 17/09/15 12:19, Rob Stradling wrote:
> On 15/09/15 10:17, Gervase Markham wrote:
>> On 11/09/15 22:06, Rob Stradling wrote:
>>> On 11/09/15 13:05, Gervase Markham wrote:
>>>> On 08/09/15 10:54, Rob Stradling wrote:
>>>>> Assuming this is still M
wing about
precertificate (mis)issuance...
"The signature on the TBSCertificate indicates the certificate
authority's intent to issue a certificate. This intent is considered
binding (i.e., misissuance of the Precertificate is considered equal
to misissuance of the final certific
intermediates, what would be the point of Mozilla dropping that same
requirement?
There seems little point providing options that, in reality, CAs are
never permitted to choose.
On 22/09/15 10:22, Brian Smith wrote:
Rob Stradling <rob.stradl...@comodo.com> wrote:
https://aka.ms/rootcert Section 4.A.12, for example, says...
"Rollover root certificates, or certificates which are intended to
replace previously enrolled but expired certificates, will not
level that are reflected in
the whole certificate chain."
The number of CAs that issue server authentication certs that are
intended to be used solely by Mozilla's software is, I suspect,
vanishingly small.
let's discuss these issues at the CAB Forum. Based on the spreadsheet,
I'm pretty sure lots of CAs would like to re-address the elimination of all
SANs except iPAddress and dNSNames.
-Original Message-
From: Rob Stradling [mailto:rob.stradl...@comodo.com]
Sent: Tuesday, November 17, 2015
Certificates to be
acceptable and supported in Mozilla products; with the following
exceptions.
- Mozilla does not and will not support DSA keys
- Mozilla does not currently support ECC curve P-521
So, at this point I vote for Proposal A.
+1
What do you all think?
Kathleen
lla.org/CA:SalesforceCommunity#Which_intermediate_certificate_data_should_CAs_add_to_Salesforce.3F
On 21/06/16 04:03, Jeremy Rowley wrote:
Whether they are currently issuing is irrelevant.
Indeed. Having no intent to issue certificates is not going to stop the
sort of attack that DigiNotar experienced!
uot;child
intermediates" from the disclosure requirement, AFAICT. So I think the
KBC Group CAs do need to be disclosed to Salesforce.
[1]
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
t;k...@roeckx.be>; Richard Barnes
<rbar...@mozilla.com>; Jeremy Rowley <jeremy.row...@digicert.com>; Steve <steve.me...@gmail.com>;
mozilla-dev-security-pol...@lists.mozilla.org; Kathleen Wilson <kwil...@mozilla.com>; Rob Stradling
<rob.stradl...@comodo.com>
Subject:
On 24/06/16 14:38, Rob Stradling wrote:
I've just updated https://crt.sh/mozilla-disclosures.
There's now a separate grouping for undisclosed intermediates for which
all observed paths to a trusted root have been "revoked".
A path is considered to be "revoked" if at le
nown to CT and that have not yet been disclosed to Salesforce.
(P.S. If you have any qualifying intermediate certificates that are not
yet known to CT, don't forget to disclose them to Salesforce!)
a.org).
[1]
https://wiki.mozilla.org/CA:SalesforceCommunity#Which_intermediate_certificate_data_should_CAs_add_to_Salesforce.3F
P.S. Once SHA-1 is no longer permitted in unexpired publicly-trusted TLS
certs, you'll be able to omit the (large) number of SHA-1 intermediate
certs from the whitelist
On 24/02/16 10:20, Peter Gutmann wrote:
Rob Stradling <rob.stradl...@comodo.com> writes:
But if it's an old version of NSS or OpenSSL, then the community could help
find an exploitable bug.
If it's a remote-code-exec we could patch their firmware for them to support
SHA-256.
or OpenSSL, then the community could
help find an exploitable bug.
audits
and instead solve WorldPay's problem by having a Symantec yanked root
cross-certify a non-Symantec yanked root (or vice versa)...well...that'd
be a conversation worth having, don't you think?
On 25/02/16 09:55, Rob Stradling wrote:
On 24/02/16 22:53, Dean Coclin wrote:
Peter,
The same on
intentions in this matter?
On 24/02/16 14:40, Gervase Markham wrote:
Hi Rob,
These are extremely good questions. I have some of the answers.
On 24/02/16 10:16, Rob Stradling wrote:
Gerv, I would really like to see more technical details about the PKI
software in WorldPay's terminals before offering an opinion
certs used by sites with extremely high numbers of users.
At the time, Firefox didn't support OCSP Stapling, and it was much less
common for CAs to use CDNs for their OCSP responders. (Indeed, some CAs
didn't even support OCSP back then).
On 12/02/16 18:21, David Keeler wrote:
On 02/11/2016 08:15 AM, Rob Stradling wrote:
https://cert-checker.allizom.org/ can already accept and "run certlint"
on a user-submitted certificate. Could a "run cablint" button be added
too?
The way it's implemented, "ru
le.com/certificateauthority/ca_program.html
"A maximum of three roots per CA provider can be accepted because each
additional root negatively impacts users by increasing download time."
like to think that the number of users of
such revocation providers is statistically insignificant by now though.
[1]
https://www.mail-archive.com/dev-security-policy%40lists.mozilla.org/msg02985.html
On 04/03/16 23:14, Matt Palmer wrote:
On Fri, Mar 04, 2016 at 09:19:36PM +, Rob Stradling wrote:
Maybe we need to take a different approach that ignores the end-entity
certificate profile completely. How about we propose that...
- An X.509 certificate is in scope for the BRs if it's
and
iii) it hasn't been whitelisted by browsers as "out of scope".
?
but, given the current wording, I don't agree that Symantec violated any rule
the Forum has set.
-Original Message-
From: Rob Stradling [mailto:rob.stradl...@comodo.com]
Sent: Thursday, March 3, 2016 2:49
On 03/03/16 04:52, sanjay_m...@symantec.com wrote:
On Wednesday, March 2, 2016 at 7:07:23 AM UTC-8, Rob Stradling wrote:
I couldn't help but notice this SHA-1 precertificate issued by Symantec
a couple of days ago:
https://crt.sh/?id=13407116=cablint
Rob,
Sanjay, thanks for investigating
e is never issued, the misissuance
never occurred because the precertificate was not misused (no reqs against
SHA1 precerts) and a certificate in violation of the BRs was never created.
Rob Stradling <rob.stradl...@comodo.com> wrote:
On 03/03/16 04:52, sanjay_m...@symantec.com wrote:
On Wed
On 06/02/16 21:14, Rob Stradling wrote:
On 05/02/16 21:43, Charles Reiss wrote:
On 02/05/16 20:13, martin.suc...@gmail.com wrote:
Here's a list of all certificates with SHA-1 signatures and notBefore
>= 2016-01-01, logged in the Certificate Transparency Log:
https://crt.sh/?cablint=211=2
/CA:SubordinateCAcerts and automatically links
the audit info to the relevant CA certificates.
(Example: https://crt.sh/?id=3706739)
I'm aiming to produce an (automatically updated) list of CA certificates
that are known to CT but are not (yet) in SalesForce.
entropy.
On 19/05/16 21:48, Kathleen Wilson wrote:
On Monday, May 16, 2016 at 1:33:40 PM UTC-7, Rob Stradling wrote:
However, ISTM that a "proposed change currently in discussion" is less
authoritative than the CA Communication (which, as I've said, seems to
explicitly require multiple d
On 23/05/16 22:41, Richard Barnes wrote:
On Mon, May 23, 2016 at 5:28 PM, Rob Stradling wrote:
Why invent a new thing?
Even if we make an old thing new, there's still the transition :)
That's true, but it would be an easier transition.
On 18/05/16 19:38, Kathleen Wilson wrote:
On Wednesday, May 18, 2016 at 7:17:01 AM UTC-7, Rob Stradling wrote:
However, then that page says...
"Intermediate certificates are considered to be technically constrained,
and do not need to be added to the CA Community in Sales
:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
Code Signing _is_ still mentioned.
Having extra nameConstraints for this particular intermediate, seems to be
unnecessary, for the Mozilla root program.
DZ.
On 18 May 2016, at 17:16, Rob Stradling
On 19/05/16 15:23, Dimitris Zacharopoulos wrote:
On 19/5/2016 4:36 pm, Rob Stradling wrote:
On 18/05/16 17:23, Dimitris Zacharopoulos wrote:
This intermediate seems technically constrained for SSL and S/MIME
certificates, which are the only type of certs under the current
Mozilla policy
ten policy matches what you consider to be the
actual policy. Thanks.
I've just updated https://crt.sh/mozilla-disclosures. It no longer
claims that disclosure is required when an intermediate cert contains
the id-kp-codeSigning EKU OID but no directoryName constraint.
I don't see any way to automate that CSV export, so
it won't auto-update.
On 04/05/16 12:06, Rob Stradling wrote:
I'm aiming to produce an (automatically updated) list of CA certificates
that are known to CT but are not (yet) in SalesForce.
As promised, here it is...
https://crt.sh/mozilla-disclosures
This entry is currently in the "Disclosed; Unknown to c
On 09/05/16 21:07, Rob Stradling wrote:
Ben: You might want to fix this record in Salesforce.
Ben, two more of the entries you added have the wrong SHA-1 fingerprint...
ECRaizEstado - d34b Baltimore Baltimore CyberTrust Root SCEE
ECRaizEstado 6DB6F9D0D20096775111D24809BFD740F69C424B
ng in the right PEM.
-Original Message-
From: Rob Stradling [mailto:rob.stradl...@comodo.com]
Sent: Monday, May 9, 2016 2:07 PM
To: mozilla-dev-security-pol...@lists.mozilla.org; Ben Wilson
<ben.wil...@digicert.com>
Subject: Data entry errors (was Re: Undisclosed CA certificate
h Trust" bucket.
Note the distinction between "No" and "Never". "No" here means "Not as
far as we know right now, but this would change upon discovery of an
unconstrained id-kp-serverAuth trust path".
defense in
depth, but at greater overhead, so I'm wondering if there's a world where we
can have both our speed and our disclosures, and have technical enforcement for
both.
On 11/05/16 12:42, Rob Stradling wrote:
On 10/05/16 23:37, Kathleen Wilson wrote:
Is it really the CPU limit that is hit, and not some other limit? I am
curious because the CPU time limit usually has much more room than other
governor limits, so you would usually hit some other limit before