Re: DarkMatter Concerns

2019-07-16 Thread Ronald Crane via dev-security-policy
I have to rebut the idea that revoking trust is an adequate -- let alone an "essentially absolute" -- recourse for a CA's abuse of its authority. The fact is that an abusive CA can cause unwanted (and potentially harmful) code and data to be injected into -- and personal data to be

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-18 Thread Ronald Crane via dev-security-policy
On 8/18/2019 12:39 AM, Leo Grove via dev-security-policy wrote: Deploying a Stripe Inc EV SSL from a state other than CA is one thing, but using an EV SSL in conjunction with a domain name and website with the true intent to dupe potential customers is another matter. I'm trying to get past

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Ronald Crane via dev-security-policy
On 8/15/2019 10:58 AM, Doug Beattie via dev-security-policy wrote: So far I see is a number of contrived test cases picking apart small components of EV, and no real data to back it up. I also would like to see more evidence of problems. However, I have to object to the idea that Mostly

Re: Certinomis Root Inclusion Request

2019-07-19 Thread Ronald Crane via dev-security-policy
On 7/18/2019 9:15 PM, alwayshisforever5183--- via dev-security-policy wrote: How do I remove the cert root? Use tools/options, type "cert" in the "find in options" box, then click "view certificates". Select "authorities" tab. Now examine the list until you find the certificate(s) you want

Re: Comodo password exposed in GitHub allowed access to internal Comodo files

2019-07-27 Thread Ronald Crane via dev-security-policy
Thank you for posting that notice. It's not clear whether the leak impacted issuance. From the link you cited: *** Other documents appeared to be Comodo vulnerability reports. *** Ursem’s cursory review of the data did

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-26 Thread Ronald Crane via dev-security-policy
On 8/26/2019 5:39 AM, Josef Schneider via dev-security-policy wrote: On Sunday, 18 August 2019 20:05:42 UTC+2, Ronald Crane wrote: On 8/18/2019 12:39 AM, Leo Grove via dev-security-policy wrote: Deploying a Stripe Inc EV SSL from a state other than CA is one thing, but using an EV SSL in

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Ronald Crane via dev-security-policy
On 8/29/2019 11:07 AM, Nick Lamb via dev-security-policy wrote: ... If you _work_ for such an institution [e.g., a bank], the best thing you could do to protect your customers against Phishing, a very popular attack that TLS is often expected to mitigate, is offer WebAuthn You also could

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-23 Thread Ronald Crane via dev-security-policy
On 8/23/2019 3:53 PM, Daniel Marschall via dev-security-policy wrote: On Friday, 23 August 2019 00:50:35 UTC+2, Ronald Crane wrote: On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote: Whatever the merits of EV (and perhaps there are some -- I'm not convinced either way)

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-22 Thread Ronald Crane via dev-security-policy
On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote: I can tell you that anti-phishing services and browser phishing filters have also concluded that EV sites are very unlikely to be phishing sites and so are safer for users. Whatever the merits of EV (and perhaps

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-23 Thread Ronald Crane via dev-security-policy
On 8/23/2019 6:41 AM, Tom Ritter via dev-security-policy wrote: On Fri, 23 Aug 2019 at 05:00, Leo Grove via dev-security-policy wrote: On Thursday, August 22, 2019 at 5:50:35 PM UTC-5, Ronald Crane wrote: On 8/22/2019 1:43 PM, kirkhalloregon--- via dev-security-policy wrote: I can tell you

Re: An honest viewpoint: Move Extended Validation Information out of the URL bar

2019-09-08 Thread Ronald Crane via dev-security-policy
On 9/8/2019 2:46 AM, Daniel Marschall via dev-security-policy wrote: But the EV string always shows the country name. Therefore, the string should be unambiguous, because there can be only one company called "Google Inc" in a specific country (say Tonga). The second sentence is generally