Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-29 Thread mono.riot--- via dev-security-policy
> Not for those sorts of differences. There are in an IDN context: > http://unicode.org/reports/tr39/ wasn't aware of that TS, thanks! ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org

Re: Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites

2017-03-27 Thread mono.riot--- via dev-security-policy
> I've been wondering if CT is a good tool for things like safe > browsing to monitor possible phishing sites and possibly detect > them faster. Are there general proposals yet on how to distinguish phishing vs legitimate when it comes to domains? (like apple.com vs app1e.com vs mom'n'pop

Re: Researcher Says API Flaw Exposed Symantec Certificates, Including Private Keys

2017-03-31 Thread mono.riot--- via dev-security-policy
Maybe I'm alone in this but, while entertaining, I'm taken aback a bit if this is official Symantec communication in a forum like m.d.s.p. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org

Re: Symantec: Update

2017-05-10 Thread mono.riot--- via dev-security-policy
On Wednesday, May 10, 2017 at 7:59:37 PM UTC+2, Itzhak Daniel wrote: > The next step, if Symantec wish to continue to use their current PKI in the > future, should be logging (ASAP) *all* of the certificates they issued to a > CT log, then we'll know how deep is the rabbit hole. already the

Re: Certinomis Issues

2019-05-01 Thread mono.riot--- via dev-security-policy
> 2017 assessment report > LSTI didn't issue to Certinomis any "audit attestation" for the browsers in > 2017. The document Wayne references is a "Conformity Assessment Report" for > the eIDAS regulation. I had a look at the 2017 report, and unless I misread, it implies conformity to ETSI EN

Re: Certinomis Issues

2019-05-02 Thread mono.riot--- via dev-security-policy
> But does EN 319 401, as it existed in 2016/2017 incorporate a clause to > apply all "future" updates to the CAB/F regulations or otherwise cover > all BRs applicable to the 2016/2017 timespan? Interesting question. Would it have to explicitly claim to incorporate any future updates? Or would

Re: Certinomis Issues

2019-05-02 Thread mono.riot--- via dev-security-policy
On Thursday, May 2, 2019 at 1:11:20 AM UTC+2, Wayne Thayer wrote: > Correct - 319 411 was (and still is) the Mozilla audit requirement. > > [1] https://bug937589.bmoattachments.org/attachment.cgi?id=8898169 Thanks for the clarification Wayne. ___

Re: DarkMatter Concerns

2019-07-09 Thread mono.riot--- via dev-security-policy
On Tuesday, July 9, 2019 at 11:23:11 PM UTC+2, Matthew Hardeman wrote: > Truly horrid organizations and/or individuals passively own all kinds of > assets. A strong management team that can be trusted to keep commitments to > sound the alarm if the organization goes off track is one way to

Re: DarkMatter Concerns

2019-07-09 Thread mono.riot--- via dev-security-policy
On Tuesday, July 9, 2019 at 11:46:05 PM UTC+2, Matthew Hardeman wrote: > ownership: Francisco Partners. It is difficult for me to see the > difference, objectively speaking. agree, but I think Francisco partners was ... rubbing the wrong way, too; and I think that issue was let go way too