On 11/08/17 16:40, Nick Lamb via dev-security-policy wrote:
On Friday, 11 August 2017 14:19:57 UTC+1, Alex Gaynor wrote:
Given that these were all caught by cablint, has Let's Encrypt considered
integrating it into your issuance pipeline, or automatically monitoring
crt.sh (which runs cablint)
On Sun, Aug 13, 2017 at 5:59 PM, Matt Palmer via dev-security-policy
wrote:
> On Fri, Aug 11, 2017 at 06:32:11PM +0200, Kurt Roeckx via dev-security-policy
> wrote:
>> On Fri, Aug 11, 2017 at 11:48:50AM -0400, Ryan Sleevi via
>> dev-security-policy wrote:
>> >
>> > Could you expand on what you m
On Fri, Aug 11, 2017 at 06:32:11PM +0200, Kurt Roeckx via dev-security-policy
wrote:
> On Fri, Aug 11, 2017 at 11:48:50AM -0400, Ryan Sleevi via dev-security-policy
> wrote:
> > On Fri, Aug 11, 2017 at 11:40 AM, Nick Lamb via dev-security-policy <
> > dev-security-policy@lists.mozilla.org> wrote:
On Fri, Aug 11, 2017 at 5:20 PM, Matthew Hardeman via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> If one integrates a project like certlint/cablint into the cert issuance
> pipeline, one suddenly takes on supplemental responsibility for certlint's
> bugs or changes.
>
Th
I see both sides on this matter.
On the one hand, certlint/cablint catches lots of obvious problems, mostly with
ridiculous certificate profiles or manual special purpose issuances.
Certainly, there's a lot of bad issuance that having it in the blocking path
might help with...
but...
If one
On Fri, Aug 11, 2017 at 1:22 PM, Nick Lamb via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Friday, 11 August 2017 16:49:29 UTC+1, Ryan Sleevi wrote:
> > Could you expand on this? It's not obvious what you mean.
>
> I guess I was unclear. My concern was that one obviou
On Friday, 11 August 2017 16:49:29 UTC+1, Ryan Sleevi wrote:
> Could you expand on this? It's not obvious what you mean.
I guess I was unclear. My concern was that one obvious way to approach this is
to set things up so that after the certificate is signed, Boulder runs cablint,
and if it finds
On Fri, Aug 11, 2017 at 11:48:50AM -0400, Ryan Sleevi via dev-security-policy
wrote:
> On Fri, Aug 11, 2017 at 11:40 AM, Nick Lamb via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > On Friday, 11 August 2017 14:19:57 UTC+1, Alex Gaynor wrote:
> > > Given that these w
On Fri, Aug 11, 2017 at 11:40 AM, Nick Lamb via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Friday, 11 August 2017 14:19:57 UTC+1, Alex Gaynor wrote:
> > Given that these were all caught by cablint, has Let's Encrypt considered
> > integrating it into your issuance pi
On Friday, 11 August 2017 14:19:57 UTC+1, Alex Gaynor wrote:
> Given that these were all caught by cablint, has Let's Encrypt considered
> integrating it into your issuance pipeline, or automatically monitoring
> crt.sh (which runs cablint) for these issues so they don't need to be
> caught manual
Hi Josh,
Given that these were all caught by cablint, has Let's Encrypt considered
integrating it into your issuance pipeline, or automatically monitoring
crt.sh (which runs cablint) for these issues so they don't need to be
caught manually by researchers?
Alex
On Thu, Aug 10, 2017 at 11:00 PM,
At 11:30am PST on August 10, 2017, Let’s Encrypt was made aware of a compliance
issue regarding Unicode normalization of domain names. During the same day we
were made aware of the issue, all unexpired non-compliant certificates were
found and revoked, a fix was applied to our CA systems, and we