On 29/05/16 11:48, Peter Gutmann wrote:
> Are you really trying to claim that the sad farce that is current browser PKI
> is absolutely the very best that browser vendors can do in terms of protecting
> users online?
I'm sure things can always be better. My point was that the current
system, for
Gervase Markham writes:
>It depends what alternative configuration-free idiot-proof secure
>communications technology you have invented in your fantasy world to take its
>place.
Are you really trying to claim that the sad farce that is current browser PKI
is absolutely the
On 27/05/16 13:20, Peter Gutmann wrote:
> Apart from the lucky CAs who have been given government-
> mandated monopolies, would any CA still exist today if there weren't a need to
> pay someone to turn off the browser warnings?
It depends what alternative configuration-free idiot-proof secure
Ryan Sleevi writes:
>This seems both off-topic and not productively addressing the topic at hand.
Yeah, maybe it's best taken to another list like cypherpunks or the crypto
list. It was intended as an honest, and probably pretty blunt, assessment of
the state of HTTPS: It was
On Thursday 26 May 2016 05:13:43 Peter Gutmann wrote:
> Richard Z writes:
> >If any criminal can easily get EV certificates what is the point of
> >https?
> The point of HTTPS is twofold:
>
> 1. Convince users that the Internet is safe to do business on
> (financial
On Wed, May 25, 2016 at 6:50 AM, wrote:
> If I understand you correctly, you are saying that CAs should not be doing
> any "internet policing" or "content policing" when they receive credible
> reports their certs are being used by phishers, malware providers, etc. --
>
Richard Z writes:
>If any criminal can easily get EV certificates what is the point of https?
The point of HTTPS is twofold:
1. Convince users that the Internet is safe to do business on (financial
transfers, medical data).
2. Provide a steady revenue stream for CAs.
On Wed, May 25, 2016 at 11:54:50AM -0400, Eric Mill wrote:
> On Wed, May 25, 2016 at 9:50 AM, wrote:
>
> >
> > Why should CAs delegate to or rely on browsers for this type of user
> > protection? Isn't it better for CAs to remain involved by revoking certs /
> > refusing to
On Wed, May 25, 2016 at 9:50 AM, wrote:
>
> Why should CAs delegate to or rely on browsers for this type of user
> protection? Isn't it better for CAs to remain involved by revoking certs /
> refusing to issue certs to known bad sites, like CAs have done for at least
> the
On Wed, May 25, 2016 at 01:09:53AM -0700, Ryan Sleevi wrote:
> On Tue, May 24, 2016 at 10:25 AM, wrote:
> > Here's my question -- what do Google and Microsoft do with such reports?
> > Do they investigate and then put a site on the "bad" list, eg, for
> > injecting
On Tue, May 24, 2016 at 10:25 AM, wrote:
> Here's my question -- what do Google and Microsoft do with such reports? Do
> they investigate and then put a site on the "bad" list, eg, for injecting
> malware? If not, then no one will stop the malware site. If yes -- what
On Tuesday, May 24, 2016 at 2:01:22 PM UTC+2, Ryan Sleevi wrote:
> On Friday, May 20, 2016 at 10:24:56 AM UTC-7, Andrew Ayer wrote:
> > In fact, Kathleen asked explicitly for what the answers "should be" in
> > addition to what they are, so my email was not unrelated. To be more
> > explicit, I
On Friday, May 20, 2016 at 10:24:56 AM UTC-7, Andrew Ayer wrote:
> In fact, Kathleen asked explicitly for what the answers "should be" in
> addition to what they are, so my email was not unrelated. To be more
> explicit, I think the answers to questions 3-5 should be no. The
> reason why is
On Wednesday, May 18, 2016 at 6:22:39 PM UTC+3, Peter Bowen wrote:
> On Wed, May 18, 2016 at 7:16 AM, Gervase Markham wrote:
> > I think the bullet as a whole could mean that we reserve the right to
> > not include CAs who happily issue certs to "www.paypalpayments.com" to
> >
On Sat, May 21, 2016 at 12:04 PM, wrote:
>
> Peter, once again you are ignoring the full language of BR 4.9.2 to
> 4.10.2. These CA requirements are not limited to reports of "misuse"
> submitted to a CA, but apply to reports of "suspected Key Compromise,
> Certificate
On Thu, May 19, 2016 at 05:20:07PM +1000, Matt Palmer wrote:
> On Tue, May 17, 2016 at 11:14:21PM +0200, Richard Z wrote:
> > There are crime friendly providers already and having crime friendly CAs is
> > something that users would definitely notice.
>
> Why? Do users typically notice the
On Friday, May 20, 2016 at 6:22:21 PM UTC-7, Peter Bowen wrote:
> [ Disclaimer: This message is my personal view and does not
> necessarily represent that of my employer. ]
>
> On Fri, May 20, 2016 at 5:41 PM, [Kirk Hall] wrote:
> > Peter -- the reference to BR 9.6.8(8) is interesting, but is
[ Disclaimer: This message is my personal view and does not
necessarily represent that of my employer. ]
On Fri, May 20, 2016 at 5:41 PM, wrote:
> Peter -- the reference to BR 9.6.8(8) is interesting, but is not really
> relevant to discussion of the requirements of BR
[ Disclaimer: This message is my personal view and does not
necessarily represent that of my employer. ]
On Thu, May 19, 2016 at 9:15 AM, wrote:
> This has been a very surprising discussion to me. If most CAs were asked “Do
> you think CAs are supposed to investigate
On Thu, 19 May 2016 16:52:26 -0700 (PDT)
tech29...@gmail.com wrote:
> Your main concern – unjustified delay in issuing a certificate to
> your customer while a human looks at the domain to decide if there is
> a problem - is not really related to any of Kathleen’s questions.
> Your other comments
On 19/05/16 00:45, Matt Palmer wrote:
> How so? It could be a site providing information from a third party on how
> to make and receive payments via PayPal. It could also be a site operated
> by a third party on behalf of PayPal. Inferring nefarious intent from a
> domain name seems like a
On 18/05/16 17:35, Ben Wilson wrote:
> Looking at the threat from a defense-in-depth/orthogonal perspective,
> doesn't it make sense that everyone -- browsers, ICANN, CAs, etc. -- does
> something to combat malicious websites for the public?
Not necessarily, if what they do ends up damaging
On Friday, May 20, 2016 at 2:09:42 AM UTC-7, Ben Laurie wrote:
> > 4.9.3. Procedure for Revocation Request
> >
> >"*** The CA SHALL provide Subscribers, Relying Parties, Application
> > Software Suppliers, and other third parties with clear instructions for
> > reporting suspected Private
Matt, that's a bit harsh, and you are all over the map. I was only responding
to Kathleen's questions, which asked what do the current BRs require CAs to do
when they receive reports of SSL certificates issued to malware injection
sites. I was not proposing any new rules or any new
Andrew - As I outlined in my message above, the BRs cover two distinct
situations: (1) when must CAs revoke certs that have already been issued for
“Certificate misuse, or other types of fraud, compromise, misuse, or
inappropriate conduct related to Certificates,” and (2) when CAs must refuse
Well said, Andrew. You've summarised the issue excellently.
- Matt
On Thu, May 19, 2016 at 03:19:13PM -0700, Andrew Ayer wrote:
> Kathleen,
>
> I believe that certificate authorities should be content-neutral. They
> should not be required to assess "misuse" or "fraud," nor be required
> to
On Tue, 17 May 2016 03:19:22 +
Peter Gutmann wrote:
> Matt Palmer writes:
> >On Mon, May 16, 2016 at 02:22:08PM +0200, Richard Z wrote:
> >> knowingly issuing/tolerating certificates for sites known to
> >> inject malware is
> >> * contrary to
Kathleen,
I believe that certificate authorities should be content-neutral. They
should not be required to assess "misuse" or "fraud," nor be required
to revoke certificates except upon request of the owner of a domain
listed in the certificate.
Requiring CAs to police website content is
This has been a very surprising discussion to me. If most CAs were asked “Do
you think CAs are supposed to investigate and revoke one of your certificates
that is reported to you for injecting malware on Relying Parties clients?”
their answer would be “Yes, of course – that’s required under
On Tue, May 17, 2016 at 11:14:21PM +0200, Richard Z wrote:
> There are crime friendly providers already and having crime friendly CAs is
> something that users would definitely notice.
Why? Do users typically notice the crime friendly hosting providers?
- Matt
On Tue, May 17, 2016 at 01:04:28AM +, Charles Reiss wrote:
> On 05/16/16 12:22, Richard Z wrote:
> >On Sun, May 15, 2016 at 05:43:39PM -0700, Peter Bowen wrote:
> >
> >>Some CAs may choose to not issue to sites known to inject malware, but
> >>this outside the scope of the SSL requirements.
On Wed, May 18, 2016 at 03:16:59PM +0100, Gervase Markham wrote:
> > What is meant by "fraudulent use"?
>
> I think the bullet as a whole could mean that we reserve the right to
> not include CAs who happily issue certs to "www.paypalpayments.com" to
> just anyone without any checks or High Risk
On Wed, May 18, 2016 at 04:35:49PM +, Ben Wilson wrote:
> Looking at the threat from a defense-in-depth/orthogonal perspective,
> doesn't it make sense that everyone -- browsers, ICANN, CAs, etc. -- does
> something to combat malicious websites for the public?
Because the next steps after
I would simply like to state that my views, and the views of Let's Encrypt, are
closely aligned with those already expressed here by Peter Bowen and Eric Mill.
I will add, since I don't think it has been made clear enough here already,
that violations of a CA's subscriber agreement can and
curity-policy
> [mailto:dev-security-policy-bounces+ben=digicert@lists.mozilla.org] On
> Behalf Of Peter Bowen
> Sent: Wednesday, May 18, 2016 9:23 AM
> To: Gervase Markham <g...@mozilla.org>
> Cc: mozilla-dev-security-pol...@lists.mozilla.org; Kathleen Wilson
> <kwil.
On Wed, May 18, 2016 at 7:16 AM, Gervase Markham wrote:
> I think the bullet as a whole could mean that we reserve the right to
> not include CAs who happily issue certs to "www.paypalpayments.com" to
> just anyone without any checks or High Risk string list or anything.
> Such
In the case of a DV certificate it's exactly what it says, validating
the ownership of a domain, and nothing more. While users _may believe_
that TLS is supposed to protect them from malware, hackers, or
'untrustworthy' sites in general _it is not_. TLS exists to encrypt the
connection between a
On Mon, May 16, 2016 at 8:24 AM, Ben Wilson wrote:
> Gerv wrote,
> "Counter-question to many of these: who defines what is malware, and who
> made them king?"
>
> The contract that the CA enters into with the subscriber should have done
> that.
>
> Subscriber Agreements
On Monday, May 16, 2016 at 9:20:56 AM UTC-7, Kathleen Wilson wrote:
> I am wondering if the BRs need to be updated to:
> + Define what is meant by "Certificate misuse, or other types of fraud".
> (e.g. being used for a purpose outside of that contained in the cert, or
> applicant provided false
On Tuesday, 17 May 2016 04:19:57 UTC+1, Peter Gutmann wrote:
> So you're saying users expect CAs to certify malware sites?
I'm a user, and that's what I expect, so trivially yes.
___
dev-security-policy mailing list
On Tue, 17 May 2016 12:51:53 +0200, Hubert Kario wrote:
> problem is, that this is a slippery slope. What's malware for one person
> is a research subject for another. What's inflammatory or misleading
> information for one person is parody and joke material to other. What's
> illegal in one
On Tuesday 17 May 2016 03:19:22 Peter Gutmann wrote:
> Matt Palmer writes:
> >On Mon, May 16, 2016 at 02:22:08PM +0200, Richard Z wrote:
> >> knowingly issuing/tolerating certificates for sites known to inject
> >> malware is
> >> * contrary to user expectaions
> >
>
Matt Palmer writes:
>On Mon, May 16, 2016 at 02:22:08PM +0200, Richard Z wrote:
>> knowingly issuing/tolerating certificates for sites known to inject
>> malware is
>> * contrary to user expectaions
>
>[Citation needed]
So you're saying users expect CAs to certify malware
On Mon, May 16, 2016 at 02:22:08PM +0200, Richard Z wrote:
> On Sun, May 15, 2016 at 05:43:39PM -0700, Peter Bowen wrote:
>
> > Some CAs may choose to not issue to sites known to inject malware, but
> > this outside the scope of the SSL requirements. The EV Guidelines it
> > very clear that the
On Mon, May 16, 2016 at 09:20:40AM -0700, Kathleen Wilson wrote:
> In regards to Mozilla policy, maybe we should consider adding text about
> Mozilla's expectations for CAs when they find out that a TLS/SSL
> certificate that they issued is being used to do bad things.
Mozilla should expect that
On 16/05/16 17:20, Kathleen Wilson wrote:
This discussion should consider what's best for Mozilla's users. Perhaps
that aligns precisely with the minimum requirements in the EVGs, or perhaps
it doesn't. Mozilla are free to specify additional requirements if they
feel the need to do so, just as
> > This discussion should consider what's best for Mozilla's users. Perhaps
> > that aligns precisely with the minimum requirements in the EVGs, or perhaps
> > it doesn't. Mozilla are free to specify additional requirements if they
> > feel the need to do so, just as Microsoft did recently...
>
Gerv wrote,
"Counter-question to many of these: who defines what is malware, and who
made them king?"
The contract that the CA enters into with the subscriber should have done
that.
Subscriber Agreements should have language in them that says something to
the effect, "We can revoke your
On 16/05/16 01:13, Kathleen Wilson wrote:
> 3) If a website is using its SSL certificate to mask injection of malware and
> evidence of that is presented to the issuing CA, is that sufficient misuse
> for the CA to be required to revoke the certificate?
Counter-question to many of these: who
On Mon, May 16, 2016 at 6:06 AM, Rob Stradling wrote:
> On 16/05/16 01:43, Peter Bowen wrote:
>
> This discussion should consider what's best for Mozilla's users. Perhaps
> that aligns precisely with the minimum requirements in the EVGs, or perhaps
> it doesn't. Mozilla
On 16/05/16 01:43, Peter Bowen wrote:
Some CAs may choose to not issue to sites known to inject malware, but
this outside the scope of the SSL requirements. The EV Guidelines it
very clear that the reputation and actions of the Subject are not in
scope:
Peter, I'd just like to point out that
On Sun, May 15, 2016 at 05:43:39PM -0700, Peter Bowen wrote:
> "By providing more reliable third-party verified identity and address
> information regarding the business, EV Certificates may help to [...]
> Assist law enforcement organizations in their investigations of
> phishing and other online
On Sun, May 15, 2016 at 05:43:39PM -0700, Peter Bowen wrote:
> Some CAs may choose to not issue to sites known to inject malware, but
> this outside the scope of the SSL requirements. The EV Guidelines it
> very clear that the reputation and actions of the Subject are not in
> scope:
knowingly
(Top posting to bring the questions to the top)
> 1) What does "Certificate misuse, or other types of fraud" in the definition
> of Certificate Problem Report actually mean?
> 2) What does "misused" mean in Section 4.9.1.1?
I think there are a several of different things that could fall within
54 matches
Mail list logo