Re: Symantec Response B

2017-04-17 Thread Gervase Markham via dev-security-policy
On 13/04/17 17:43, Jeremy Rowley wrote: > Because the certificate improperly included Symantec's BR-compliance OID. If > the cert wasn't a BR-covered certificate but included the BR compliance OID, > then the cert was still mis-issued and should be disclosed. But that was not the reason they gave

RE: Symantec Response B

2017-04-13 Thread Jeremy Rowley via dev-security-policy
-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Gervase Markham via dev-security-policy Sent: Thursday, April 13, 2017 7:49 AM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Symantec Response B Symantec's bug opens with the words: "At the end of

Re: Symantec Response B

2017-04-13 Thread Gervase Markham via dev-security-policy
Symantec's bug opens with the words: "At the end of 2013, Symantec issued a cert to one of its customers that did not comply with several provisions of the CA/Browser Forum Baseline Requirements."[0] So Symantec, at least, thought that this cert fell under the BRs. If their case was that it did

RE: Symantec Response B

2017-04-12 Thread Jeremy Rowley via dev-security-policy
On Behalf Of Ryan Sleevi via dev-security-policy Sent: Wednesday, April 12, 2017 6:40 AM To: Kurt Roeckx <k...@roeckx.be> Cc: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org> Subject: Re: Symantec Response B On Wed, Apr 12, 2017 at 4:24 AM, Kurt Roeckx via dev

Re: Symantec Response B

2017-04-12 Thread Ryan Sleevi via dev-security-policy
On Wed, Apr 12, 2017 at 4:24 AM, Kurt Roeckx via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > I don't think 2) applies. It's only their software, that obviously can't > be updated yet, and so won't enforce such limit. That doesn't prevent the > rest of us to set such

Re: Symantec Response B

2017-04-12 Thread Kurt Roeckx via dev-security-policy
On 2017-04-11 17:54, Ryan Sleevi wrote: On Tue, Apr 11, 2017 at 11:44 AM, Kurt Roeckx via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: The reply indicated that it was a non-browser application. So I understand that a browser should never see that certificate. There's

Re: Symantec Response B

2017-04-11 Thread Ryan Sleevi via dev-security-policy
On Tue, Apr 11, 2017 at 11:44 AM, Kurt Roeckx via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > The reply indicated that it was a non-browser application. So I understand > that a browser should never see that certificate. > There's no way to objectively quantify or

Re: Symantec Response B

2017-04-11 Thread Kurt Roeckx via dev-security-policy
On 2017-04-11 17:20, Ryan Sleevi wrote: On Tue, Apr 11, 2017 at 6:02 AM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: Hi Ryan, On 10/04/17 16:38, Ryan Sleevi wrote: 1) You're arguing that "the issuance of this cert didn't impose risk on anyone but

Re: Symantec Response B

2017-04-11 Thread Ryan Sleevi via dev-security-policy
On Tue, Apr 11, 2017 at 6:02 AM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Hi Ryan, > > On 10/04/17 16:38, Ryan Sleevi wrote: > > 1) You're arguing that "the issuance of this cert didn't impose risk on > > anyone but this specific customer" > > a)

Re: Symantec Response B

2017-04-11 Thread Gervase Markham via dev-security-policy
Hi Ryan, On 10/04/17 16:38, Ryan Sleevi wrote: > 1) You're arguing that "the issuance of this cert didn't impose risk on > anyone but this specific customer" > a) What factors lead you to that decision? Can you lay out for us a scenario where this issuance might impose risk on someone else? >

Re: Symantec Response B

2017-04-10 Thread Ryan Sleevi via dev-security-policy
Hi Steve, Some quick follow-ups: 1) You're arguing that "the issuance of this cert didn't impose risk on anyone but this specific customer" a) What factors lead you to that decision? b) What process does Symantec have in place to make such determination? c) Does such process continue to

Symantec Response B

2017-04-10 Thread Steve Medin via dev-security-policy
Issue B: 1024-bit Certificate Issued Directly From Root (Dec 2013 - Jan 2014) The customer in question informed us of an issue in December 2013 that threatened to seriously disrupt their primary business, and they sought our assistance. The customer's non-browser implementation required a