Kyle Hamilton wrote:
I then have to click at least six
times to try to figure out what's going on, and then when I do find a
site that's protected by an unknown CA certificate (OR that I've
removed the trust bits on), I have to do the following:
1) Click 'add an exception'
2) click 'get
On 12/24/2008 05:44 PM, Eddy Nigg:
I have received also testimonials that Mozilla and Microsoft received
previously complaints and evidences about the business practices of
Comodo. I'm not aware which specific actions were taken back then.
I have to make a small correction about this
Kyle Hamilton wrote:
(Especially if Comodo delegates full Registration Authority capability
without verification, which seems to be the case -- though they could
have simply issued a sub-CA certificate.)
Delegating the RA's tasks is still different from issuing a sub-CA cert
since with a
Eddy Nigg wrote:
I think Thawte uses the keygen tag as well. This is a signed public key
and challenge (SPKAC).
I also thought so. But there is some Javascript and the HTML looks like
this:
select name=spkac challenge=tURRaHXxYBDwCk58option2048 (High
Grade)/optionoption1024 (Medium
Eddy Nigg wrote:
On 12/23/2008 09:09 AM, Kyle Hamilton:
Of course, this would be an NSS change (the addition of a 'trust
suspended' bit,
I think this to be an interesting idea and should be considered.
I really wonder why there should be one state more. And how is it going
to be set
Frank Hecker wrote:
From my point of view I'd wait on more
information regarding items 2 and 3 above before making a recommendation.
Could you please define a time-frame within Comodo MUST react?
Ciao, Michael.
___
dev-tech-crypto mailing list
Kyle Hamilton wrote:
I hate to say this, but this IS The Worst-Case Scenario. A CA has
gone rogue and issued certificates that violate its standards, and the
standards of the root programs that it's a part of -- it is true that
Comodo didn't /intend/ to go rogue, but it has, and we can't
Justin Dolske wrote:
...I think there's some risk that if a Firefox update suddenly breaks a
large swath of legitimate SSL sites, that could end up training users to
ignore the problem.
Given the large amount of self-generated server certs this problem
already exists. Ultimately you cannot
doug...@theros.info wrote:
I, for example, have a ssl cert from comodo reseller, and they DO have
made all the validation steps.
My site, a legitimate one, would be in trouble with this. Are you all
sure that it is a good measure to just knock off the root cert or
security bit?
please,
Kyle Hamilton wrote:
[..many good observations snipped..]
Because of this, my recommendation that Comodo's trust bits be removed
until a full audit of their practices (and a full audit of all issued
certificates) stands, and I am that much more resolute in my belief.
Full ack!
Ciao, Michael.
On 12/25/2008 02:39 PM, Michael Ströder:
doug...@theros.info wrote:
I, for example, have a ssl cert from comodo reseller, and they DO have
made all the validation steps.
My site, a legitimate one, would be in trouble with this. Are you all
sure that it is a good measure to just knock off the
On 24/12/08 15:17, Frank Hecker wrote:
Gen Kanai wrote:
More discussion on this topic over at Programming Reddit:
http://www.reddit.com/r/programming/comments/7lb96/ssl_certificate_for_mozillacom_issued_without/
Unfortunately the discussion devolved (as it always does :-) into the
merits of
Michael Ströder wrote:
Frank Hecker wrote:
From my point of view I'd wait on more
information regarding items 2 and 3 above before making a recommendation.
Could you please define a time-frame within Comodo MUST react?
Comodo (in the person of Robin Alden) has already made a reply:
Kyle Hamilton wrote:
What is the effect of this problem on the request to enable the
UTN-UserFirst-Hardware root for EV,
https://bugzilla.mozilla.org/show_bug.cgi?id=401587 ?
I think (but don't have time to confirm right at the moment) that that
request is moot. As far as I know, Comodo EV
Frank Hecker wrote:
Michael Ströder wrote:
Frank Hecker wrote:
From my point of view I'd wait on more
information regarding items 2 and 3 above before making a
recommendation.
Could you please define a time-frame within Comodo MUST react?
Comodo (in the person of Robin Alden) has already
I've already stated my preference.
To reiterate:
Actually, I think it's very important that the accounting include this:
for each name (not just certificate, but name in
subjectAlternativeNames) that has been certified, a connection to the
TLS ports should be made, and the certificate presented
If Frank's desire to balance user benefit from keeping the root in
with user security by taking the root out is to be upheld, then there
needs to be a way to notify the software user that there is a valid
complaint against the operator of the CA in question.
If it drives business away from the CA
among other things, because keygen is not a standardized mechanism.
-Kyle H
On Thu, Dec 25, 2008 at 4:10 AM, Michael Ströder mich...@stroeder.com wrote:
Eddy Nigg wrote:
I think Thawte uses the keygen tag as well. This is a signed public key
and challenge (SPKAC).
I also thought so. But
Dear Firefox Developers,
I understand that this should be the right place to ask:
Using Firefox we would like to generate Thawte X.509 E-Mail Certificates.
When generating the Private/Public key pair using Firefox as well as requesting
the certificate, we are logged in on the Thawte Website.
At 11:13 PM -0800 12/24/08, Daniel Veditz wrote:
Paul Hoffman wrote:
At 1:16 AM +0200 12/24/08, Eddy Nigg wrote:
Select Preferences - Advanced - View Certificates - Authorities.
Search for AddTrust AB - AddTrust External CA Root and click
Edit. Remove all Flags.
Doesn't this seem like a
At 7:16 PM +0100 12/25/08, Michael Ströder wrote:
I'd tend to punish a rogue CA by removing their root CA cert from NSS.
Maybe this serves as a good example to other CAs that the Mozilla CA
policy is really enforced. Otherwise nobody will care.
This is Firefox we're talking about, not IE. Do you
On 12/25/2008 08:16 PM, Michael Ströder:
The question is, what else do what want Comodo to do in this case?
What really strikes me is that this case was only
detected by Eddy because of Certstar's spam e-mails.
Even though I believe that Robin and his crew are really angry with me
right
On 12/26/2008 12:24 AM, Paul Hoffman:
At 7:16 PM +0100 12/25/08, Michael Ströder wrote:
I'd tend to punish a rogue CA by removing their root CA cert from NSS.
Maybe this serves as a good example to other CAs that the Mozilla CA
policy is really enforced. Otherwise nobody will care.
This is
xbcvb cvbcvbvcb wrote:
Using Firefox we would like to generate Thawte X.509 E-Mail Certificates.
When generating the Private/Public key pair using Firefox as well as
requesting
the certificate, we are logged in on the Thawte Website.
*Our security relevant question:*
Which data is
Paul Hoffman wrote:
At 7:16 PM +0100 12/25/08, Michael Ströder wrote:
I'd tend to punish a rogue CA by removing their root CA cert from NSS.
Maybe this serves as a good example to other CAs that the Mozilla CA
policy is really enforced. Otherwise nobody will care.
This is Firefox we're
On Dec 26, 2008, at 1:49 AM, Frank Hecker wrote:
Beyond that? It's somewhat of an open question.
Frank
Mozilla needs to have a concrete policy and procedures in place so
that there is no question as to what the penalties would be for future
actions of this kind.
I personally like John
Kyle Hamilton wrote, On 2008-12-25 12:15:
among other things, because keygen is not a standardized mechanism.
True, but neither is crypto.generateCRMFRequest.
There is no standardize html or JavaScript feature for this purpose.
___
dev-tech-crypto
On 12/26/2008 03:28 AM, Gen Kanai:
I personally like John Nagle's proposal from earlier in this thread:
http://groups.google.com/group/mozilla.dev.tech.crypto/msg/9443ba781a669879
Gen, one thing to note, that Comodo most likely performs a yearly
WebTrust audit, though the last one I can see
On 26/12/08 00:36, Michael Ströder wrote:
Paul Hoffman wrote:
At 7:16 PM +0100 12/25/08, Michael Ströder wrote:
I'd tend to punish a rogue CA by removing their root CA cert from NSS.
I do not see a rogue CA. The evidence of the posts here suggests a flaw
leading to false certs was found
On Friday 26 December 2008 07:15:59 am Kyle Hamilton wrote:
among other things, because keygen is not a standardized mechanism.
FWIW, is there a description of how keygen is actually supposed to work, and
a set of test cases?
Brad
___
dev-tech-crypto
30 matches
Mail list logo