Uhm...
how did you arrive at the tens of thousands of other Comodo
customers figure? I don't believe that Comodo has disclosed the
number of unique domain names served by certificates that it has
issued.
And since the number one reason for having a CA in the root list is
for Mozilla-software
On Sun, Dec 28, 2008 at 11:26 PM, Anders Rundgren
anders.rundg...@telia.com wrote:
Kyle Hamilton wrote:
(Note: this is almost completely off-topic as relates to the OP's message.)
I don't completely get this. If we are talking about soft tokens of
the kind implemented in Mozilla, PKI-using
How do I get the certificates out of the builtin object token?
certutil only appears to work on cert8.db and key3.db, modutil won't
add libnssckbi.dylib (it gives me error -2804 if I try), and I can't
figure out how I'm supposed to do it.
(I hope I don't have to use the slow, cumbersome, and
On 29/12/08 09:47, Kyle Hamilton wrote:
Uhm...
how did you arrive at the tens of thousands of other Comodo
customers figure? I don't believe that Comodo has disclosed the
number of unique domain names served by certificates that it has
issued.
On 29/12/08 08:26, Anders Rundgren wrote:
The big picture of this project is establishing a practical HW-crypto
solution based on mobile phones with consumers/citizens as primary
target.
Big picture: Yes, that's about where we are heading.
iang
Anders Rundgren wrote:
Michael Ströder wrote:
Anders Rundgren wrote:
I wouldn't spend much work on keygen and crypto.generateCRMFRequest
because they don't match today's needs anyway.
Your comment is not relevant in this context. Of course the *existing*
implementation of keygen and
On 12/29/2008 09:25 AM, Reed Loden:
When I talk about e-mail addresses, I'm usually referring to valid,
real addresses. A Google Account doesn't have to be a Gmail
address. I know of a lot of people who use the local part of their
e-mail address to represent how the address is used.
On 12/29/2008 09:41 AM, Grey Hodge:
Apparently, but that doesn't mean it's invalid. Mozilla can't act arbitrarily
and without cause and expect to retain any shred of respect or
trustworthiness.
Nobody suggested that, I think. There is however real cause for concern.
Yes, perhaps, and
On 12/29/2008 07:40 AM, David E. Ross:
On 12/28/2008 3:45 PM, Kyle Hamilton wrote [in part]:
CertStar was found out, only due to the diligence of someone on this
list. How many other RAs haven't been found out yet? We can't know,
because Comodo won't say. This affects the confidence I have
There is now an interesting article at The Register:
http://www.theregister.co.uk/2008/12/29/ca_mozzilla_cert_snaf/
We hear now some words from the house of Comodo:
Comodo said that it was pushing for minimum standards for domain
validation (DV) certificates.
The problem illustrated in
Kyle Hamilton wrote:
I don't completely get this. If we are talking about soft tokens of
the kind implemented in Mozilla, PKI-using services rely on keys stored
in containers using obfuscation and optional weak passwords as
the only protection. IMO, this trust in client code is above the
On 28.12.2008 12:13, Kai Engert wrote:
From my perspective, it's a CA's job to ensure competent verification
of certificate requests. The auditing required for CAs is supposed to
prove it. The verification task is the most important task. All
people and
processes involved should be part of
Kai Engert wrote:
From my perspective, it's a CA's job to ensure competent verification
of certificate requests. The auditing required for CAs is supposed to
prove it.
snip
In my opinion, it means, a CA must do this job themselves.
My quick personal perspective on this (and I'll apologize in
Background: CertStar issued certificates without verification
whatsoever. The faulty certs were signed with the PositiveSSL
certificate, which is chained to the UserTRUST root cert that Mozilla
ships. The UserTRUST cert is owned and operated by Comodo.
Our policy mandates that CAs have a
On 12/29/2008 3:47 AM Kyle Hamilton cranked up the brainbox and said:
And since the number one reason for having a CA in the root list is
for Mozilla-software user security, how do you arrive at punish [...]
millions of users?
If all of Comodo's certs cease to be trusted, millions of web
On 12/29/2008 8:45 AM Eddy Nigg cranked up the brainbox and said:
Please do not add comments to that thread without relevance, thanks.
Excuse me, I've had enough of your arrogant attitude. I've seen the way you've
been treating people and I can name half a dozen off the top of my head you've
alex.agra...@gmail.com wrote, On 2008-12-29 01:27:
On Dec 28, 5:02 pm, alex.agra...@gmail.com wrote:
I'm trying to create a simple Java RMI application with a custom
factory that uses JSS SSL classes.
Sorry for the lack of earlier reply. Most (actually all) of the NSS/JSS
team is officially
Eddy Nigg wrote, On 2008-12-29 05:50 PST:
There is now an interesting article at The Register:
http://www.theregister.co.uk/2008/12/29/ca_mozzilla_cert_snaf/
We hear now some words from the house of Comodo:
[snip]
Interesting that Comodo founded the CAB forum and Comodo created a
standard
On 12/29/2008 08:04 PM, Frank Hecker:
When we created the policy I was well aware of the existence of RAs and
of the possibility that CAs might outsource functions like domain
validation to RAs. Whether or not this is clear from the policy (and I
guess it's not, since you and others are asking
On 12/29/2008 10:23 PM, Grey Hodge:
Indeed, I am, as an educated guess. Comodo is a root CA. You don't get root
status by having a handful of customers.
The number of customers was never a known criterion of CAs' business
practices.
It's hard business to break into, and
Comodo has been
Regarding KPMG: It appears to be a Switzerland-based group of
auditors. http://www.kpmg.com/Global/ContactUs/Pages/InternationalHotline.aspx
has contact information for the Group which relates to accounting,
auditing, or other irregularities.
For US reporting, http://www.kpmgethics.com/ is where
On 12/29/2008 12:23 PM, Grey Hodge wrote:
On 12/29/2008 3:47 AM Kyle Hamilton cranked up the brainbox and said:
And since the number one reason for having a CA in the root list is
for Mozilla-software user security, how do you arrive at punish [...]
millions of users?
If all of Comodo's
On 29.12.2008 07:59, Nelson B Bolyard wrote:
Perhaps the policy should even go so far, as Kai has suggested, as to
require that whatever entity performs the verification of subject
identity for the CA must be audited.
Yes. Not perhaps.
The verification is one of the two core operations of
2008/12/29 Kaspar Brand m...@velox.ch
Nelson B Bolyard wrote:
Fost1954 wrote, On 2008-12-27 06:54:
My personal question: Is this warning dialog really ALWAYS the case ?
I think the question is: is there any way for a web site to suppress
that dialog?
[...] But it's relatively easy to
On 29/12/08 22:07, Nelson B Bolyard wrote:
Eddy Nigg wrote, On 2008-12-29 05:50 PST:
There is now an interesting article at The Register:
http://www.theregister.co.uk/2008/12/29/ca_mozzilla_cert_snaf/
We hear now some words from the house of Comodo:
[snip]
Interesting that Comodo founded the
On 29/12/08 23:37, Kyle Hamilton wrote:
This comment is likely going to be viewed as being in poor taste...
It is rather on point. It is also likely to be viewed as poor taste :)
Wasn't it a lack of regulation that managed to put the US and the rest
of the world into this economic
Kyle Hamilton wrote, On 2008-12-29 01:08:
On Sun, Dec 28, 2008 at 11:26 PM, Anders Rundgren wrote:
[suggestion of XER snipped]
According to a recent discussion in PKIX the only safe way dealing
with certificates is treating them as blobs because a lot of CAs do
not use proper DER encoding.
On 12/29/2008 4:46 PM Eddy Nigg cranked up the brainbox and said:
The number of customers was never a known criterion of CAs' business
practices.
I also don't know how many credit cards Bank of America issues, but I can
guess with reasonable accuracy.
Isn't the responsibility of a CA this
On Mon, Dec 29, 2008 at 4:59 PM, Ian G i...@iang.org wrote:
As far as I heard, the CABForum was also formed or inspired from a similar
group of vendors (browsers) that got together at the invite of the Konqueror
guy to talk about phishing one day ...
Question for now: is the CABForum still a
I would LOVE for Comodo to clean up its practices.
Including decertifying the CA that does not adhere to financial
levels of control that is certified by a CA that does.
-Kyle H
On Mon, Dec 29, 2008 at 5:44 PM, Grey Hodge g...@burntelectrons.org wrote:
On 12/29/2008 4:46 PM Eddy Nigg cranked
On 29.12.2008 19:04, Frank Hecker wrote:
So, in theory at least a WebTrust for CAs audit is supposed to confirm
management's assertions that verification of subscriber information is
being done properly, including any verifications done by third-party
RAs acting on behalf of the CA. In
On 12/30/2008 03:44 AM, Grey Hodge:
Considering the KNOWN size of the breach, a maximum of 111 certs, less than
ten percent of which could not be verified in 2 days, only 2 of which were
confirmed to be fraudulent (both your attempts), I don't think this requires a
revocation. If we /can/
On 12/30/2008 04:04 AM, Ben Bucksch:
So, who actually controls that verifications are done at all? I mean,
paper is nice, I can claim and write all I want, and not actually do it,
but I thought the point of the audit was to *check* and control and
ensure that the processes are *actually* carried
On 12/30/2008 04:23 AM, Eddy Nigg:
This is most likely not what the Mozilla CA Policy envisioned and
requires. As a matter of fact, we could have known about it and
considered it insufficient during Comodo's review last spring.
Unfortunately even if it came up in some form, it drowned by the
Ian G wrote, On 2008-12-29 16:59:
As far as I heard, the CABForum was also formed or inspired from a
similar group of vendors (browsers) that got together at the invite of
the Konqueror guy to talk about phishing one day ...
I think Mozilla's own Mr. Gervase Markham had something to do with
If we decide that a CA does not operate properly, but we don't want to
cause problems for users, another option would be to shorten the expiry
date of the relevant root certs to one year or less.
Technically, that should be possible. The cert is public anyways. The
current certs are probably