Re: SSL problem diagnosis tool

2009-02-04 Thread Gervase Markham
Jean-Marc Desperrier wrote: Gerv, what about changing the Firefox SSL page/implementation so that in that situation, for those 99% of the market, it gives the most informative information, non scary, non blocking possible ? Even when there was an error in the configuration ? I'm not sure we

Re: SSL problem diagnosis tool

2009-02-04 Thread Eddy Nigg
On 02/04/2009 11:28 AM, Gervase Markham: Jean-Marc Desperrier wrote: Gerv, what about changing the Firefox SSL page/implementation so that in that situation, for those 99% of the market, it gives the most informative information, non scary, non blocking possible ? Even when there was an error

Re: CA switched to SHA-1?

2009-02-04 Thread pontus
On 3 Feb, 19:19, Michael Kohler michaelkoh...@live.com wrote: Good evening, have now all CAs switched to SHA-1 encryption due to the MD5 collision attack on CA certs? Michael Almost everyone, but not all :p There are still some CAs issuing RSA+MD5 etc If you got an MD5 certificate I suggest

Re: DCSSI Root Inclusion Request

2009-02-04 Thread Frank Hecker
Eddy Nigg wrote: On 02/03/2009 01:12 AM, Kyle Hamilton: If you haven't read my prior thanks on this list, K, then I thank you from the bottom of my heart for helping to bring order to the chaos and quagmire that the root list has historically suffered. Seconded from the bottom of another

Re: DCSSI Root Inclusion Request

2009-02-04 Thread Frank Hecker
kathleen95...@yahoo.com wrote: DCSSI’s root inclusion request has been in public discussion for a week now. No issues or concerns about this request have been raised. According to https://wiki.mozilla.org/CA:How_to_apply “If there are no open issues or action items after the first discussion

Re: DSV/S-TRUST root inclusion request

2009-02-04 Thread Frank Hecker
Eddy Nigg wrote: Update: One of the CA roots requested for inclusion is valid until 2030: S-TRUST Authentication and Encryption Root CA 2005:PN Valid until: 06/22/2030 02:59:59 The above mentioned issue does not apply to this root. Incidentally this root was also included at Microsoft, the

Re: SECOM Trust EV root inclusion request

2009-02-04 Thread Frank Hecker
Eddy Nigg wrote: According to Frank, he has reviewed the audit reports which isn't public. This might be a problem. No, I previously posted about that. I don't like having a private audit report, but it was not SECOM Trust's fault (or even its auditor's fault, IIRC). The final issue from my

Building certificate trusted chain problem

2009-02-04 Thread Vidal Pascal
Hello, I look for some information about Firefox and the building trusted chain mechanism. I have a certificate containing two URLs in the AIA extension: 1) p7c files containing cross-certificates 2) OCSP URL I made a two PKI domain cross-certified with each one. I tried to verify the identity

Re: SSL problem diagnosis tool

2009-02-04 Thread Kyle Hamilton
Realistically, the only way to describe this kind of thing to an end-user is to bring up something -- in a language the user can understand -- that explains what's going on with the connection. My current thinking is that this needs to be brought up for all connections, not just connections that

Re: Policy: revoke on private key exposure

2009-02-04 Thread Frank Hecker
Michael Ströder wrote: Julien R Pierre - Sun Microsystems wrote: Paul Hoffman wrote: At 3:45 PM -0800 1/21/09, Nelson B Bolyard wrote: Perhaps Mozilla should change its policy to require CAs to revoke certs when the private key is known to be compromised, whether or not an attack is in

Re: SSL problem diagnosis tool

2009-02-04 Thread Ian G
On 4/2/09 10:49, Kyle Hamilton wrote: Realistically, the only way to describe this kind of thing to an end-user is to bring up something -- in a language the user can understand -- that explains what's going on with the connection. My current thinking is that this needs to be brought up for all

Re: Policy: revoke on private key exposure

2009-02-04 Thread Ian G
On 4/2/09 18:09, Frank Hecker wrote: Now, with regard to making this a formal policy requirement, I have the following questions: 1. To what extent do typical CPSs and CPs address this issue? In other words, if we were to read the average CPS/CP, would it have language that would unambiguously

Re: Full Disclosure!

2009-02-04 Thread Frank Hecker
Eddy Nigg wrote: On 01/03/2009 05:38 AM, Eddy Nigg: Before anybody else does, I prefer from posting it myself :-) http://blog.phishme.com/2009/01/nobody-is-perfect/ http://schmoil.blogspot.com/2009/01/nobody-is-perfect.html For the interested, StartCom is currently checking if I can release

Re: Proposal to split this list

2009-02-04 Thread Johnathan Nightingale
On 4-Feb-09, at 1:37 PM, Frank Hecker wrote: Gervase Markham wrote: Paul Hoffman wrote: Having a separate policy list would help the technology folks focus on what they do best. It would also help keep the policy people keep their discussion out of bits-on-the-wire and up in the what should

Re: Policy: revoke on private key exposure

2009-02-04 Thread Eddy Nigg
On 02/04/2009 07:09 PM, Frank Hecker: 1. To what extent do typical CPSs and CPs address this issue? In other words, if we were to read the average CPS/CP, would it have language that would unambiguously tell us whether our policy requirement were met or not? Or is this something that's typically

Re: Proposal to split this list

2009-02-04 Thread Frank Hecker
Johnathan Nightingale wrote re bug 475473: I think that bug isn't resolved yet because google groups has been acting up a bit lately. Another recent newsgroup creation, (mozilla.dev.tree-management) was finally picked up about a week after creation, but messages still aren't appearing there.

mod_nss self signed cert for ocsp responder

2009-02-04 Thread Ahnjoan Amous
I'm attempting configuration of mod_nss to use an OCSP responder. My OCSP responder uses a self signed certificate (call it OCSPcert) to sign responses, my web server uses a certificate (call it SERVERcert) signed by a trusted CA (call it CA1cert). I also have a second trusted CA (call it

Re: Proposal to split this list

2009-02-04 Thread Eddy Nigg
On 02/04/2009 09:11 PM, Frank Hecker: OK, thanks for the info. I guess we'll just wait for this to resolve itself, then we can verify that the new group is operating properly (and the mailing list also) and then make an announcement in m.d.t.crypto and m.d.security. Seems to work here.

Re: Howto sign CRMF requests?

2009-02-04 Thread Nelson B Bolyard
axi...@googlemail.com wrote, On 2009-02-03 04:09: I created a certification request (CRMF) programmatically with JavaScript/Firefox using the crypto.generateCRMFRequest() method. Now I'd like to sign this request on a server and generate a response (CMMF) to be imported via

Re: Policy: revoke on private key exposure

2009-02-04 Thread Frank Hecker
Ian G wrote re revocation on compromise: I happen to be in that area at the moment as I am reading CAcert against the criteria, so I will pass on their CPS [2]: Thanks for this info! Certificates may be revoked under the following circumstances: 1. As initiated by the Subscriber

Re: mod_nss self signed cert for ocsp responder

2009-02-04 Thread Robert Relyea
Ahnjoan Amous wrote: I'm attempting configuration of mod_nss to use an OCSP responder. My OCSP responder uses a self signed certificate (call it OCSPcert) to sign responses, my web server uses a certificate (call it SERVERcert) signed by a trusted CA (call it CA1cert). I also have a second

Re: newbie problems with certutil and signtool

2009-02-04 Thread Nelson B Bolyard
David Tiertant wrote, On 2009-02-03 08:48 PST: I'm working in InstallShield to create a web installer for one of our software packages. The installer for IE builds fine, but Firefox requires a Netscape certificate. InstallShield is supposed to build this automatically, but something is

Re: Policy: revoke on private key exposure

2009-02-04 Thread Frank Hecker
Eddy Nigg wrote re revocation on compromise: Generally CAs can act upon mere knowledge about certain circumstances for revoking certificates. snip I believe that the StartCom CPS isn't unique in regards to revocation which states: Circumstances for Revocation Revocation of a certificate is

Re: newbie problems with certutil and signtool

2009-02-04 Thread Kyle Hamilton
InstallShield is its own separate thing. Newer versions use the Microsoft Installer (MSI) capability, but it is still made by Acresso (spun off from Macrovision).

Re: Policy: revoke on private key exposure

2009-02-04 Thread Kyle Hamilton
There are two states in the NIST key state transition diagram that are appropriate to this entire concept... compromised (state entered when the private information associated with it -- i.e., the private key and its passphrase, and has only one possible state transition from it) and compromised

Re: Policy: revoke on private key exposure

2009-02-04 Thread Eddy Nigg
On 02/05/2009 04:05 AM, Frank Hecker: * In the near term I think we should make it a recommended practice that CAs should revoke certificates whose private keys are known to be compromised, as well as certificates for which subscriber verification is known to be invalid. Well, a recommendation

Re: Policy: revoke on private key exposure

2009-02-04 Thread Eddy Nigg
On 02/05/2009 04:23 AM, Kyle Hamilton: Once a key is in compromised state, it can never become uncompromised again. Enforcing this is part of the trust that I have in the certification authorities -- and why I don't currently trust any of them to tell me who anyone happens to be, since any CPS

Re: Policy: revoke on private key exposure

2009-02-04 Thread Frank Hecker
Ian G wrote: There have been a lot of calls to change the policy ... has someone thought to keep a record of all these? Here's what I recall so far: * MD5 should be dropped [1] * publication of private key is considered to be compromise + compromise should cause revocation * no