On 02/07/2012 09:58 PM, Kai Engert wrote:
On 07.02.2012 17:54, Ondrej Mikle wrote:
The phone calls would ensure that each registered person will be aware
of the certificate issuance.
This is getting very close to EV validation (Sovereign Keys have the
same issue).
I'd say making phone
On 08/02/12 12:43, Ondrej Mikle wrote:
On 02/07/2012 09:58 PM, Kai Engert wrote:
snip
That's a reason why I propose vouchers to be IP specific.
In my understanding, each IP will have only a single certificate,
regardless from where in the world you connect to it.
It's not true in general.
On 02/07/2012 06:04 PM, Kai Engert wrote:
The CA will remember the association {IP, certificate}. In future
requests, as long as this requesting IP requests a voucher for the same
certificate, the described bidirectional authentication and verification
will be sufficient.
Just a technicality:
Hi,
Google just published the changes they are about to do in the revocation
checking in Chrome:
http://www.imperialviolet.org/2012/02/05/crlsets.html
In my opinion, maybe somewhat opposite to the way they describe it,
fundamentally they are not *at* *all* changing the standard PKI method
My criticism:
(a)
I don't like it that the amount of CRLs will be a subset of all CRLs.
What about all the revoked certificates that aren't included in the list?
With a dynamic mechanism like OCSP (and in the future OCSP stapling) you
don't have to make a selection.
(b)
I don't like it
On 02/08/2012 09:58 PM, From Jean-Marc Desperrier:
Whereas the optimal solution would be to download each day a delta
CRL, with only the difference with the previous day, and containing
only the revocation reasons you *really* care about (key compromise).
A certificate can be either valid,
On 02/09/2012 12:18 AM, From Nelson B Bolyard:
Will they really include the CRLs from all of mozilla's trusted CAs?
Won't the union of all those CRLs be huge, even if they strip off
certain reason codes?
BTW, this proposal wouldn't be a problem if it would cover, let's say the
top 500 sites
Eddy Nigg wrote:
On 02/09/2012 12:18 AM, From Nelson B Bolyard:
BTW, this proposal wouldn't be a problem if it would cover, let's say
the top 500 sites and leave the rest to the CAs. There would be
probably also the highest gains.
Effectively, we would be making the most popular servers on the
On 9/02/12 06:58 AM, Jean-Marc Desperrier wrote:
In conclusion I'm 100% in favor of Mozilla adopting this solution,
+1
I haven't looked closely but I'm confident they will do the right thing
in this area.
iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
On 02/08/2012 04:20 PM, Brian Smith wrote:
However, I don't think we should reject Google's improvement here because it
isn't perfect. OCSP fetching is frankly a stupid idea, and AFAICT, we're all
doing it mostly because everybody else is doing it and we don't want to look
less secure. In the
On 9/02/12 09:18 AM, Nelson B Bolyard wrote:
On 2012/02/08 12:57 PDT, Kai Engert wrote:
My criticism:
[snip]
Won't the set of CRLs be too big for download?
[snip]
This is my question as well.
Will they really include the CRLs from all of mozilla's trusted CAs?
Won't the union of all those
On 02/09/2012 02:20 AM, From Brian Smith:
Effectively, we would be making the most popular servers on the
internet faster, and giving them a significant competitive advantage
over less popular servers. I am not sure this is compatible with
Mozilla's positions on net neutrality and related