Because only showing the O= is insufficient, you also need to show the
jurisdiction the O= is based in. (In the case of Amazon, it's a Delaware
corporation.)
The fact that browsers are getting tricked into thinking EV doesn't help is
only because their UX designers refuse to allow the information
On 10/12/2018 14:41, Michael Wojcik wrote:
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
Of Michael Ströder
Sent: Saturday, December 08, 2018 06:59
On 12/7/18 11:44 PM, Michael Wojcik wrote:
Homograph attacks combined with phishing would be much cheaper and
easier.
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Michael Ströder
> Sent: Saturday, December 08, 2018 06:59
>
> On 12/7/18 11:44 PM, Michael Wojcik wrote:
> > Homograph attacks combined with phishing would be much cheaper and
> > easier. Get a DV certificate from
On 12/7/18 11:44 PM, Michael Wojcik wrote:
> Homograph attacks combined with phishing would be much cheaper and
> easier. Get a DV certificate from Let's Encrypt for anazom.com or
> amazom.com, or any of the Unicode homograph possibilities
>
> Part of the point of EV certificates was supposed to be
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Blumenthal, Uri - 0553 - MITLL
> Sent: Friday, December 07, 2018 15:30
> If there's a non-EV CA that would give you a cert for DNS name amazon.com -
> I'd like to make sure it's in my list and
> marked Not Trusted.
If there's a non-EV CA that would give you a cert for DNS name amazon.com - I'd
like to make sure it's in my list and marked Not Trusted.
Regards,
Uri
Sent from my iPhone
> On Dec 7, 2018, at 17:02, Kyle Hamilton wrote:
>
> CAs *do* verify the attributes they certify. That they're not
CAs *do* verify the attributes they certify. That they're not presented as
such is not the fault of the CAs, but rather of the browsers who insist on
not changing or improving their UI.
The thing is, if I run a website with a forum that I don't ask for money on
and don't want any transactions
On 12/6/18 11:56 PM, Jakob Bohm via openssl-users wrote:
> Different levels of certainty is the point.
Which never worked well in practice, no matter how hard people tried to
clearly define levels of certainty.
Ciao, Michael.
> On Dec 6, 2018, at 5:56 PM, Jakob Bohm via openssl-users
> wrote:
>
>> While the point of EV was that it certified a binding to a (domain +
>> business name)
>> rather than just a domain with DV, it turned out that displaying the
>> business name
>> was also subject to abuse, and the
On 06/12/2018 21:16, Viktor Dukhovni wrote:
On Dec 6, 2018, at 3:06 PM, Blumenthal, Uri - 0553 - MITLL
wrote:
So, a CA that's supposed to validate its customer before issuing a certificate, may do a
"more sloppy job" if he doesn't cough up some extra money.
I think Peter is exactly right
> On Dec 6, 2018, at 3:06 PM, Blumenthal, Uri - 0553 - MITLL
> wrote:
>
> So, a CA that's supposed to validate its customer before issuing a
> certificate, may do a "more sloppy job" if he doesn't cough up some extra
> money.
>
> I think Peter is exactly right here. CA either do their job,
>> Quoting from Peter Gutmann's "Engineering Security",
>> section "EV Certificates: PKI-me-Harder"
>>
>> Indeed, cynics would say that this was exactly the problem that
>> certificates and CAs were supposed to solve in the first place, and
>> that
On 06/12/2018 11:48, Michael Ströder wrote:
On 12/6/18 10:03 AM, Jakob Bohm via openssl-users wrote:
On 05/12/2018 17:59, Viktor Dukhovni wrote:
IIRC Apple's Safari is ending support for EV, and some say that EV
has failed, and are not sorry to see it go.
This is very bad for security. So
On 12/6/18 10:03 AM, Jakob Bohm via openssl-users wrote:
> On 05/12/2018 17:59, Viktor Dukhovni wrote:
>> IIRC Apple's Safari is ending support for EV, and some say that EV
>> has failed, and are not sorry to see it go.
>
> This is very bad for security. So far the only real failures have
> been:
On 05/12/2018 17:59, Viktor Dukhovni wrote:
On Dec 5, 2018, at 4:49 AM, Jan Just Keijser wrote:
The only reason to use OCSP I currently have is in Firefox: if you turn off
"Query OCSP responder servers" in Firefox then EV certificates will no longer
show up with their owner/domain name.
IIRC
> On Dec 5, 2018, at 4:49 AM, Jan Just Keijser wrote:
>
> The only reason to use OCSP I currently have is in Firefox: if you turn off
> "Query OCSP responder servers" in Firefox then EV certificates will no longer
> show up with their owner/domain name.
IIRC Apple's Safari is ending support
Hi,
On 03/12/18 21:40, Viktor Dukhovni wrote:
On Dec 3, 2018, at 3:35 PM, Charles Mills wrote:
OCSP and OCSP stapling are currently higher on my wish list than this.
Good luck with OCSP, the documentation could definitely be better, and
various projects get it wrong. IIRC curl gets OCSP
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Question on necessity of
SSL_CTX_set_client_CA_list
> On Dec 3, 2018, at 3:35 PM, Charles Mills wrote:
>
> OCSP and OCSP stapling are currently higher on my wish list than this.
Good luck with OCSP, the documentation could d
> On Dec 3, 2018, at 3:35 PM, Charles Mills wrote:
>
> OCSP and OCSP stapling are currently higher on my wish list than this.
Good luck with OCSP, the documentation could definitely be better, and
various projects get it wrong. IIRC curl gets OCSP right, so you
could look there for example
Re: [openssl-users] Question on necessity of
SSL_CTX_set_client_CA_list
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Charles Mills
> Sent: Monday, December 03, 2018 10:55
>
> Got it. Thanks. I would think the basic client case is "on
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Charles Mills
> Sent: Monday, December 03, 2018 10:55
>
> Got it. Thanks. I would think the basic client case is "one certificate, one
> CA"
I'm going to disagree somewhat with this assumption, but not necessarily
the issue in mind if a problem
comes up.
Charles
-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
Viktor Dukhovni
Sent: Sunday, December 2, 2018 5:50 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Question on
> On Dec 2, 2018, at 7:38 PM, Charles Mills wrote:
>
> I have an OpenSSL (v1.1.0f) server application that processes client
> certificates.
>
> The doc for SSL_CTX_load_verify_locations() states “In server mode, when
> requesting a client certificate, the server must send the list of CAs of
Do I need to say no calls to SSL_CTX_set_client_CA_list() nor any of the
three related functions listed on the man page?
Charles
From: Charles Mills [mailto:charl...@mcn.org]
Sent: Sunday, December 2, 2018 4:38 PM
To: 'openssl-users@openssl.org'
Subject: Question on necessity of