Re: Mozilla's Expectations for OCSP Incident Reporting
Browsers by default just ignore any OCSP error. So while the browser might have seen an error getting the OCSP reply, the user is not aware of it. And why do browsers ignore OCSP errors? Because some CAs don't take OCSP errors seriously. So yes, it has an impact: it comforts browsers in that situation, which is less than ideal, because it impacts the security of *all* users.

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: Possible violation of CAA by nazwa.pl
> The party actually running the authoritative DNS servers is in control of the domain.

I'm not sure I agree. They can control the domain, but they are supposed to be subordinate to the domain owner. If they did something without the owner's consent/approval, it really looks like a domain hijacking.

> I'm not suggesting that the CA did anything untoward in issuing this
> certificate.

I am not suggesting that at all. My opinion is that if the CA was aware that the owner didn't ask for/consent to that issuance, then if it's not a misissuance according to the BRs, it should be.
Submission to ct-logs of the final certificate when there is already a pre-certificate
Following the discussion on https://community.letsencrypt.org/t/non-logging-of-final-certificates/58394

What is the position of Mozilla about the submission to CT logs of the final certificate when there is already a pre-certificate?

As it helps discover bugs ( https://twitter.com/_quirins/status/979788044994834434 ), it helps the accountability of CAs, and it's easily enforceable, I feel that it should be mandatory.
Re: wosign and letsencrypt.cn / letsencrypt.com.cn
Hi Gerv,

> It's never come up. But I think we would be reluctant to intervene;

Thank you for that answer. I understand it.

> there are other mechanisms for sorting out such disputes, and it's not
> our job to interpret or enforce trademark law or domain name dispute
> resolution law.

There are other mechanisms. But they are hard to use, especially between countries.

As a Firefox user, I expect that CAs trusted by Firefox are clearly identifiable and distinguishable from each other. We need CAs to avoid website impersonation. In order to achieve that, I feel that "CA impersonation" must be avoided above all. And the logical way to do it, in my opinion, is in the Mozilla CA Certificate Policy.

Tom