Re: Words from Comodo?
On Tuesday 30 December 2008 22:22:11 Gervase Markham wrote:
> Ian G wrote:
> > As far as I heard, the CABForum was also formed or inspired from a
> > similar group of vendors (browsers) that got together at the invite of
> > the Konqueror guy to talk about phishing one day ...
>
> I'm fairly sure it wasn't at the invitation of the Konqueror guy (George
> Staikos), but a CA-led initiative right at the very beginning. But my
> memory could be failing me, or there could have been meetings I didn't
> know about.

Gerv, your memory is correct.

Comodo instigated and hosted an "Industry Round Table" on May 17th 2005,
inviting various CAs and Browser reps to attend. This meeting led directly
to the formation of the CABForum.

Comodo's intention was to stop the "race to the bottom" and to restore the
value of the browser padlock by creating an industry standard for IV/OV and
by persuading the browsers to differentiate between DV and IV/OV.

(I just tried to post this same message with a PDF attachment containing
the invitation to the "Industry Round Table", but it appears that that
message was blocked).

> > Question for now: is the CABForum still a closed group?
>
> Depends what you mean by 'closed'. There are membership criteria, and
> anyone who fits the criteria can be a member. See the bottom of this page:
> http://www.cabforum.org/forum.html
>
> Gerv

--
Rob Stradling
Senior Research & Development Scientist
Comodo - Creating Trust Online
Office Tel: +44.(0)1274.730505
Fax Europe: +44.(0)1274.730909
www.comodo.com

Comodo CA Limited, Registered in England No. 04058690
Registered Office:
  3rd Floor, 26 Office Village, Exchange Quay,
  Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the sender by
replying to the e-mail containing this attachment. Replies to this email
may be monitored by Comodo for operational or business reasons. Whilst
every endeavour is taken to ensure that e-mails are free from viruses, no
liability can be accepted and the recipient is requested to use their own
virus checking software.

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Words from Comodo?
On Monday 29 December 2008 13:50:58 Eddy Nigg wrote:
> There is now an interesting article at "the register":
> http://www.theregister.co.uk/2008/12/29/ca_mozzilla_cert_snaf/
> Interesting that Comodo founded the CAB forum and Comodo created a
> standard for domain control validation. I wonder where exactly? This
> might be reason to join the CAB forum?

Eddy, assuming Startcom meets the CABForum's membership requirements (see
http://www.cabforum.org/forum.html), I would definitely encourage you to
apply to join. This would allow you to contribute to the "minimum standards
for domain validation" initiative mentioned by that Reg article.

--
Rob Stradling
Senior Research & Development Scientist
Comodo - Creating Trust Online
Re: Words from Comodo?
Ian G wrote:
> As far as I heard, the CABForum was also formed or inspired from a
> similar group of vendors (browsers) that got together at the invite of
> the Konqueror guy to talk about phishing one day ...

I'm fairly sure it wasn't at the invitation of the Konqueror guy (George
Staikos), but a CA-led initiative right at the very beginning. But my
memory could be failing me, or there could have been meetings I didn't
know about.

> Question for now: is the CABForum still a closed group?

Depends what you mean by 'closed'. There are membership criteria, and
anyone who fits the criteria can be a member. See the bottom of this page:
http://www.cabforum.org/forum.html

Gerv
CABForum place in the world (was: words from comodo)
On 30/12/08 04:22, Nelson B Bolyard wrote:
> Ian G wrote, On 2008-12-29 16:59:
> > As far as I heard, the CABForum was also formed or inspired from a
> > similar group of vendors (browsers) that got together at the invite of
> > the Konqueror guy to talk about phishing one day ...
>
> I think Mozilla's own Mr. Gervase Markham had something to do with the
> transformation of the CA Forum into the CAB Forum. Maybe he can tell us
> something of that history.

(Could be! We should be careful of the history, though. It is really only
mildly interesting for serious students of how things came to pass. Such
things tend to be a distraction to how things are, now, today. I am guilty
of that same mistake...)

> > Question for now: is the CABForum still a closed group?
>
> My understanding is that CAB Forum is a membership organization, with
> specific qualifications for members. The qualifications are published
> http://cabforum.org/forum.html (bottom of page). There is no membership
> fee (AFAIK), but members seem to be expected to take turns hosting the
> Forum's periodic face-to-face meetings.

Ah, thanks for posting that link. CABForum has 33 CAs and 5 vendors.

* Issuing CA:- The member organization operates a certification authority
  that has a current and successful WebTrust for CAs audit, or ETSI 102042
  or ETSI 101456 audit report prepared by a properly-qualified auditor, and
  that actively issues certificates to Web servers that are openly
  accessible from the Internet using any one of the mainstream browsers.

* Root CA:- The member organization operates a certification authority that
  has a current and successful WebTrust for CAs, or ETSI 102042 or ETSI
  101456 audit report prepared by a properly-qualified auditor, and that
  actively issues certificates to subordinate CAs that, in turn, actively
  issue certificates to Web servers that are openly accessible from the
  Internet using any one of the mainstream browsers.

* Browser:- The member organization produces a software product intended
  for use by the general public for browsing the Web securely.

AND

In addition to the above entities, members of the Information Security
Committee of the American Bar Association Section of Science & Technology
Law and the Canadian Institute of Chartered Accountants have participated
in developing the standards for Extended Validation SSL certificate
procedures and standards.

My thoughts only (but note that as I am part of the excluded peoples, these
words should be treated as potentially biased):

A tightly closed membership, oriented to CAs in their chosen segment. As
CAs, they incline towards including two other groups, being the upstream
audit organisations who provide the WebTrust, and the downstream browsers
who consume the WebTrust. However, they include no other stakeholder
groups. Of especial concern, nobody who speaks for the end-user, even
though they clearly intend as a group to sell to these end-users.

Given such a structure, it is hard to see how they can avoid the fate of
protecting the franchise. Although I'm sure they do careful work in
documenting the current thinking, it is not reasonable to expect them to
do new thinking and to think about the new threat environment, nor to
resist the trap of increasing work loads and complexity, and reducing
availability and delivered security. Relying parties should not look to
them for that.

Old Chinese curse: be careful what you wish for.

iang

[1] For further info, check their mission and their mailing lists for open
discussion and open subscription.
Re: Words from Comodo?
Ian G wrote, On 2008-12-29 16:59:
> As far as I heard, the CABForum was also formed or inspired from a
> similar group of vendors (browsers) that got together at the invite of
> the Konqueror guy to talk about phishing one day ...

I think Mozilla's own Mr. Gervase Markham had something to do with the
transformation of the CA Forum into the CAB Forum. Maybe he can tell us
something of that history.

> Question for now: is the CABForum still a closed group?

My understanding is that CAB Forum is a membership organization, with
specific qualifications for members. The qualifications are published
http://cabforum.org/forum.html (bottom of page). There is no membership
fee (AFAIK), but members seem to be expected to take turns hosting the
Forum's periodic face-to-face meetings.
Re: Words from Comodo?
On Mon, Dec 29, 2008 at 4:59 PM, Ian G wrote:
> As far as I heard, the CABForum was also formed or inspired from a similar
> group of vendors (browsers) that got together at the invite of the Konqueror
> guy to talk about phishing one day ...
>
> Question for now: is the CABForum still a closed group?

I'm pretty sure that Google wasn't part of it from day 1, but they're a part
of it now?

-Kyle H
Re: Words from Comodo?
On 29/12/08 22:07, Nelson B Bolyard wrote:
> Eddy Nigg wrote, On 2008-12-29 05:50 PST:
> > There is now an interesting article at "the register":
> > http://www.theregister.co.uk/2008/12/29/ca_mozzilla_cert_snaf/
> >
> > We hear now some words from the house of Comodo:
> [snip]
> > Interesting that Comodo founded the CAB forum and Comodo created a
> > standard for domain control validation. I wonder where exactly? This
> > might be reason to join the CAB forum?
>
> Eddy, I wouldn't assume that the text you quoted was a verbatim quote from
> anyone at Comodo. I think it may have been a paraphrase.
>
> The CAB Forum was founded by the members of the CA forum, which includes
> a lot of CAs, so I have little doubt that Comodo really was among the
> founders of CABForum.
>
> At least one member of the CABForum has expressed interest in the Forum
> setting minimum DV standards. It remains to be seen if the Forum as a
> whole will adopt that task.

As far as I heard, the CABForum was also formed or inspired from a similar
group of vendors (browsers) that got together at the invite of the Konqueror
guy to talk about phishing one day ...

Question for now: is the CABForum still a closed group?

iang
Re: Words from Comodo?
Eddy Nigg wrote, On 2008-12-29 05:50 PST:
> There is now an interesting article at "the register":
> http://www.theregister.co.uk/2008/12/29/ca_mozzilla_cert_snaf/
>
> We hear now some words from the house of Comodo:
[snip]
> Interesting that Comodo founded the CAB forum and Comodo created a
> standard for domain control validation. I wonder where exactly? This
> might be reason to join the CAB forum?

Eddy, I wouldn't assume that the text you quoted was a verbatim quote from
anyone at Comodo. I think it may have been a paraphrase.

The CAB Forum was founded by the members of the CA forum, which includes a
lot of CAs, so I have little doubt that Comodo really was among the
founders of CABForum.

At least one member of the CABForum has expressed interest in the Forum
setting minimum DV standards. It remains to be seen if the Forum as a
whole will adopt that task.
Words from Comodo?
There is now an interesting article at "the register":
http://www.theregister.co.uk/2008/12/29/ca_mozzilla_cert_snaf/

We hear now some words from the house of Comodo:

  Comodo said that it was pushing for minimum standards for domain
  validation (DV) certificates.

  The problem illustrated in this unfortunate event highlights the
  vulnerability inherent with DV certificates. All DV certificates are
  theoretically susceptible to this man in the middle (MITM) exploitation.
  While the CAB Forum, which was founded by Comodo, has established
  guidelines for highly validated Extended Validation (“EV”) Certificates,
  no minimum standard has been adopted. Earlier this month at the CAB
  Forum’s most recent meeting, Comodo put forward a minimum standard for
  all SSL certificates which, if adopted, would eliminate this MITM attack.
  DV certificates' susceptibility to MITM attacks is well known. Minimum
  standards are well overdue.

Interesting that Comodo founded the CAB forum and Comodo created a standard
for domain control validation. I wonder where exactly? This might be reason
to join the CAB forum?

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org