Re: security.OCSP.require in Firefox

2009-10-13 Thread Rob Stradling
On Monday 12 October 2009 16:29:23 Daniel Veditz wrote: On 10/12/09 3:13 AM, Rob Stradling wrote: Perhaps the time has come for the browsers to force all of the other CAs to take their OCSP responsibility seriously, by requiring OCSP by default. Firefox cannot take that step unilaterally,

Re: security.OCSP.require in Firefox

2009-10-13 Thread Johnathan Nightingale
On 13-Oct-09, at 2:04 AM, Rob Stradling wrote: An alternate approach I'd like to lobby our front-end guys on would be to put up a scary red bar when we can't validate OCSP. I think that your suggestion strikes a good balance between security and usability. Sorry I missed this thread -

Re: security.OCSP.require in Firefox

2009-10-13 Thread Eddy Nigg
On 10/13/2009 06:23 PM, Johnathan Nightingale: As for ipsCA, I find myself agreeing with Eddy's point: that the null bytes are a regrettable validation error that we should work with ipsCA to ensure they fix; but NXDOMAIN on an OCSP server that appears in issued certs is a bigger problem. I'm

Re: security.OCSP.require in Firefox

2009-10-13 Thread Ian G
On 13/10/2009 18:23, Johnathan Nightingale wrote: On 13-Oct-09, at 2:04 AM, Rob Stradling wrote: An alternate approach I'd like to lobby our front-end guys on would be to put up a scary red bar when we can't validate OCSP. I think that your suggestion strikes a good balance between security

OCSP responder key/certificate thoughts

2009-10-13 Thread Kyle Hamilton
[Please follow-up to dev-security-policy -- which is where most things having to do with CA and browser interaction policies are discussed.] I'm trying to figure out how much of the OCSP slowness and server underpowering is due to the sizes of the keys used, or limitations of the HSMs (and

Re: security.OCSP.require in Firefox

2009-10-13 Thread Daniel Veditz
On 10/13/09 9:23 AM, Johnathan Nightingale wrote: The temptation to attach UI to this problem sets off blame the user alarms for me - do we think that users will make better decisions with this information? Like I say, I don't think we're at WONTFIX on this question, but I don't think it's an

Re: security.OCSP.require in Firefox

2009-10-13 Thread Lucas Adamski
FWIW I'm not a big believer in trying to communicate finely graduated tiers of risk to end users either. It's already a battle trying to get users to understand the difference between a clearly valid vs invalid certificate. I use the grandmother rule for security dialogs... if you can't

Re: security.OCSP.require in Firefox

2009-10-13 Thread Daniel Veditz
On 10/13/09 10:12 AM, Eddy Nigg wrote: #B is important because we are already a month after the alleged bug happened, plenty of time to get the act together. I think this warrants some actions, a review and renewed confirmation of compliance might be a good thing to do in this case. These certs

Re: security.OCSP.require in Firefox

2009-10-13 Thread Ian G
On 14/10/2009 02:04, Daniel Veditz wrote: On 10/13/09 9:23 AM, Johnathan Nightingale wrote: The temptation to attach UI to this problem sets off blame the user alarms for me - do we think that users will make better decisions with this information? Like I say, I don't think we're at WONTFIX on

Re: OCSP responder key/certificate thoughts

2009-10-13 Thread Eddy Nigg
On 10/13/2009 11:26 PM, Kyle Hamilton: I'm trying to figure out how much of the OCSP slowness and server underpowering is due to the sizes of the keys used, or limitations of the HSMs (and drivers) that these systems are using. Kyle, it's a myth, there are CAs having very responsive OCSP

Re: security.OCSP.require in Firefox

2009-10-13 Thread Nelson Bolyard
Daniel Veditz wrote: On 10/13/09 10:12 AM, Eddy Nigg wrote: #B is important because we are already a month after the alleged bug happened, plenty of time to get the act together. I think this warrants some actions, a review and renewed confirmation of compliance might be a good thing to do

Re: security.OCSP.require in Firefox

2009-10-13 Thread Daniel Veditz
On 10/13/09 5:14 PM, Lucas Adamski wrote: For the small percentage of (power) users that can really understand the implications of a question like the OCSP URL provided by this certificate does not appear to be valid at this moment, would you like to continue, Just to be clear at no point did