On 04/09/2011 10:32 PM, From Adam Barth:
Yes. Certificate (or CA) pinning in HSTS is an agreement between a
web site and a browser.
Excellent! Even though I assume that this still prevents only a
particular failure and probably should never be a substitute or shifting
of responsibilities
).
The premise (and a not unreasonable one) is that such a list can be generated
if
needed.
I expect that Mozilla will not come up with the resources for it.
Regards
Signer: Eddy Nigg, StartCom Ltd. http://www.startcom.org
Jabber: [EMAIL PROTECTED] xmpp:[EMAIL PROTECTED]
Blog
Gervase Markham:
Eddy Nigg (StartCom Ltd.) wrote:
Oh, that would technically not be possible I guess. Searching for such
keys dynamically could take hours per key, hence previously created
keys are used. They would need to be hosted somewhere and compared to.
That's why Mozilla would
Gervase Markham:
Eddy Nigg (StartCom Ltd.) wrote:
Locally stored where exactly? Do you have an idea how big such a list
which would cover just the most commonly used key sizes would be?
Doesn't sound feasible to me, hence I thought you were talking about
some kind of lookup service
the certificate because of somebody detected a
weak key. I haven't encountered such a situation yet and doesn't make
much sense.
Suggestions?
Even if it doesn't sound so good, do nothing is the right thing to do I
think.
Regards
Signer: Eddy Nigg, StartCom Ltd. http
that
already.
I had no clue what other CAs decided in that respect and I offered our
estimates and decisions on this subject. That's not something
coordinated. I'm open to suggestions as always.
--
Regards
Signer: Eddy Nigg, StartCom Ltd. http://www.startcom.org
Jabber
the cxv32.com domain already all over the
place? Tested with FF3 and FF2...
--
Regards
Signer: Eddy Nigg, StartCom Ltd. http://www.startcom.org
Jabber: [EMAIL PROTECTED] xmpp:[EMAIL PROTECTED]
Blog: Join the Revolution! http://blog.startcom.org
Phone: +1.213.341.0390
Eddy Nigg (StartCom Ltd.):
I just wonder why the h*** Google anti-phishing tool still allows me
to go to
http://comerica.connect.tmconnectweb.login.cgi.msg5984.time32491989.webbizcompany.c1b9r62whf314lx53xq.secureserv.onlineupdatemirror66272.comerica.certificateupdate.cxv32.com/logon.htm
,
since todays requirements and sites are mostly not static, but
dynamically assembled on the server side. In my opinion, the security
concept of the Mozilla browser(s) is not really usable... :-(
--
Regards
Signer: Eddy Nigg, StartCom Ltd. http://www.startcom.org
Jabber
Hi Gerv,
Gervase Markham wrote:
Eddy Nigg (StartCom Ltd.) wrote:
Or I could simply push the Backup button of the certificate viewer?
Except that in this very specific case, the copyright of the different
CA certificates are perhaps that of the CAs themselves. However
distribution
of the certdata.txt file can be
loaded at run-time as opposed at compile time, this problem could be
solved that way easily.
--
Regards
Signer: Eddy Nigg, StartCom Ltd. http://www.startcom.org
Jabber: [EMAIL PROTECTED] xmpp:[EMAIL PROTECTED]
Blog: Join the Revolution! http
://www.verisign.com/repository/roots/pca_certificate.html
--
Regards
Signer: Eddy Nigg, StartCom Ltd. http://www.startcom.org
Jabber: [EMAIL PROTECTED] xmpp:[EMAIL PROTECTED]
Blog: Join the Revolution! http://blog.startcom.org
Phone: +1.213.341.0390
Hecker wrote:
Eddy Nigg (StartCom Ltd.) wrote:
So is the assumption correct, that if I or anybody else extracts the CA
certificates from certdata.txt and uses the result of it, isn't bound to
any licensing constraints, similar as the content of a web page which
the browser displays isn't
situation of loosing control.
--
Regards
Signer: Eddy Nigg, StartCom Ltd. http://www.startcom.org
Jabber: [EMAIL PROTECTED] xmpp:[EMAIL PROTECTED]
Blog: Join the Revolution! http://blog.startcom.org
Phone: +1.213.341.0390
___
dev
Thanks for your answer!
Gervase Markham wrote:
Eddy Nigg (StartCom Ltd.) wrote:
Since sometimes there are some licensing concerns with the certdata.txt
file, I wanted to know exactly what one is allowed to do. If for example
by merely extracting the CA certificates with a tool like
know the answer, but try to help another project solve an
issue with this, which affects many other applications. Thanks!
[1]
http://lxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.txt
--
Regards
Signer: Eddy Nigg, StartCom Ltd. http://www.startcom.org
Jabber
;-)
--
Regards
Signer: Eddy Nigg, StartCom Ltd. http://www.startcom.org
Jabber: [EMAIL PROTECTED] xmpp:[EMAIL PROTECTED]
Blog: Join the Revolution! http://blog.startcom.org
Phone: +1.213.341.0390
___
dev-security mailing list
dev
of not being compliant
with the Mozilla CA policy.
--
Regards
Signer: Eddy Nigg, StartCom Ltd. http://www.startcom.org
Jabber: [EMAIL PROTECTED] xmpp:[EMAIL PROTECTED]
Blog: Join the Revolution! http://blog.startcom.org
Phone: +1.213.341.0390
more edits, additions and changes. This would leave the
current CA policy mostly as is now and in the future.
--
Regards
Signer: Eddy Nigg, StartCom Ltd. http://www.startcom.org
Jabber: [EMAIL PROTECTED] xmpp:[EMAIL PROTECTED]
Blog: Join the Revolution! http
configure a web server to accept ANY certificate for client
auth.
--
Regards
Signer: Eddy Nigg, StartCom Ltd. http://www.startcom.org
Jabber: [EMAIL PROTECTED] xmpp:[EMAIL PROTECTED]
Blog: Join the Revolution! http://blog.startcom.org
Phone: +1.213.341.0390
present in client certs, of the competition and spam them for their
services...good thought ;-)
--
Regards
Signer: Eddy Nigg, StartCom Ltd. http://www.startcom.org
Jabber: [EMAIL PROTECTED] xmpp:[EMAIL PROTECTED]
Blog: Join the Revolution! http://blog.startcom.org
Phone
Thanks for the tip! I didn't knew that...
Nelson B wrote:
Eddy Nigg (StartCom Ltd.) wrote:
Does anyone know what the issue might be when trying to build from
trunk? After checkout and building browser or mail static I'm getting:
gmake[6]: ../../../config/./nsinstall: Command not found
SSL connections (broken
lock) anyway. So perhaps the initial question of this thread is really
important and I suggest to require same certificate (or at least same
level) per site. It makes sense in my opinion...
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED
, the browser complains. Guess something
like that should happen here as well (i.e. downgrade).
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Phone: +1.213.341.0390
___
dev-security mailing list
dev-security
if something on the same
site is served by a different level then claimed originally.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Phone: +1.213.341.0390
___
dev-security mailing list
dev-security@lists.mozilla.org
? Obviously this is only important if a distinctions is
made between EV and others... ;-)
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Phone: +1.213.341.0390
Gervase Markham wrote:
As I'm not sure of the way the proposed implementation for EV indication
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Phone: +1.213.341.0390
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
Gervase Markham wrote:
Eddy Nigg (StartCom Ltd.) wrote:
Is there a way to have them commit to that in some way or form? And what
if they'll just say: Well, we looked at it and it's not possible after
you already voted in favor?
I think it's rather unlikely that they would say
Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Phone: +1.213.341.0390
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
and trying to open it up is obviously much harder and I congratulate you
for every success you achieve.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Phone: +1.213.341.0390
___
dev-security mailing list
dev-security
orientated
organization refrains from voting in favor of the EV guidelines!
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Phone: +1.213.341.0390
___
dev-security mailing list
dev-security@lists.mozilla.org
https
this is what it's all
about? Maybe they don't want non-microsoft - non-IE users to
participate? ;-)
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Phone: +1.213.341.0390
___
dev-security mailing list
dev
. It's a service that adds tremendous value for your
subscribers and all their users/customers. I wish more CAs did that.
Thank you for the flowers :-)
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Phone: +1.213.341.0390
not trust button is chosen.
How good that this certificate isn't trusted...which CA issues such a
certificatewww.microsoft.ipsos.com? I guess that the signer is a
fake Verisign certificate
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Phone
have a robot checking for missing ICA certificatesand
send an appropriate message to the subscriber...
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Phone: +1.213.341.0390
___
dev-security mailing list
dev
and should add the intermediate CA certificate to your server...Which
server software are you using?
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Phone: +1.213.341.0390
___
dev-security mailing list
dev-security
I'm replying now to my own mail, as I misunderstood the statement from
you...Of course this is not the correct answer to what you said
Eddy Nigg (StartCom Ltd.) wrote:
I can create a cert which claims to be a VeriSign Class 3 Secure Server
CA and sign my webserver's cert with it. If you
of the obligation to
send their entire server cert chains
Correct.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Phone: +1.213.341.0390
___
dev-security mailing list
dev-security@lists.mozilla.org
https
?
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
:-))
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
for testing and promotional reasons, same as
StartCom uses Class 3 and Class 1 for its own web sites.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
___
dev-security mailing list
dev-security@lists.mozilla.org
https
Gervase Markham wrote:
Eddy Nigg (StartCom Ltd.) wrote:
This is why I asked how to continue from here. But there is a general
proposal on the table, which can be taken as the basis to form a new
policy etc. So which steps would you propose? Shaping and refining
the proposal could be one
Gervase Markham wrote:
Oh, and I'm sure we're taking patches for DNSSec support in Firefox.
Aren't we?
This however would be a very good idea!
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
___
dev-security mailing
).
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
Gervase Markham wrote:
Eddy Nigg (StartCom Ltd.) wrote:
That's right! But the audit confirms exactly that (in your example,
no verification). The CA will have to mark its certificates compared
to its policy which was audited accordingly.
Why will they have to?
Because they would like
such a table...
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
)? Should the UI wait
for the framework? Do the proposals (ours, EV) depend on the UI
proposal? Or should they be implemented without relation?
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
___
dev-security mailing list
[EMAIL PROTECTED] wrote:
They are a Geotrust reseller, but also have issued hundreds of ssl
from their own FlySSL CA: http://www.registerfly.com/ssl/
It's irrelevant! There is no FlySSL in the Mozilla certificate store.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
now on the responsibility and liability?
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
have a completely valid
certificate for a domain name which doesn't belong to you anymore. How's
that?!
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
___
dev-security mailing list
dev-security@lists.mozilla.org
https
a CA certificate to be embedded in
Mozilla software, the CA agrees to adhere to the this policy in full...
and confirm to have read, understood etc. of the same paper...Something
for the lawyers obviously, but I think it has to be done in some way.
--
Regards
Signer: Eddy Nigg, StartCom
and liability of the CA, by making sure anything of it?
Let the CA decide its promise to Mozilla, the subscriber and relying
party and let the CA retain all responsibilities. Mozilla only provides
an interface for the promises.
Hope this makes sense!
--
Regards
Signer: Eddy Nigg, StartCom Ltd
anything
special. Just as example.
If the OID detections for the UI would be possible in Javascript I don't
know.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
___
dev-security mailing list
dev-security
that.
However we were thinking about it too and came to the conclusion that
this might be the right thing to do.
Cheers!
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
___
dev-security mailing list
dev-security@lists.mozilla.org
Eddy Nigg (StartCom Ltd.) wrote:
I'm sorry, but I can't work it out - what does the abbreviation
resp. stand for?
It stands for respective.
Ouuups, it stand for Respectively of course...
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
be build according to this framework however and we suggest its
implementation afterwards.
The proposal is also available as a PDF document at
http://apache-2.startcom.org/moz-pki-proposal.pdf
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
smime.p7s
Description: S/MIME Cryptographic Signature
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
called it...There is
nothing else to do for you, except what you already provide, period!
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
smime.p7s
Description: S/MIME Cryptographic Signature
___
dev-security mailing
promised to shut up and wait for the UI team to put a proposal
forward...I shut up now ;-)
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
smime.p7s
Description: S/MIME Cryptographic Signature
___
dev-security mailing
General in agreement with you, so I'm
not sure if the domain name itself is the most important thing, because
the domain is in the address bar already and if that's not the correct
domain, than the browser already barks...
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
smime.p7s
Description: S/MIME Cryptographic Signature
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
by a participant on this list, is simply rejected by
you! So we might never agree with each other in that respect, but please
let me explain to others what I think would be the best for the Mozilla
browser. I believe that others are actually listening
--
Regards
Signer: Eddy Nigg, StartCom Ltd
!
And because neither Mozilla nor any other browser vendor would do this -
it remains a hollow phrase without meaning and teeth...
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
smime.p7s
Description: S/MIME Cryptographic Signature
?
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
smime.p7s
Description: S/MIME Cryptographic Signature
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
enabled web site
your browser has to download a CRL of a few megabytes and even beyond.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
smime.p7s
Description: S/MIME Cryptographic Signature
___
dev-security mailing list
dev
...There is something I'm missing here...
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
smime.p7s
Description: S/MIME Cryptographic Signature
___
dev-security mailing list
dev-security@lists.mozilla.org
https
and company estate) and then of
sudden there is none...Confusing, isn't it?
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
smime.p7s
Description: S/MIME Cryptographic Signature
___
dev-security mailing list
dev-security
]: GlobalSign
(http://www.globalsign.com/images/extended-validation-ssl.gif)
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
smime.p7s
Description: S/MIME Cryptographic Signature
___
dev-security mailing list
dev-security
.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
smime.p7s
Description: S/MIME Cryptographic Signature
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
studies paid by some CA showing how EV helps the
user...ala Get the Windows Facts...
In the meantime, let the various CA's do a really great job and make
some real good verifications based on the EV guidelines - without the
greenly incentive!
--
Regards
Signer: Eddy Nigg, StartCom Ltd
-security: Websites
webtools-security: Webtools
addons-security: addons.mozilla.org
updates-security: AUS
security: Everything else
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
smime.p7s
Description: S/MIME Cryptographic Signature
this information!
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
Michael Lefevre wrote:
On 2007-01-29, Gervase Markham [EMAIL PROTECTED] wrote:
dolphinling wrote:
The study, based on user testing, found that EV certificates don't
improve users' ability
...
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
smime.p7s
Description: S/MIME Cryptographic Signature
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
*equivalent *depending interpretation only*! *
We hope, that Mozilla has the ability to change that decision taken by
the CA/Browser Forum and get rid of the WebTust monopole which Microsoft
and perhaps other CA's maintain.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone
, not the rest
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
-020305.html
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
___
dev-security mailing list
dev
pishing sites. Certainly NOT the issue here. Is this
it, what you are trying to say?
[1]
http://news.netcraft.com/archives/2006/10/09/september_phishing_site_competition_winners.html
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
smime.p7s
Description: S/MIME Cryptographic Signature
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
this
contribution. This has nothing to do with CA dominance, but perhaps with
some knowledge on the subject, being it as a CA, Linux distributer and
with lots of contact with user/clients of such certificates. I hope ,
that this changes your impression!
--
Regards
Signer: Eddy Nigg, StartCom Ltd
smime.p7s
Description: S/MIME Cryptographic Signature
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
green color (after the
user got used to see it for a while when visiting their sites). Other
type of confusion could happen however, if the entities are legitimate
businesses and validated as such...
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
84 matches
Mail list logo