Proposal: Advocate to get Section 9.3.1 (Reserved Certificate Policy Identifiers) made mandatory.

2014-07-23 Thread nick.lowe
It would be great to see Mozilla propose and advocate to have section 9.3.1 of the BRs, Reserved Certificate Policy Identifiers, made mandatory with the CA/Browser Forum. Presently this section of the BRs is only optional. The text as of revision 1.1.8 reads: 9.3.1 Reserved Certificate

Re: Problem (Error Code: sec_error_bad_der)

2014-07-23 Thread Erwann Abalea
On Tuesday, 22 July 2014 20:29:40 UTC+2, Kathleen Wilson wrote: [...] If your intranet site is still working with Firefox 30 and not with Nightly, it might be a side effect of our switch to mozilla::pkix as described on this wiki page:

Re: Proposal: Advocate to get Section 9.3.1 (Reserved Certificate Policy Identifiers) made mandatory.

2014-07-23 Thread Gervase Markham
On 23/07/14 10:06, nick.l...@lugatech.com wrote: The status quo today means that it is not possible to discriminate programmatically between a DV and OV certificate in a standardized, reliable way. This is because Mozilla's position is that, in security terms, there is no relevant difference.

Re: Proposal: Advocate to get Section 9.3.1 (Reserved Certificate Policy Identifiers) made mandatory.

2014-07-23 Thread nick.lowe
On Wednesday, July 23, 2014 8:50:38 PM UTC+8, Gervase Markham wrote: On 23/07/14 10:06, nick.l...@lugatech.com wrote: The status quo today means that it is not possible to discriminate programmatically between a DV and OV certificate in a standardized, reliable way. This is

Re: Proposal: Advocate to get Section 9.3.1 (Reserved Certificate Policy Identifiers) made mandatory.

2014-07-23 Thread nick.lowe
Sorry, I meant to write: It would be nice if Firefox could state that the certificate was DV or -OV- in a neutral way without making / implying any security difference.

RE: Proposal: Advocate to get Section 9.3.1 (Reserved Certificate Policy Identifiers) made mandatory.

2014-07-23 Thread Jeremy Rowley
Right - all adding the OIDs does is specify in the certificate which BR section was used to perform the validation. There isn't a security indicator attached. Jeremy

Re: Proposal: Advocate to get Section 9.3.1 (Reserved Certificate Policy Identifiers) made mandatory.

2014-07-23 Thread Jeremy Rowley
Ryan Hurst wrote a blog post on this very topic not too long ago. His conclusion was that determining, programmatically, the difference was difficult. See http://unmitigatedrisk.com/?p=203. This is mostly because there are some certs that still include a domain in the org field. Requiring a

Re: Proposal: Advocate to get Section 9.3.1 (Reserved Certificate Policy Identifiers) made mandatory.

2014-07-23 Thread Moudrick M. Dadashov
Having these identifiers takes us a long way towards our goal of deterministic evaluation of certificate issuance policy — that said not all CAs have adopted them which is technically alright since the Baseline Requirements do allow them to use their own Policy Identifiers. This is what Ryan

RE: Proposal: Advocate to get Section 9.3.1 (Reserved Certificate Policy Identifiers) made mandatory.

2014-07-23 Thread Robin Alden
+1 Robin

Re: Proposal: Switch generic icon to negative feedback for non-https sites

2014-07-23 Thread Jernej Simončič
On Tue, 22 Jul 2014 12:24:30 -0700, Brian Smith wrote: Having said all of that, I remember that Mozilla did some user research ~3 years ago that showed that when we show a negative security indicator like the broken lock icon, a significant percentage of users interpreted the problem to lie