Re: Short-lived certs

2014-09-17 Thread Gervase Markham
On 16/09/14 23:13, Richard Barnes wrote: From a browser perspective, I don't care at all whether certificates are excused from containing revocation URLs if they're sufficiently short lived. From a technical perspective, that is true. However, if we have an interest in making short-lived certs a

Re: Short-lived certs

2014-09-17 Thread Kurt Roeckx
On 2014-09-17 09:25, Gervase Markham wrote: A short-lived cert _without_ an OCSP URI also works with legacy browsers. Unless you are using some other definition of works? A browser could perfectly reject a certificate that doesn't comply with the BR because the required OCSP URI is missing.

Re: Short-lived certs

2014-09-17 Thread Brian Smith
On Wed, Sep 17, 2014 at 12:25 AM, Gervase Markham g...@mozilla.org wrote: On 16/09/14 23:13, Richard Barnes wrote: From a browser perspective, I don't care at all whether certificates are excused from containing revocation URLs if they're sufficiently short lived. From a technical perspective,

RE: Short-lived certs

2014-09-17 Thread Jeremy Rowley
I agree that we should reduce the validity period of OCSP responses and also that must-staple is a high priority. 10-day responses are way too long (although I doubt any CAs are actually doing 10 days). Mozilla appears to be considering their entire revocation policy at this time, including

Re: Audits of CA conformance to the BRs

2014-09-17 Thread Kurt Roeckx
On 2014-09-17 00:52, Kathleen Wilson wrote: https://wiki.mozilla.org/CA:BaselineRequirements#Whole-Population_Audit_of_Intermediate_Certs I really like this section, it makes things clear. https://wiki.mozilla.org/CA:BaselineRequirements#WebTrust_BR_Audit_Statement

Indicators for high-security features

2014-09-17 Thread Richard Barnes
Hey all, Anne suggested an idea to me that I thought would be interesting for this group. Consider this email a rough sketch of an idea, not any sort of plan. There are a bunch of security features right now that I think we all agree improve security over and above just using HTTPS: -- HTTP

Re: SHA1

2014-09-17 Thread Kathleen Wilson
On 9/6/14, 8:38 AM, Kosuke Kaizuka wrote: On Sat, 06 Sep 2014 16:34:06 +0200, Sjw wrote: Hi everyone, at present there are a lot of articles stating that the weak SHA1 certificates with a long duration will be marked as weak/insecure in some browsers soon and in a few years they won't be accepted

Re: Indicators for high-security features

2014-09-17 Thread sjw
Hi, I would support your idea, but it's quite hard to implement it. If a server uses TLS 1.2 and HSTS, you still don't know if the connection is really secure. But it would be easier if Firefox would show more details about protocol, ciphers etc. On 17.09.2014 at 17:20, Richard Barnes wrote: