On 16/09/14 23:13, Richard Barnes wrote:
From a browser perspective, I don't care at all whether certificates
are excused from containing revocation URLs if they're sufficiently short
lived.
From a technical perspective, that is true. However, if we have an
interest in making short-lived certs a
On 2014-09-17 09:25, Gervase Markham wrote:
A short-lived cert _without_ an OCSP URI also works with legacy
browsers. Unless you are using some other definition of works?
A browser could perfectly reject a certificate that doesn't comply with
the BR because the required OCSP URI is missing.
On Wed, Sep 17, 2014 at 12:25 AM, Gervase Markham g...@mozilla.org wrote:
On 16/09/14 23:13, Richard Barnes wrote:
From a browser perspective, I don't care at all whether certificates
are excused from containing revocation URLs if they're sufficiently short
lived.
From a technical perspective,
I agree that we should reduce the validity period of OCSP responses and also
that must staple is a high priority. 10-day responses are way too long
(although I doubt any CAs are actually doing 10 days).
Mozilla appears to be considering their entire revocation policy at this time,
including
On 2014-09-17 00:52, Kathleen Wilson wrote:
https://wiki.mozilla.org/CA:BaselineRequirements#Whole-Population_Audit_of_Intermediate_Certs
I really like this section, it makes things clear.
https://wiki.mozilla.org/CA:BaselineRequirements#WebTrust_BR_Audit_Statement
Hey all,
Anne suggested an idea to me that I thought would be interesting for this
group. Consider this email a rough sketch of an idea, not any sort of plan.
There are a bunch of security features right now that I think we all agree
improve security over and above just using HTTPS:
-- HTTP
On 9/6/14, 8:38 AM, Kosuke Kaizuka wrote:
On Sat, 06 Sep 2014 16:34:06 +0200, Sjw wrote:
Hi everyone
At present, there are a lot of articles saying that the weak SHA1 certificates
with a long duration will be marked as weak/insecure in some browsers
soon and in a few years they won't be accepted
Hi
I would support your idea, but it's quite hard to implement it. If a
server uses TLS 1.2 and HSTS, you still don't know if the connection is
really secure.
But it would be easier if Firefox would show more details about
protocol, ciphers etc.
On 17.09.2014 at 17:20, Richard Barnes wrote: