Re: Requirements for CNNIC re-application

2015-04-14 Thread Rob Stradling
On 14/04/15 12:38, Kurt Roeckx wrote: On 2015-04-14 01:15, Peter Kurrasch wrote: Let's use an example. Suppose CNNIC issues a cert for whitehouse[dot]gov and let's further suppose that CNNIC includes this cert in the CT data since they have agreed to do that. What happens next? What I've been

Re: Requirements for CNNIC re-application

2015-04-14 Thread Kurt Roeckx
On 2015-04-14 13:54, Rob Stradling wrote: On 14/04/15 12:38, Kurt Roeckx wrote: On 2015-04-14 01:15, Peter Kurrasch wrote: Let's use an example. Suppose CNNIC issues a cert for whitehouse[dot]gov and let's further suppose that CNNIC includes this cert in the CT data since they have agreed to

CAA (was Re: Requirements for CNNIC re-application)

2015-04-14 Thread Rob Stradling
On 14/04/15 13:09, Kurt Roeckx wrote: On 2015-04-14 13:54, Rob Stradling wrote: On 14/04/15 12:38, Kurt Roeckx wrote: On 2015-04-14 01:15, Peter Kurrasch wrote: Let's use an example. Suppose CNNIC issues a cert for whitehouse[dot]gov and let's further suppose that CNNIC includes this cert in

Re: Propose Removal of E-Guven root

2015-04-14 Thread yuhongbao_386
On Thursday, March 19, 2015 at 1:02:06 PM UTC-7, Peter Bowen wrote: On Wed, Mar 18, 2015 at 12:40 PM, Kathleen Wilson kwil...@mozilla.com wrote: I propose removing the following root cert from NSS, due to inadequate audit statements. Issuer: CN = e-Guven Kok Elektronik Sertifika Hizmet

Re: What is the security benefit of certificate transparency?

2015-04-14 Thread Peter Kurrasch
I'm not sure I agree with this metaphor because someone still will review the speed camera data and pass judgment. Who will be doing that for CT? The other problem is that in a speed camera situation there is a documented procedure for dealing with violators. Has anyone made a public

Re: Requirements for CNNIC re-application

2015-04-14 Thread Matt Palmer
On Tue, Apr 14, 2015 at 01:38:55PM +0200, Kurt Roeckx wrote: On 2015-04-14 01:15, Peter Kurrasch wrote: Let's use an example. Suppose CNNIC issues a cert for whitehouse[dot]gov and let's further suppose that CNNIC includes this cert in the CT data since they have agreed to do that. What

Re: Requirements for CNNIC re-application

2015-04-14 Thread Gervase Markham
On 14/04/15 00:15, Peter Kurrasch wrote: Let's use an example. Suppose CNNIC issues a cert for whitehouse[dot]gov presumably without permission ;-)... and let's further suppose that CNNIC includes this cert in the CT data since they have agreed to do that. What happens next? If no-one

Re: Requirements for CNNIC re-application

2015-04-14 Thread Gervase Markham
On 14/04/15 01:19, Matt Palmer wrote: I'm not a fan of browser-imposed name constraints on CAs, at a philosophical level. An important principle of the Mozilla root program, IMO, is that it works for the public good (insofar as the public is represented by users of Mozilla products). A name

What is the security benefit of certificate transparency?

2015-04-14 Thread Peter Kurrasch
Breaking this part of the discussion out of the CNNIC thread So, to paraphrase, the security benefit to CT is on par with posting speed limits along a highway: if you're going to break the rules, don't get caught. And if you do get caught, have a good excuse--although in the case of CT

Re: What is the security benefit of certificate transparency?

2015-04-14 Thread Peter Kurrasch
So basically we have: if you mis-issue an end-entity cert and don't update the CT logs, the cert won't work; mis-issue the cert and update the logs with the mis-issuance and everything works just fine. As you say, someone might notice it and say something but there is also a chance that