On Thu, May 26, 2016 at 1:58 PM, Phillip Hallam-Baker
wrote:
> What has encryption got to do with it?
The "bad" raised was unrelated to certificates, publicly trusted or
otherwise. As Nick also pointed out, a number of the "bad" is just as
accomplish through other means independent of certificate
You are right to point out that many of those scenarios could be accomplished
with a self-signed cert or indeed no cert at all. The decision to use a good
cert or the likelihood of a good cert being used in any given scenario is not
necessarily that important. What matters is that once we find a
> On Thu, May 26, 2016 at 6:17 PM, Kathleen Wilson
> wrote:
>
>> Hi All,
>>
>> I have been asked if it is OK to post job listings in
>> mozilla.dev.security.policy. Surprisingly, I don't recall ever being asked
>> that question before, and I am not aware of a written policy about the
>> content o
I could tolerate a policy like that, and it's always possible to revisit it
if it turns out to be abused, or causes people to unsubscribe (which I
would recommend Mozilla watching, especially right after postings go out).
One suggested change:
> * The Subject of the posting begins with "Job: "
I
Symantec has disclosed several subCAs via Salesforce and indicated that
these subCAs have the same audit as their parent, however the audit
statement they link
(https://cert.webtrust.org/SealFile?seal=1565&file=pdf) has a table of
"In-Scope CAs" which does not appear to include the following su
Hi All,
I have been asked if it is OK to post job listings in
mozilla.dev.security.policy. Surprisingly, I don't recall ever being asked that
question before, and I am not aware of a written policy about the content of
postings to mozilla.dev.security.policy.
So, here is a proposal:
~~
Jobs ma
On Thu, May 26, 2016 at 12:23 PM, Ryan Sleevi wrote:
> On Thu, May 26, 2016 at 7:40 AM, Peter Kurrasch wrote:
> > My suggestion is to frame the issue as: What is reasonable to expect of a
> > CA if somebody sees bad stuff going on? How should CA's be notified? What
> > sort of a response is w
On Thursday, 26 May 2016 15:40:35 UTC+1, Peter Kurrasch wrote:
> I might use a perfectly good cert in a "bad" way:
Maybe it's worthwhile to consider what happens instead if we live under a
regime (whether legally enforced or just de facto because of choices made by
browser vendors) where you ca
On Thu, May 26, 2016 at 7:40 AM, Peter Kurrasch wrote:
> My suggestion is to frame the issue as: What is reasonable to expect of a
> CA if somebody sees bad stuff going on? How should CA's be notified? What
> sort of a response is warranted and in what timeframe? What guidelines
> should CA's use
It strikes me that some people might not have a good idea how people use certs to do bad things. As the token bad guy in this forum I'll take it upon myself to share some examples of how I might use a perfectly good cert in a "bad" way:
* Create a phishing site to harvest login credentials from u
On Thursday 26 May 2016 05:13:43 Peter Gutmann wrote:
> Richard Z writes:
> >If any criminal can easily get EV certificates what is the point of
> >https?
> The point of HTTPS is twofold:
>
> 1. Convince users that the Internet is safe to do business on
> (financial transfers, medical data).
>
>
On Wed, May 25, 2016 at 6:50 AM, wrote:
> If I understand you correctly, you are saying that CAs should not be doing
> any "internet policing" or "content policing" when they receive credible
> reports their certs are being used by phishers, malware providers, etc. --
> but that browsers can a
On Wed, May 25, 2016 at 10:13 PM, Peter Gutmann
wrote:
> Richard Z writes:
>
>>If any criminal can easily get EV certificates what is the point of https?
>
> The point of HTTPS is twofold:
>
> 1. Convince users that the Internet is safe to do business on (financial
> transfers, medical data).
13 matches