On Tue, Sep 13, 2016 at 07:04:31AM -0700, Han Yuwei wrote:
> On Tuesday, September 13, 2016 at 7:12:22 PM UTC+8, Matt Palmer wrote:
> > On Mon, Sep 12, 2016 at 08:38:00PM -0700, Han Yuwei wrote:
> > > On Tuesday, September 13, 2016 at 8:07:31 AM UTC+8, Matt Palmer wrote:
> > > I am the owner of BUPT.MOE and I just use DNS service.
> >
> > And you
On Monday, September 12, 2016 at 2:46:40 PM UTC-7, Ryan Sleevi wrote:
> On Wednesday, August 31, 2016 at 12:43:50 PM UTC-7, Nick Lamb wrote:
> > I have spent some time thinking about this, but I am only one person, and
> > one with relatively little in-depth knowledge of the Mozilla project, so I
On 13/09/2016 16:56, Peter Bowen wrote:
On Tue, Sep 13, 2016 at 7:53 AM, Ryan Sleevi wrote:
We also see a variety of domains using certs from either for purposes that are
ostensibly not relevant to browsers - a frequent dead give-away is a cert for
autodiscover.[example.com] - which is an Exc
On 13/09/2016 16:47, Ryan Sleevi wrote:
On Monday, September 12, 2016 at 8:30:07 PM UTC-7, Jakob Bohm wrote:
A variation of this, would be to create (compacted) whitelists for
specific old intermediary certs,
It sounds like you haven't been following this conversation, but the entire
point of
(Apologies for shortness and lack of context. My home is being redecorated so
no non-work PCs powered on)
Ryan's example doesn't work, autodiscover is a sign of MS Exchange but that
means OWA Outlook Web Access may be enabled. Which means web browsers see that
certificate.
On Tuesday, September 13, 2016 at 7:56:20 AM UTC-7, Peter Bowen wrote:
> I would be careful reading too much into server names.
> mail.[example.com] might host web based email access. For example,
> I'm typing this into a site called mail.google.com :)
Apologies that the conjunctive and was not c
On Tue, Sep 13, 2016 at 7:53 AM, Ryan Sleevi wrote:
> We also see a variety of domains using certs from either for purposes that
> are ostensibly not relevant to browsers - a frequent dead give-away is a cert
> for autodiscover.[example.com] - which is an Exchange AutoConfiguration
> server not
On Monday, September 12, 2016 at 8:30:07 PM UTC-7, Jakob Bohm wrote:
> A variation of this, would be to create (compacted) whitelists for
> specific old intermediary certs,
It sounds like you haven't been following this conversation, but the entire
point of restarting this thread, and in the pre
On Tuesday, September 13, 2016 at 7:04:56 AM UTC-7, Peter Bowen wrote:
> There is a huge unknown for both of these, and that is StartCom's true
> number of issued certs and domains. As far as I know, StartCom has
> not logged all their 2015 certs and is probably missing some early
> 2016 as well.
On Monday, September 12, 2016 at 8:01:36 PM UTC-7, Peter Bowen wrote:
> I'm trying to think of this as potentially reusable code. Just
> because IssuerA is quasi-trusted for example.com doesn't mean IssuerB
> should be. From a logic perspective, setting the whitelist per issuer
> means you are ba
On Mon, Sep 12, 2016 at 2:46 PM, Ryan Sleevi wrote:
>
> Consider if we start with the list of certificates issued by StartCom and
> WoSign [...] Extract the subjectAltName from every one of these certificates,
> and then compare against the Alexa Top 1M. This yields more than 60K
> certificates
On Tuesday, September 13, 2016 at 7:12:22 PM UTC+8, Matt Palmer wrote:
> On Mon, Sep 12, 2016 at 08:38:00PM -0700, Han Yuwei wrote:
> > On Tuesday, September 13, 2016 at 8:07:31 AM UTC+8, Matt Palmer wrote:
> > > If Cloudflare *was*, in fact, obtaining certificates on behalf of all its
> > > DNS-using (only) customers on the "off chance" that they
On Mon, Sep 12, 2016 at 08:38:00PM -0700, Han Yuwei wrote:
> On Tuesday, September 13, 2016 at 8:07:31 AM UTC+8, Matt Palmer wrote:
> > If Cloudflare *was*, in fact, obtaining certificates on behalf of all its
> > DNS-using (only) customers on the "off chance" that they might want to use
> > their proxy services in the fut
On 13/09/2016 11:50, Gervase Markham wrote:
On 12/09/16 19:02, Jakob Bohm wrote:
Wouldn't this fall under the general auditable requirement of being
careful in their practices and procedures.
Ask an auditor, and they will tell you that "be careful" is not an
auditable requirement.
I know fr
On 13/09/2016 11:50, Gervase Markham wrote:
Hi Jakob,
On 12/09/16 18:30, Jakob Bohm wrote:
Our current evidence seems to be an unfortunate mix of actual issues
(such as the github.io certificates), and semi-irrelevant smear, which
means we will need to separate the chaff from the wheat before M
On 12/09/16 19:02, Jakob Bohm wrote:
> Wouldn't this fall under the general auditable requirement of being
> careful in their practices and procedures.
Ask an auditor, and they will tell you that "be careful" is not an
auditable requirement.
Gerv
Hi Jakob,
On 12/09/16 18:30, Jakob Bohm wrote:
> Our current evidence seems to be an unfortunate mix of actual issues
> (such as the github.io certificates), and semi-irrelevant smear, which
> means we will need to separate the chaff from the wheat before Mozilla
> has a good basis for any decisio