On Tuesday, October 4, 2016 at 4:41:18 AM UTC-7, Rob Stradling wrote:
> Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates
> that we'd issued to WoSign:
>
> https://crt.sh/?id=3223853
> https://crt.sh/?id=12716343
> https://crt.sh/?id=12716433
>
> See also:
>
On Tue, Oct 4, 2016 at 6:29 AM, Rob Stradling wrote:
> On 04/10/16 13:18, Nick Lamb wrote:
>> On Tuesday, 4 October 2016 11:14:01 UTC+1, Rob Stradling wrote:
>>> Neither. I'd like to run cablint over all certs pre-issuance, but
>>> unfortunately it's not practical to
On 29/09/16 16:40, Gervase Markham wrote:
> Following the publication of the recent investigative report,
> representatives of Qihoo 360 and StartCom have requested a face-to-face
> meeting with Mozilla. We have accepted, and that meeting will take place
> next Tuesday in London.
This meeting
On 04/10/16 14:19, Nick Lamb wrote:
> That's why I proposed Mozilla might like to write this to CA/B or in
> a group CA communication, because I would be astonished if WoSign and
> Comodo are the only CAs to have such special "rules" that defeat the
> purpose of the validation step, or if this is
On 04/10/16 13:18, Nick Lamb wrote:
> On Tuesday, 4 October 2016 11:14:01 UTC+1, Rob Stradling wrote:
>> Neither. I'd like to run cablint over all certs pre-issuance, but
>> unfortunately it's not practical to do this yet because 1) cablint is
>> too slow and 2) there are some differences of
On Tuesday, 4 October 2016 12:21:47 UTC+1, Rob Stradling wrote:
> When we are required (by CABForum and/or root program requirements) to
> do , we will of course undertake to do .
>
> There are lots of s that we are already required to do. We
> haven't tended to issue a separate announcement
Hi,
There seem to be more certificates of that kind that weren't mentioned
in the incident report. Here's a .re / www.re certificate (expired
2015):
https://crt.sh/?id=4467456
Has Comodo checked its systems for other certificates of that kind? Can
you provide a full list of all such
On Tuesday, 4 October 2016 11:14:01 UTC+1, Rob Stradling wrote:
> Neither. I'd like to run cablint over all certs pre-issuance, but
> unfortunately it's not practical to do this yet because 1) cablint is
> too slow and 2) there are some differences of opinion that have been
> discussed at
Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates
that we'd issued to WoSign:
https://crt.sh/?id=3223853
https://crt.sh/?id=12716343
https://crt.sh/?id=12716433
See also:
https://bugzilla.mozilla.org/show_bug.cgi?id=906611#c2
On 06/09/16 11:11, Rob Stradling wrote:
> Hi
On 03/10/16 02:23, Nick Lamb wrote:
> Comodo's document never actually says that they're abolishing this "rule" as
> a result of Ballot 169. It lets you choose to draw that implication, by
> specifying that their current practices pre-date Ballot 169's changes, but it
> never says as much.
On Mon, Oct 3, 2016 at 9:44 PM, Peter Bowen wrote:
> On Mon, Oct 3, 2016 at 5:24 PM, Jakob Bohm wrote:
> > On 03/10/2016 20:41, Kyle Hamilton wrote:
> >> WoSign is known to be cross-signed by several independent CAs (as well
> as
> >
> >> 2. There is
On 02/10/16 17:49, Nick Lamb wrote:
> On Sunday, 2 October 2016 11:11:34 UTC+1, Patrick Figel wrote:
>> https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg04274.html
>
> Thanks, I too could not find this in Google Groups. That is a little
> concerning as I had assumed this
On 04/10/16 11:51, Kurt Roeckx wrote:
> On Tue, Oct 04, 2016 at 11:13:21AM +0100, Rob Stradling wrote:
>> On 04/10/16 07:10, Gervase Markham wrote:
>>> Does Comodo run cablint over all certificates post-issuance (or
>>> pre-issuance)?
>>
>> Neither. I'd like to run cablint over all certs
On Tue, Oct 04, 2016 at 11:13:21AM +0100, Rob Stradling wrote:
> On 04/10/16 07:10, Gervase Markham wrote:
>
> >> [4] https://crt.sh/?cablint=1+week
> >
> > This URL is a 404.
>
> Sorry, crt.sh is a bit under the weather right now. Someone submitted a
> batch of several million certs to the
On 04/10/16 07:10, Gervase Markham wrote:
>> [4] https://crt.sh/?cablint=1+week
>
> This URL is a 404.
Sorry, crt.sh is a bit under the weather right now. Someone submitted a
batch of several million certs to the Google CT logs, and this has
rather overwhelmed the replication between crt.sh's
Dear Erwann,
My answers inline marked with ***
On Thursday, 29 September 2016 11:45:39 UTC+2, Varga Viktor wrote:
> Dear Peter,
>
> I am deeply in ETSI process, so I can give some info:
>
> Formerly the ETSIs are based on
>
> *102042 for CAs
> *101456 for CAs issuing
On 04/10/16 01:00, Ángel González wrote:
> Not really. Their old roots could sign their new roots, which would
> be enough to make them work on the older devices where it worked. The
> cost of untrusting the old roots is probably similar to that of
> adding new roots, so that the effort of
Hi Kyle,
On 03/10/16 19:41, Kyle Hamilton wrote:
> WoSign is known to be cross-signed by several independent CAs (as well as 1
> CA which is no longer deemed to be independent). If it wished to bypass
> any attempt to distrust it, all it would have to do is be cross-signed by
> another CA.
Hi Robin,
Thank you for this report.
On 27/09/16 02:07, Robin Alden wrote:
> When we use an 'agreed-upon change to website' method to prove domain
> control, we consider proof of control of 'www.' as also
> proving control of '' (except where '' is a
> public suffix).
> We don't give any other
19 matches