On Friday, 7 October 2016 21:11:01 UTC+1, Han Yuwei wrote:
> About the auditor Ernst & Young (Hong Kong), I don't understand how did it(?)
> involved this. Can someone explain that?
Management of a public CA are obliged to state periodically that they understand
and obey various rules for
On Monday, 26 September 2016 at 10:21:13 PM UTC+8, Gervase Markham wrote:
> Today, Mozilla is publishing an additional document containing further
> research into the back-dating of SHA-1 certificates, in violation of the
> CAB Forum Baseline Requirements, to avoid browser blocks. It also
> contains some conclusions we
On 07/10/2016 19:25, Andrew Ayer wrote:
On Fri, 7 Oct 2016 12:12:58 +0100
Gervase Markham wrote:
* WoSign and StartCom are to be legally separated, with the corporate
structure changed such that Qihoo 360 owns them both individually,
rather than WoSign owning StartCom.
*
On Friday, 7 October 2016 at 7:13:42 PM UTC+8, Gervase Markham wrote:
> As noted by Richard Wang, WoSign have just published an updated Incident
> Report:
> https://www.wosign.com/report/WoSign_Incident_Report_Update_07102016.pdf
>
> I think we are now in a position to discuss whether the plan proposed here:
>
On 07/10/2016 19:14, Kathleen Wilson wrote:
On Thursday, October 6, 2016 at 4:27:10 PM UTC-7, Peter Bowen wrote:
On Thu, Oct 6, 2016 at 3:57 PM, Richard Barnes wrote:
I seem to recall we had some discussion a while back about what criteria
should be applied to email CAs. Where did we end up
On Thursday, October 6, 2016 at 4:27:10 PM UTC-7, Peter Bowen wrote:
> On Thu, Oct 6, 2016 at 3:57 PM, Richard Barnes wrote:
> > I seem to recall we had some discussion a while back about what criteria
> > should be applied to email CAs. Where did we end up on that?
>
> I don't believe anything
On Friday, October 7, 2016 at 9:10:29 AM UTC-7, Gervase Markham wrote:
> I should start by reiterating what you already know, but might be a
> useful reminder for others - no agreement has been made between Mozilla
> and Qihoo/StartCom/WoSign. We gave them advice on what we thought the
> community
Hi Ryan,
I should start by reiterating what you already know, but might be a
useful reminder for others - no agreement has been made between Mozilla
and Qihoo/StartCom/WoSign. We gave them advice on what we thought the
community might like to see, but they are responsible for their plan,
and the
On Friday, October 7, 2016 at 4:13:42 AM UTC-7, Gervase Markham wrote:
> As noted by Richard Wang, WoSign have just published an updated Incident
> Report:
> https://www.wosign.com/report/WoSign_Incident_Report_Update_07102016.pdf
>
> I think we are now in a position to discuss whether the plan
On 06/10/16 06:46, Peter Bowen wrote:
> I think we can all look back with 20/20 hindsight and say that device
> vendors should not use the same roots as browsers and that maybe CAs
> should have created "SHA-1 forever" roots for devices that never plan
> to update, but that is great hindsight. We
On 07/10/16 13:23, Jakob Bohm wrote:
> On 07/10/2016 13:12, Gervase Markham wrote:
>> ... * WoSign agrees it should have been more forthcoming about its
>> purchase of StartCom, and announced it earlier.
>>
>> * WoSign and StartCom are to be legally separated, with the
>> corporate structure
On 07/10/16 12:23, Jakob Bohm wrote:
> As an outsider, here is one question: If StartCom has not yet decided
> on a technical separation plan, could one acceptable option for such a
> plan be to reactivate the old (pre-acquisition) infrastructure and
> software and take it from there?
>
> An
On 07/10/2016 13:12, Gervase Markham wrote:
...
* WoSign agrees it should have been more forthcoming about its purchase
of StartCom, and announced it earlier.
* WoSign and StartCom are to be legally separated, with the corporate
structure changed such that Qihoo 360 owns them both individually,
On 07/10/16 12:12, Gervase Markham wrote:
> Mozilla is minded to agree that it is reasonable to at least consider
> the two companies separately, although that does not preclude the
> possibility that we might decide to take the same action for both of
> them. Accordingly, Mozilla continues to
As noted by Richard Wang, WoSign have just published an updated Incident
Report:
https://www.wosign.com/report/WoSign_Incident_Report_Update_07102016.pdf
I think we are now in a position to discuss whether the plan proposed here:
Hi Gerv,
This is the updated incident report:
https://www.wosign.com/report/WoSign_Incident_Report_Update_07102016.pdf .
Thanks.
Regards,
Richard
-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On
Behalf Of
On 06/10/16 15:22, Jakob Bohm wrote:
> Good, now communicate it.
Companies should be talking to their CAs, who will offer this service if
they have it.
Gerv
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
On 06/10/16 20:38, Ryan Sleevi wrote:
> Do you have any further updates regarding this plan? This seems to
> have stalled any further discussions about next steps.
I am a little surprised it hasn't appeared by now. We did not agree a
specific deadline, but my impression was that it would appear
On 07/10/16 04:21, Peter Gutmann wrote:
> That still doesn't necessarily answer the question, Google have their CRLSets
> but they're more ineffective than effective in dealing with revocations
> (according to GRC, they're 98% ineffective,
> https://www.grc.com/revocation/crlsets.htm).
That
On Fri, Oct 07, 2016 at 03:21:48AM +, Peter Gutmann wrote:
> Kurt Roeckx writes:
>
> >This is why browsers have something like OneCRL, so that they actually do
> >know about it and why Rob added that information to the bug tracker (
>