On Fri, 4 Nov 2016 10:30:00 +
Gervase Markham wrote:
> We need to recall that currently, SHA-1 issuance is not banned
> directly by Mozilla policy, but only by the BRs. And so we don't have
> a route to object to certs not covered by the BRs.
The March 2016 CA
On Friday, November 4, 2016 at 10:36:13 AM UTC-7, Gervase Markham wrote:
> Here is the spreadsheet I am using to track my analysis of the SHA-1
> issuances discovered in crt.sh:
>
> https://docs.google.com/spreadsheets/d/1s0zsDjkHkPpFPd9LCtaJDgra5hqmcHmRor_sHSLl5Yg/edit
>
> It includes notes
This is awesome. We're very excited to see Mozilla support CT.
How about:
1) What version of logs should Mozilla accept (do they have to comply with
the bis)? If they are compliant with the original spec, should they be
accepted until a certain date when they must transition to the new bis?
2)
在 2016年11月4日星期五 UTC+8下午8:20:11,Gervase Markham写道:
> CT is coming to Firefox. As part of that, Mozilla needs to have a set of
> CT policies surrounding how that will work. Like our root inclusion
> program, we intend to run our CT log inclusion program in an open and
> transparent fashion, such
Thanks Peter for the questions. The answers are listed below:
First, a couple of questions about DigiCert itself. The press release at
https://thomabravo.com/2015/10/22/thoma-bravo-completes-acquisition-of-majority-stake-in-digicert/
says that Thoma Bravo acquired a majority stake in DigiCert
Here is the spreadsheet I am using to track my analysis of the SHA-1
issuances discovered in crt.sh:
https://docs.google.com/spreadsheets/d/1s0zsDjkHkPpFPd9LCtaJDgra5hqmcHmRor_sHSLl5Yg/edit
It includes notes about each incident and my determination of what to
do. At the moment, bugs are open for
Hi Jeremy,
Thanks for posting this. Mozilla had been concerned for some time about
the level of BR compliance of the Verizon-controlled PKI and their
seeming difficulties in bringing their many sub-CAs into compliance.
When DigiCert approached us when researching the potential acquisition,
they
On 04/11/2016 15:42, Hanno Böck wrote:
On Fri, 4 Nov 2016 14:09:55 +0100
Jakob Bohm wrote:
* How do we allow organization internal non-public CAs to not reveal
their secret membership/server lists to public CT systems or
otherwise run the (administratively and
On Friday, November 4, 2016 at 4:49:28 AM UTC-7, Gervase Markham wrote:
> On 03/11/16 18:09, Andrew Ayer wrote:
> > This is just as bad as signing an actual cert with SHA-1.
>
> Add:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1315225 (Symantec)
>
> Gerv
I updated the bug to say that this
Well, these are logs. So:
- Is it necessary to require that log items can't be modified after they have
been created? (Or is that implied by the cryptography being used.) How about
deleted?
- Is is perhaps a good idea to require a certain minimum accuracy (or other
characteristics, timestamps
On Fri, Nov 04, 2016 at 12:19:32PM +, Gervase Markham wrote:
>
> * Do we want to require a certain number of SCTs for certificates of
> particular validity periods?
What happens to the SCT requirements if a log is distrusted? Is the
date of the distrust taking into account? Is that the same
On 4 November 2016 at 07:19, Gervase Markham wrote:
> * How do we decide when to un-trust a log? What reasons are valid
> reasons for doing so?
Do we want different types of distrust for a log? That is, a "We don't
trust you at all anymore" distrust vs a "We don't trust
On Fri, Nov 4, 2016 at 3:42 PM, Hanno Böck wrote:
>
> Isn't that already solved?
>
> Browsers already treat manually installed roots differently, e.g.
> bypassing key pinning. Chrome's CT requirements don't apply to locally
> installed roots.
>
> How about public technically
On Fri, 4 Nov 2016 14:09:55 +0100
Jakob Bohm wrote:
> * How do we allow organization internal non-public CAs to not reveal
> their secret membership/server lists to public CT systems or
> otherwise run the (administratively and technically) expensive
> processes required
Hi,
Great to see Mozilla committing to CT.
On Fri, 4 Nov 2016 12:19:32 +
Gervase Markham wrote:
> So, please add comments with additional _questions_ you think the
> policy will need to address. What the answers should be is (for now)
> off-topic.
Some meta-thought:
In
CT is coming to Firefox. As part of that, Mozilla needs to have a set of
CT policies surrounding how that will work. Like our root inclusion
program, we intend to run our CT log inclusion program in an open and
transparent fashion, such that the Internet community can see how it
works and how
On 03/11/16 18:09, Andrew Ayer wrote:
> This is just as bad as signing an actual cert with SHA-1.
Add:
https://bugzilla.mozilla.org/show_bug.cgi?id=1315225 (Symantec)
Gerv
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
For those wishing to contribute with comments/feedback, ENISA has
updated Draft Guidelines for TSPs implementing eIDAS.
https://www.enisa.europa.eu/topics/trust-services/guidelines/
Thank you,
Dimitris Zacharopoulos.
___
dev-security-policy mailing
On 03/11/16 21:17, Jakob Bohm wrote:
> Note that the GlobalSign SHA-1 intermediaries chain only to their old
> SHA-1 root which is (I believe) not used for any SHA-256 certs, except
> a cross-cert that signs their current SHA-256 root.
Nevertheless, it is still in Mozilla's trust store.
> So I
Hi Gerhard,
I realise you are upset with what Cloudflare has been doing, but having
considered the matter, I think the bottom line is that the only
reasonable position for Mozilla to take is "issuances which perform a
valid domain control check are OK". We can't go policing the terms of
service
On 04/11/2016 07:01, Nigel Jones wrote:
On 11/09/2016 12:37 AM, Han Yuwei wrote:
I am using Cloudflare's DNS service and I found that Cloudflare has
issued a certficate to their server including my domain. But I didn't
use any SSL service of theirs. Is that ok to Mozilla's policy?
Issued
21 matches
Mail list logo