Re: OneCRL

2016-11-16 Thread Adrian R.
Is there any way of allowing users to add locally on their machine a certificate to the OneCRL scope? (But don't allow local scope to override the Mozilla-published one - it should always have priority.) Back in September I revoked locally on my machine the WoSign roots and I tried to use the

OneCRL

2016-11-16 Thread Gervase Markham
OneCRL is Mozilla's push-based revocation system. Up to now, it's been a little bit opaque. Thanks to the ever-excellent Rob Stradling, we now have a web page showing all the certs in OneCRL: https://crt.sh/mozilla-onecrl This shows what's on it, and information about why by linking to the

Re: SHA-1 Phase-out

2016-11-16 Thread Gervase Markham
On 16/11/16 09:08, Kurt Roeckx wrote: > The other option would be that Firefox adds an option to allow SHA-1 for > things that are in the trust store but are not in the default trust store. AIUI, that is going to be the default behaviour. Gerv

Re: Technically Constrained Sub-CAs

2016-11-16 Thread Jakob Bohm
On 16/11/2016 02:13, Nick Lamb wrote: On Tuesday, 15 November 2016 09:35:17 UTC, Jakob Bohm wrote: The HTTPS-everywhere tendency, including the plans of some people to completely remove unencrypted HTTP from implementations, makes it necessary for non-public stuff connected to the Internet to

Re: Include Symantec-brand Class 1 and Class 2 Root Certs

2016-11-16 Thread Jakob Bohm
On 16/11/2016 00:58, Kathleen Wilson wrote: This request from Symantec is to only enable the Email trust bit for the following 4 root certificates that will eventually replace the VeriSign-brand class 1 and 2 root certs that are currently included in NSS. 1) Symantec Class 1 Public Primary

Re: UI Improvement in Certificate details

2016-11-16 Thread Dimitris Zacharopoulos
On 16/11/2016 10:51 AM, Ryan Sleevi wrote: And the bug you want is https://bugzilla.mozilla.org/show_bug.cgi?id=500333 Thanks for the help. We'll try to revive it :) Dimitris. On Wed, Nov 16, 2016 at 12:47 AM, Ryan Sleevi wrote: The module you want is PSM. The code you

Re: SHA-1 Phase-out

2016-11-16 Thread Kurt Roeckx
On 2016-11-15 18:00, Peter Bowen wrote: On Tue, Nov 15, 2016 at 7:25 AM, Kurt Roeckx wrote: - If it's an enterprise root they need to switch to SHA-2 This is a lot easier said than done for many organizations. Depending on the CA software this might be a small configuration

Re: UI Improvement in Certificate details

2016-11-16 Thread Ryan Sleevi
And the bug you want is https://bugzilla.mozilla.org/show_bug.cgi?id=500333 On Wed, Nov 16, 2016 at 12:47 AM, Ryan Sleevi wrote: > The module you want is PSM. > > The code you want to submit a patch to is >

Re: UI Improvement in Certificate details

2016-11-16 Thread Ryan Sleevi
The module you want is PSM. The code you want to submit a patch to is https://dxr.mozilla.org/mozilla-central/source/security/manager/ssl/nsNSSCertHelper.cpp#242 On Tue, Nov 15, 2016 at 11:54 PM, Dimitris Zacharopoulos wrote: > > Li-Chun CHEN from Chunghwa Telecom would like