Exactly that??s the meaning of ??entitle??.
Based on the interpretation, I understand that when a firefighter is on a
vocation, even a fire breaks next to him, it??s of his choice to go hiking, fly
kites whatever as he may only be entitled on weekdays rather than in a
vocation.
IMO, the point o
As you have quoted it, Let's Encrpyt's CPS says:
"the CA is *entitled* to revoke the certificate"
The key word is "entitled." Meaning that Let's Encrypt may revoke the
certificate if they chose, but are not required to. Therefore not revoking
the certificate is compatible with their CPS.
It's im
According to what I??ve known,
??Acknowledgment and Acceptance: An acknowledgment and acceptance that the CA
is entitled to revoke the certificate immediately if the Applicant were to
violate the terms of the Subscriber or Terms of Use Agreement or if the CA
discovers that the Certificate is b
On Fri, Feb 24, 2017 at 03:09:10AM +, Richard Wang via dev-security-policy
wrote:
> Do you think this site is an authentic site from Microsoft?
> If it is a fake site, then CA should revoke the issued certificate.
Why?
- Matt
___
dev-security-poli
Do you think this site is an authentic site from Microsoft?
If it is a fake site, then CA should revoke the issued certificate.
Best Regards,
Richard
-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On
Behalf Of Matt P
On Fri, Feb 24, 2017 at 01:12:38AM +, Richard Wang via dev-security-policy
wrote:
> I am sure this site: https://www.microsoftonline.us.com/ is a phishing site
> and a fade office 365 site that I wish LE can revoke this cert.
Why? It works just fine over HTTP, too.
- Matt
On Thu, Feb 23, 2017 at 5:16 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> For example, in a certificate request, while the attacker can "choose"
> such a bunch of bits in the public key, the value also has to be a valid
> public key for which the attack
Well, they found a way to do it with somewhat "ordinary" computers
running for an actually doable period of time.
And they chose a prefix for its real world usefulness, not for matching
any specific property of the SHA-1 algorithm or its weakness. Their
paper explains (with some wisely omitted
I am sure this site: https://www.microsoftonline.us.com/ is a phishing site and
a fade office 365 site that I wish LE can revoke this cert.
Best Regards,
Richard
-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On
This list hosted an extensive discussion on this issue in May of 2016,
subject line "SSL Certs for Malicious Websites":
https://groups.google.com/d/topic/mozilla.dev.security.polic
y/vMrncPi3tx8/discussion
Most (all?) of the people on this thread participated on that one, and said
most (all?) of
By and large I'd say that Matt's no's should instead be yes's. If we adopt the
standpoint that releasing a domain is equivalent to saying "I no longer use
that name" then a revocation is equivalent to adding "...and anyone who does
use that name must surely be an imposter."
In other words, we s
On Thu, Feb 23, 2017 at 03:55:43AM +, Richard Wang via dev-security-policy
wrote:
> If "apple", "google", "Microsoft" is not a high risk domain, then I don’t
> know which domain is high risk domain, maybe only "github".
That's kinda the problem: you don't know, and neither does anyone else,
On Thu, Feb 23, 2017 at 01:55:40AM -0800, Nick Lamb via dev-security-policy
wrote:
> 1. Neither registries nor registrars in the DNS system would ordinarily
> have control over the existence of sub-domains. In some cases the whole
> _purpose_ of the registration is to create such sub-domains with
identical prefix, not chosen prefix. I was more interested in an SHA-1
collision ASIC.
From: dev-security-policy
on
behalf of Adrian R. via dev-security-policy
Sent: Thursday, February 23, 2017 8:26:10 AM
To: mozilla-dev-security-pol...@lists.mozilla.o
On 22/02/17 17:08, Richard Wang wrote:
> I think "apple-id-2.com" is a high risk domain that must be blocked to issue
> DV SSL to those domains.
I don't represent Let's Encrypt, but their policy on such things is
relevant to this discussion, and it is here:
https://letsencrypt.org/2015/10/29/phis
Hello
i just saw this in the news... a SHA-1 collision has been achieved.
https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/
proof site: https://shattered.io/
authors:
Marc Stevens (1), Elie Bursztein (2), Pierre Karpman (1), Ange Albertin
Forwarded Message
Subject: Summary of February 2017 Audit Reminder Emails
Date: Tue, 21 Feb 2017 20:00:51 + (GMT)
Mozilla: Audit Reminder
Root Certificates:
ISRG Root X1
Standard Audit: https://cert.webtrust.org/SealFile?seal=1987&file=pdf
Audit Statement Date: 2015-12-15
On Thursday, 23 February 2017 01:11:54 UTC, Richard Wang wrote:
> https://crt.sh/?id=65208905 for google.ligboy.org
Without wanting to jump on this pre-existing dogpile:
This specific example is illustrative of two important factors that should be
considered in examining the threat here:
1. N
I'm sorry, I'm still a little confused about how to understand your
response.
I can't tell if you're discussing in the abstract - as in, you don't know
how an Delegated Third Party would ever meet that definition, due to the
absence of "auditing standards that underlie the accepted audit schemes
f
19 matches
Mail list logo