To be transparent, WoSign are NOT "acquiring the HARICA root"; we have NEVER
contacted HARICA, and we don't think our brand is "tarnishing"; we are working
hard to try to regain the trust and confidence in this community.
Best Regards,
Richard
-Original Message-
From:
On Thursday, March 30, 2017 at 10:35:37 AM UTC-7, Kathleen Wilson wrote:
> Within the next few days, we plan to start sending automated email reminders
> to CAs about their intermediate cert records in the Common CA Database that
> are missing audit or CP/CPS information.
>
> The email template
Doesn't Chrome's behaviour already "penalise" plaintext HTTP? You can't build a
login form, or use shiny new features.
We aren't where we'd ideally be, everybody is agreed about that. That's not the
same thing as agreeing our direction of travel is wrong.
I am far from home reduced to using
All,
Within the next few days, we plan to start sending automated email reminders to
CAs about their intermediate cert records in the Common CA Database that are
missing audit or CP/CPS information.
The email template is here:
On 2017-03-30 23:30, Alex Gaynor via dev-security-policy wrote:
>>> 1. HTTP
>>> 2. "I explicitly asked for security and didn't get it" (HTTPS with no
>>> validation)
>>> 3. HTTPS
>
> You're not wrong that (2) is better than (1). It's also indistinguishable
> from a downgrade attack from (3).
But
On Sunday, March 26, 2017 at 11:48:43 PM UTC-4, wangs...@gmail.com wrote:
> We compiled an analysis document on our CP/CPS’s Compliance with the BRs for
> everyone to review and comment. You can find the document at the following
> address of the
>
By "not new", are you referring to Google being the second(?) instance where a
company has purchased an individual root cert from another company? It's fair
enough to say that Google isn't the first but I'm not aware of any commentary
or airing of opposing viewpoints as to the suitability of
On 30/03/17 13:11, Gervase Markham via dev-security-policy wrote:
> On 28/03/17 12:21, Rob Stradling wrote:
>> Increased attack surface. An undisclosed dormant sub-CA most likely has
>> its private key in an online HSM, and so I think it's prudent to assume
>> that it's more vulnerable (to being
On 28/03/17 12:21, Rob Stradling wrote:
> Increased attack surface. An undisclosed dormant sub-CA most likely has
> its private key in an online HSM, and so I think it's prudent to assume
> that it's more vulnerable (to being compromised by an attacker, or to
> being accidentally used to misissue
Right. It is then.
It says private keys can only be stored with permission of the subscriber and
encryption must always be used to transfer them. And of course the certificate
must be revoked if/when it becomes known that a private key has gotten to the
wrong person.
Well... NOT my private
On 29/03/17 20:42, Jakob Bohm wrote:
> That goal would be equally (in fact better) served by new market
> entrants getting cross-signed by incumbents, like Let's encrypt did.
Google will be issuing from Google-branded intermediates under the
ex-GlobalSign roots. So the chains would be basically
11 matches