thanks
Sent from NetEase Mail Master
On 2017-05-03 10:15, Jakob Bohm via dev-security-policy wrote:
On 02/05/2017 12:46, Gervase Markham wrote:
> On 02/05/17 01:55, Peter Kurrasch wrote:
>> I was thinking that fraud takes many forms generally speaking and that
>> the PKI space is no different. Given that Mozilla (and
On 02/05/2017 17:30, Rob Stradling wrote:
On 02/05/17 16:11, Alex Gaynor via dev-security-policy wrote:
I know several CAs are using certlint
(https://github.com/awslabs/certlint)
as a pre-issuance check that the cert they're about to issue doesn't have
any programmatically detectable
On 01/05/2017 10:55, Gervase Markham wrote:
Does anyone have any thoughts about this issue, below?
I sent out a message saying that I had adopted this change as proposed,
but that was an error. It has not yet been adopted, because I am
concerned about the below.
The first option is simpler,
> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of
> wizard--- via dev-security-policy
> Sent: Tuesday, May 02, 2017 7:10 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: [EXT]
Okay – we’ll add them all to CT over the next couple of days.
From: Ryan Sleevi [mailto:r...@sleevi.com]
Sent: Tuesday, May 2, 2017 9:08 AM
To: Jeremy Rowley
Cc: r...@sleevi.com; Gervase Markham ;
mozilla-dev-security-pol...@lists.mozilla.org
Thanks!
The revocation timeline changes are coming today/tomorrow morning.
-Original Message-
From: Gervase Markham [mailto:g...@mozilla.org]
Sent: Tuesday, May 2, 2017 4:55 AM
To: r...@sleevi.com; Jeremy Rowley ;
mozilla-dev-security-pol...@lists.mozilla.org
Hi Steve,
On 02/05/17 18:39, Steve Medin wrote:
> Gerv- Thank you for the thoughtful analysis. We are reviewing and intend to
> respond to your latest proposal shortly.
Please understand that this is not (yet) Mozilla's response to Symantec.
If we were a closed root program, this would be an
Gerv- Thank you for the thoughtful analysis. We are reviewing and intend to
respond to your latest proposal shortly.
> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of
> Gervase Markham via
On 02/05/17 16:11, Alex Gaynor via dev-security-policy wrote:
I know several CAs are using certlint (https://github.com/awslabs/certlint)
as a pre-issuance check that the cert they're about to issue doesn't have
any programmatically detectable deficiencies; if it doesn't already cover
some of
I know several CAs are using certlint (https://github.com/awslabs/certlint)
as a pre-issuance check that the cert they're about to issue doesn't have
any programmatically detectable deficiencies; if it doesn't already cover
some of these cases, it'd be great to add them as a technical means for
Group participants may be interested in David Keeler's analysis of why
Firefox seemed to be seeing cert pinning mismatches for Mozilla properties:
https://people-mozilla.org/~dkeeler/deployment-checker-analysis.html
Gerv
This seems like a very reasonable stance for Mozilla to take: strongly
encourage a new Symantec PKI so they start with a clean slate, otherwise staged
distrust of all existing certificates with the requirement that Symantec
produce a full document/diagram of how the components of their PKI are
On 01/05/17 18:33, Alex Gaynor wrote:
> One idea that occurred to me (maybe novel, though I doubt it), is requiring
> mandatory _timely_ CT submission for intermediates/cross signatures. That
> is, to be compliant an issuer's (SCT-timestamp - cert-not-before) must be
> less than some period,
On 02/05/17 00:01, Ryan Sleevi wrote:
> Thank you for
> 1) Disclosing the details to a sufficient level of detail immediately
> 2) Providing regular updates and continued investigation
> 3) Confirming the acceptability of the plan before implementing it, and
> with sufficient detail to understand
On 01/05/17 18:33, Alex Gaynor via dev-security-policy wrote:
Hi Gerv,
One idea that occurred to me (maybe novel, though I doubt it), is requiring
mandatory _timely_ CT submission for intermediates/cross signatures. That
is, to be compliant an issuer's (SCT-timestamp - cert-not-before) must be
On 02/05/17 03:10, Peter Kurrasch wrote:
> Your updates look good! One small quibble: The bottom of the Physical
> Relocation section mentions the code signing trust bit, but I think that
> is irrelevant now?
I see that on https://wiki.mozilla.org/CA:RootTransferPolicy , but
that's the document
On 02/05/17 01:55, Peter Kurrasch wrote:
> I was thinking that fraud takes many forms generally speaking and that
> the PKI space is no different. Given that Mozilla (and everyone else)
> work very hard to preserve the integrity of the global PKI and that the
> PKI itself is an important tool to
On 01/05/17 18:53, Lee wrote:
> You seem to be replacing a "meets or exceeds" requirement with a
> "strictly meets" requirement.
That is not particularly the intention. I think that the Baseline nature
of the Baseline Requirements means that CAs know it's generally OK to go
above and beyond what