On 28.09.17 19:06, Gervase Markham via dev-security-policy wrote:
> On 26/09/17 03:17, Ryan Sleevi wrote:
>> update in a year, are arguably outside of the scope of ‘reasonable’ use
>> cases - the ecosystem itself has shown itself to change on at least that
>> frequency.
>
> Is "1 year" not a
Hi Gerv,
> On 28. Sep 2017, at 19:06, Gervase Markham via dev-security-policy
> wrote:
>
> Is "1 year" not a relatively common (for some value of "common") setting
> for HPKP timeouts for sites which think they have now mastered HPKP?
We did a
On 26/09/17 00:03, Andrew wrote:
> is that the reports should only be sent in a situation where a
> certificate _would_ have been issued if not for the CAA records.
I'd say that's right. I'd think that by far the more common use case
would be internal policy enforcement at a company rather than
On 26/09/17 03:17, Ryan Sleevi wrote:
> update in a year, are arguably outside of the scope of ‘reasonable’ use
> cases - the ecosystem itself has shown itself to change on at least that
> frequency.
Is "1 year" not a relatively common (for some value of "common") setting
for HPKP timeouts for
On 22/09/17 00:33, Andrew wrote:
> Will there be any sort of deprecation period for PROCERT certificates
> as with StartCom/Wosign & Symantec? Or is PROCERT small enough that
> you believe it's feasible to just immediately distrust them without
> any significant negative impact on the overall web
On 20/09/17 03:49, userwithuid wrote:
>> I agree, Gerv's remarks are a bit confusing with respect to the concern.
Ryan is polite. :-)
> Wrt to the StartCom bulletpoint, I guess this was a mistake on Mozilla's part
> then and should probably be acknowledged as such, @Gerv.
Yes, I acknowledge
This is https://bugzilla.mozilla.org/show_bug.cgi?id=1401407 .
Gerv
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
On 27/09/17 18:54, Matthew Hardeman wrote:
> In the case of StartCom, I can not help but feel that they are being
> held to an especially high standard (higher than other prior adds to
> the program) in this new PKI because of who they are -- despite the
> fact that management and day-to-day
On 22/09/17 00:12, Ryan Sleevi wrote:
> Based on the number of reports reviewed recently, I suspect we've got
> opportunities for improvement, but I'm not quite sure yet what the concrete
> suggestions on that should look like. A few thoughts below:
Here's a set of changes which attempt to