On Tuesday, 31 October 2017 10:21:47 UTC+1, Dimitris Zacharopoulos wrote:
> It is not the first time this issue is brought up. While I have a very
> firm opinion that ETSI auditors under the ISO 17065 (focused on the
> quality of products/services) and ETSI EN 319 403 definitely check
>
On 02/11/17 11:39, Henri Sivonen wrote:
> A Medium post claiming[1] to represent Estonia e-residency
> https://medium.com/e-residency-blog/estonia-is-enhancing-the-security-of-its-digital-identities-361b9a3c9c52
> instructs Mac users not to update Firefox from December 15 2017 onwards.
Thank you
More info (that was sent to me a while ago, I just missed the report):
There were actually seven. I missed this one:
Serial: "a18e9"
We installed a patch to stop accepting ROCA keys for TLS certs on
2017-10-26. A patch for code signing and email certs is coming shortly.
Once that patch is
Yeah - still trying to get that info. I'll update this list right when I
know what's been done. I'm not 100% sure at this point, but I wanted to
post early and update rather than wait until I know everything. Sorry - should
have specified that in the original email.
-Original Message-
From:
Hi,
What I miss is what has been done to prevent new ones from being
issued.
Kurt
On Tue, Nov 07, 2017 at 06:20:53PM +, Jeremy Rowley via dev-security-policy
wrote:
> Hey everyone,
>
>
>
> Here's the DigiCert incident report about the ROCA fingerprints. Note that
> these were all
I believe so – I asked that they all be logged, but I’ll need to double check
whether it got done.
From: Alex Gaynor [mailto:agay...@mozilla.com]
Sent: Tuesday, November 7, 2017 11:23 AM
To: Jeremy Rowley
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Hi Jeremy,
Have all these certificates been submitted to CT?
Thanks!
Alex
On Tue, Nov 7, 2017 at 1:20 PM, Jeremy Rowley via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Hey everyone,
>
>
>
> Here's the DigiCert incident report about the ROCA fingerprints. Note that
>
Hey everyone,
Here's the DigiCert incident report about the ROCA fingerprints. Note that
these were all issued by Symantec (ie, before the transaction closed).
We became aware of the issue when it was posted to the mailing list.
However, at that time, the certs were not operated by
Apologies, my understanding is that the XML is synced from the JSON, rather
than the other way around
See https://wiki.mozilla.org/Firefox/Kinto#Blocklists
That is, the canonical source is Kinto (JSON), that is then used to drive
the generation of the blocklist.xml (so that released binaries
Thanks a lot, Ryan! Your comment on the Firefox specific selection of
revoked certificates contained in the list is definitely a point we'll have
to consider.
One more question: do I see it correctly that what is being called OneCRL
is the "certItems" part of
On 06/11/2017 17:05, m.wiedenho...@tuvit.de wrote:
TÜViT as a conformity assessment body would like to add some explanations to
clear up some misunderstandings about ETSI auditing.
First of all, we would like to give one preliminary remark. ETSI has separated
the TSP technical requirements
Note that additions and removals made in OneCRL relate to the behaviour
of mozilla::pkix and the trust lists expressed by the associated version of
NSS shipping with the supported versions of Firefox.
For example, this includes revocation of 'email only' CAs (that are not
appropriately
For example, in all our audits for other standards, no “audit
period” is clearly documented in the report; time since previous
audit is always implied.
>>>
>>> Again, I don't believe that it is reasonable to assume that
>>> auditing/sampling has been done over the full year.
>>>
Hi all
I'm working for a big managed security provider. We would like to benefit from
OneCRL as a means of improving our certificate revocation checking.
I could download OneCRL at
https://firefox.settings.services.mozilla.com/v1/buckets/blocklists/collections/certificates/records.
My
Thank you for clarification.
Do you think the terms "/approval scheme/", "/supervision scheme/",
"/accreditation scheme/" etc. (used in some ETSI TSs or the Commission
Decisions) have the same meaning and ETSI EN 319 403 is just one of
possible "/certification scheme/s"?
Thanks,
M.D.
On
On 03/11/17 18:16, douglas.beat...@gmail.com wrote:
> Here is the final incident report
Thanks, Doug :-)
Gerv
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
TÜViT as a conformity assessment body would like to add some explanations to
clear up some misunderstandings about ETSI auditing.
First of all, we would like to give one preliminary remark. ETSI has separated
the TSP technical requirements (ETSI EN 319 411-1, ETSI EN 319 401) from the
CAB