Re: Welcome Wayne Thayer to Mozilla!

2017-11-27 Thread Ryan Hurst via dev-security-policy
That is great! On Monday, November 27, 2017 at 4:04:09 PM UTC-8, Kathleen Wilson wrote: > All, > > I am pleased to announce that Wayne Thayer is now a Mozilla employee, > and will be working with me on our CA Program! > > Many of you know Wayne from his involvement in this discussion forum and

Re: Question on CAA processing for mixed wildcard and non-wildcard SAN DNS names

2017-11-27 Thread Jakob Bohm via dev-security-policy
On 28/11/2017 04:16, Ryan Sleevi wrote: On Mon, Nov 27, 2017 at 8:29 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On 27/11/2017 19:37, Nick Lamb wrote: On Fri, 24 Nov 2017 12:25:40 + Gervase Markham via dev-security-policy

Re: Question on CAA processing for mixed wildcard and non-wildcard SAN DNS names

2017-11-27 Thread Ryan Sleevi via dev-security-policy
On Mon, Nov 27, 2017 at 8:29 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 27/11/2017 19:37, Nick Lamb wrote: > >> On Fri, 24 Nov 2017 12:25:40 + >> Gervase Markham via dev-security-policy >> wrote: >> >>

Re: Question on CAA processing for mixed wildcard and non-wildcard SAN DNS names

2017-11-27 Thread Jakob Bohm via dev-security-policy
On 28/11/2017 02:29, Jakob Bohm wrote: On 27/11/2017 19:37, Nick Lamb wrote: On Fri, 24 Nov 2017 12:25:40 + Gervase Markham via dev-security-policy wrote: ... While your scenario below sounds compelling, it is very much a contrived scenario of the

Re: Possible future re-application from WoSign (now WoTrus)

2017-11-27 Thread Jakob Bohm via dev-security-policy
On 27/11/2017 09:38, Danny 吴熠 wrote: Dear Gerv, Kathleen, other community friends, First, thanks for Gerv and Kathleen’s so kind consideration and so great arrangement for this pre-discussion. Second, thanks for the community participants to help us know our problem clearly in the past year,

Welcome Wayne Thayer to Mozilla!

2017-11-27 Thread Kathleen Wilson via dev-security-policy
All, I am pleased to announce that Wayne Thayer is now a Mozilla employee, and will be working with me on our CA Program! Many of you know Wayne from his involvement in this discussion forum and in the CA/Browser Forum, as a representative for the Go Daddy CA. Wayne was involved in Go

Re: Mozilla RSA-PSS policy

2017-11-27 Thread Ryan Sleevi via dev-security-policy
On Mon, Nov 27, 2017 at 4:51 PM, Hubert Kario wrote: > > > First, I absolutely disagree with your assumption - we need to assume > > hostility, and design our code and policies to be robust against that. I > > should hope that was uncontroversial, but it doesn't seem to be. > >

Re: Mozilla RSA-PSS policy

2017-11-27 Thread Hubert Kario via dev-security-policy
On Monday, 27 November 2017 20:31:53 CET Ryan Sleevi wrote: > On Mon, Nov 27, 2017 at 12:54 PM, Hubert Kario wrote: > > > On the realm of CA policy, we're discussing two matters: > > > 1) What should the certificates a CA issue be encoded as > > > 2) How should the CA protect

Re: Possible future re-application from WoSign (now WoTrus)

2017-11-27 Thread Matthew Hardeman via dev-security-policy
The position that WoTrus (and apparently QiHoo 360) take(s) here does seem to clarify a matter involving the reinclusion. It sounds like they are insisting that Richard Wang would be part of the plan and would, in fact, retain a position of material control and responsibility in the

Re: Question on CAA processing for mixed wildcard and non-wildcard SAN DNS names

2017-11-27 Thread Tom via dev-security-policy
The thing is, extraneous names on a certificate present a subtle security flaw, even if control over those names was validated properly I agree, if the user is not fully aware of these additions, it can add a subtle security flaw such as "virtual host confusion attacks" (

Firefox Mobile - Which Trust Store?

2017-11-27 Thread Myers, Kenneth (10421) via dev-security-policy
Does Firefox mobile use the NSS trust store? I can't find any information, but it seems most mobile browsers use the OS trust store.

Re: Mozilla RSA-PSS policy

2017-11-27 Thread Ryan Sleevi via dev-security-policy
On Mon, Nov 27, 2017 at 12:54 PM, Hubert Kario wrote: > > > On the realm of CA policy, we're discussing two matters: > > 1) What should the certificates a CA issue be encoded as > > 2) How should the CA protect and use its private key. > > > > While it may not be immediately

Re: Question on CAA processing for mixed wildcard and non-wildcard SAN DNS names

2017-11-27 Thread Nick Lamb via dev-security-policy
On Fri, 24 Nov 2017 12:25:40 + Gervase Markham via dev-security-policy wrote: > Validate example.com -> add "www.example.com": seems fine to me, and a > reasonable accommodation to a common customer desire. > > Validate www.example.com -> add

Re: Mozilla RSA-PSS policy

2017-11-27 Thread Hubert Kario via dev-security-policy
On Monday, 27 November 2017 17:28:02 CET Ryan Sleevi wrote: > On Thu, Nov 23, 2017 at 7:07 AM, Hubert Kario via dev-security-policy < > > dev-security-policy@lists.mozilla.org> wrote: > > In response to comment made by Gervase Markham[1], pointing out that > > Mozilla > > doesn't have an official

Re: Mozilla RSA-PSS policy

2017-11-27 Thread Ryan Sleevi via dev-security-policy
On Thu, Nov 23, 2017 at 7:07 AM, Hubert Kario via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > In response to comment made by Gervase Markham[1], pointing out that > Mozilla > doesn't have an official RSA-PSS usage policy. > > This is the thread to discuss it and make a

RE: Possible future re-application from WoSign (now WoTrus)

2017-11-27 Thread westmail24--- via dev-security-policy
Here it is also a question of a dangerous precedent. Should Mozilla always forgive all bad CAs in the future and take a formal approach to security?

RE: Possible future re-application from WoSign (now WoTrus)

2017-11-27 Thread Danny 吴熠 via dev-security-policy
Dear Gerv, Kathleen, other community friends, First, thanks for Gerv and Kathleen’s so kind consideration and so great arrangement for this pre-discussion. Second, thanks for the community participants to help us know our problem clearly in the past year, we wish you can give us a chance to
