On 12/12/2017 12:21 AM, Hanno Böck via dev-security-policy wrote:
> Hi,
>
> On Mon, 11 Dec 2017 11:01:10 -0800 (PST)
> Ryan Sleevi via dev-security-policy
> wrote:
>
>> I suppose this is both a question for policy and for Mozilla - given
>> the ability to
On Tue, Dec 12, 2017 at 3:44 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> What you are writing below, with far too many words is that you think
> that URLs are the only identities that matter in this world, and
> therefore DV certificates are enough
Would it be reasonable to have some sort of global database where the company
names and other identifiers that can be displayed in UI will be stored
including
some sort of contact data?
In the validation process for EV the CA could then be required to contact the
companies with similar names
On 12/12/2017 21:39, Wayne Thayer wrote:
On Tue, Dec 12, 2017 at 7:45 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
On 12/12/2017 19:39, Wayne Thayer wrote:
The outcome to be avoided is a CA that holds in escrow thousands of
private keys used for TLS.
On Tue, Dec 12, 2017 at 7:45 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On 12/12/2017 19:39, Wayne Thayer wrote:
>
>> The outcome to be avoided is a CA that holds in escrow thousands of
>> private keys used for TLS. I don’t think that a policy
On 12/12/2017 20:04, Ryan Sleevi wrote:
On Tue, Dec 12, 2017 at 1:11 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
The overall thing is that the current thread seems to be a major case of
throwing the baby out with the bathwater.
That is overly
On 12/12/2017 19:39, Wayne Thayer wrote:
On Mon, Dec 11, 2017 at 9:43 AM, Tim Hollebeek via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
I don't know but it's worth talking about. I think the discussion should
be
"when should this be allowed, and how can it be done
> A policy allowing CAs to generate key pairs should also include provisions
> for:
> - The CA must generate the key in accordance with technical best practices
> - While in possession of the private key, the CA must store it securely
Don't forget appropriate protection for the key while it is
On Tue, Dec 12, 2017 at 1:11 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> The overall thing is that the current thread seems to be a major case of
> throwing the baby out with the bathwater.
>
That is overly reductive and may demonstrate a lack of
On Mon, Dec 11, 2017 at 9:43 AM, Tim Hollebeek via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> I don't know but it's worth talking about. I think the discussion should
> be
> "when should this be allowed, and how can it be done securely?"
>
> The outcome to be avoided
On 12/12/2017 18:31, Jonathan Rudenberg wrote:
On Dec 12, 2017, at 08:36, Jakob Bohm via dev-security-policy
wrote:
A lot of people have posed suggestions for countermeasures so extreme
they should not be taken seriously. This includes discontinuing
On 12/12/2017 18:19, Ryan Sleevi wrote:
On Tue, Dec 12, 2017 at 8:36 AM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
On 12/12/2017 01:08, Adam Caudill wrote:
Even if it is, someone filed the paperwork. Court houses have clerks,
guards, video cameras,
> On Dec 12, 2017, at 08:36, Jakob Bohm via dev-security-policy
> wrote:
>
> A lot of people have posed suggestions for countermeasures so extreme
> they should not be taken seriously. This includes discontinuing EV,
I don’t think that removing the EV
On Tue, Dec 12, 2017 at 8:36 AM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On 12/12/2017 01:08, Adam Caudill wrote:
>
>> Even if it is, someone filed the paperwork. Court houses have clerks,
> guards, video cameras, etc... It still may present a
On Tue, Dec 12, 2017 at 10:18 AM, Nick Lamb via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> > The implemented controls detected the misconfiguration within 24
> > hours. The incorrect configuration was nevertheless recorded as a
> > security incident. The handling of
On Mon, 11 Dec 2017 19:08:43 -0500
Adam Caudill via dev-security-policy
wrote:
> I can say from my own experience, in some states in the US, it's a
> trivial matter to create a company online, with no validation of
> identity or other information. It takes
I think this is fundamentally an issue of the history of the DNS and X.500
architecture. Combined with social factors since 1996 when the original NSF
Directory and DNS grant money ran out, and domains (which had been free) became
this wild west name space, which has reached some predictable
This is useful feedback. Thanks.
-Tim
-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+tim.hollebeek=digicert@lists.mozilla.org]
On Behalf Of Jakob Bohm via dev-security-policy
Sent: Tuesday, December 12, 2017 6:36 AM
To:
On 12/12/2017 01:08, Adam Caudill wrote:
Even if it is, someone filed the paperwork. Court houses have clerks,
guards, video cameras, etc... It still may present a real physical
point
from which to bootstrap an investigation.
Court houses also have online systems. I think if you read both
I recently talked about [1] some of the many problems I see with EV
certificates on my blog but looking at the tangible security benefits of EV
they can already be matched, or will soon be matched, by DV certificates.
Certificate Transparency will be required [2] for all certificates and not
I have to correct one thing:
7)
The implemented controls detected the misconfiguration; when we detected the
misconfiguration, the report was given within 24 hours.
1)How your CA first became aware of the problem (e.g. via a problem report
submitted to your Problem Reporting Mechanism, a discussion in
mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the
time and date.
We became aware of the problem during an internal review of