Re: CA generated keys

Ryan Hurst via dev-security-policy writes: >Unfortunately, the PKCS#12 format, as supported by UAs and Operating Systems >is not a great candidate for the role of carrying keys anymore. You can see >my blog post on this topic here:

Re: On the value of EV

On Mon, Dec 18, 2017 at 03:04:11PM -0800, Ian Carroll via dev-security-policy wrote: > > I do wonder how many users actually make the connection that the country code > next to the company name is in fact a country code. And even if you do make the connection, it's not always obvious even in

Re: On the value of EV

On Monday, December 18, 2017 at 4:54:24 PM UTC-5, Andrew wrote: > On Monday, December 18, 2017 at 3:09:31 PM UTC-6, Wayne Thayer wrote: > > Thank you Ryan for raising this question, and to everyone who has been > > contributing in a constructive manner to the discussion. A number of > > excellent

Re: On the value of EV

On Mon, Dec 18, 2017 at 4:09 PM, Wayne Thayer wrote: > Thank you Ryan for raising this question, and to everyone who has been > contributing in a constructive manner to the discussion. A number of > excellent points have been raised on the effectiveness of EV in general and

Re: ComSign Root Renewal Request

On Sun, Dec 10, 2017 at 9:15 AM, YairE via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Thank you for your notes, > Here are the answers to your points. > > all the "bad" points about the CPS were addressed: > Both CPS's are now changed to ver 4.1 > Looks good, thank

Re: On the value of EV

On Monday, December 18, 2017 at 3:54:24 PM UTC-6, Andrew wrote: > On Monday, December 18, 2017 at 3:09:31 PM UTC-6, Wayne Thayer wrote: > > Thank you Ryan for raising this question, and to everyone who has been > > contributing in a constructive manner to the discussion. A number of > > excellent

Re: On the value of EV

On Monday, December 18, 2017 at 3:09:31 PM UTC-6, Wayne Thayer wrote: > Thank you Ryan for raising this question, and to everyone who has been > contributing in a constructive manner to the discussion. A number of > excellent points have been raised on the effectiveness of EV in general and > on

Re: On the value of EV

Thank you Ryan for raising this question, and to everyone who has been contributing in a constructive manner to the discussion. A number of excellent points have been raised on the effectiveness of EV in general and on the practicality of solving the problems that exist with EV. While we have

Re: On the value of EV

My apologies for bringing up an analogy to cars for purposes of explaining, as it's otherwise opened up an analogical rathole. The answer to your question about IDNs is probably best for a separate thread (as it doesn't seem to bear relevance to EV), and your question about whether it encourages

Re: On the value of EV

IDN abuses are far more hostile, to my mind, than EV positive indicators. At least within certain locales. Why is IDN even displayed in styled form if the client locale belongs to a jurisdiction or language for which non-roman characters would be abnormal? Additionally, many vehicles provide

Re: On the value of EV

That is, indeed, a good question. I've also questioned simultaneously questioning users' reliance on the UI while suggesting that no user looks to the UI. If the user does not see or make decisions on the basis of the UI, it seems leaving it present is no harder a conclusion to arrive at than

Re: On the value of EV

On Mon, Dec 18, 2017 at 1:26 PM, Andrew via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Friday, December 15, 2017 at 4:06:02 PM UTC-6, Ryan Sleevi wrote: > > It also perpetuates the myopic and flawed view as a phishing mitigation, > > whose reliance is upon users

Re: On the value of EV

As I see it, there are essentially two entirely different forms of identity assurance that TLS certificates are intended to provide: - To assure the user that the domain name displayed in the address bar is controlled by the same entity who controls the server they are communicating with

Re: On the value of EV

On Friday, December 15, 2017 at 4:06:02 PM UTC-6, Ryan Sleevi wrote: > It also perpetuates the myopic and flawed view as a phishing mitigation, > whose reliance is upon users checking it (again, user hostile) Ryan, several times now you've characterized the expectation that users check that the

Re: Mississuance of EV Certificates

On Mon, Dec 18, 2017 at 9:30 AM, cornelia.enke66--- via dev-security-policy wrote: > > Update on the long-term countermeasures: > At the first point - sorry for the delay. I missed to post my answer on > Fryday. > > We The occurred error caused by a human

Re: CABF Recommendations (was: On the value of EV)

On Sun, Dec 17, 2017 at 6:38 PM, Peter Kurrasch via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Again I will state that it's in the best interests of CA's to improve > their EV issuing guidelines and practices. While CA's no doubt enjoy > charging a premium for EV

Re: On the value of EV

On Sun, Dec 17, 2017 at 4:45 PM, Peter Kurrasch via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Second, the actual value in EV as far as I can see is in having that human > readable name in addition to the domain name. A successful plan of attack > will need convincing

RE: CA generated keys

> On 15/12/17 16:02, Ryan Hurst wrote: > > So I have read this thread in its entirety now and I think it makes sense for it > to reset to first principles, specifically: > > > > What are the technological and business goals trying to be achieved, > > What are the requirements derived from those

Re: Mississuance of EV Certificates

Am Dienstag, 12. Dezember 2017 11:10:00 UTC+1 schrieb cornel...@swisssign.com: > 1)How your CA first became aware of the problem (e.g. via a problem report > submitted to your Problem Reporting Mechanism, a discussion in > mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and

Re: Investigating validations & issuances - The high value IP space BGP Hijacks on 2017-12-12

The Microsoft Volume Licensing Service Center (VLSC) is definitely affected, at least from my recent experience - i've been struggling with their service for the past week because the email address validations from Microsoft VLSC seem to be intercepted/blocked somewhere - i'm having