On February 9, 2018 at 1:24:12 AM, Wayne Thayer (wtha...@mozilla.com) wrote:
On Tue, Feb 6, 2018 at 6:03 PM, Paul Kehrer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> So, how long is too long?
>
This is the crux of the issue for me. If a CA (that really should have
On Wed, Feb 7, 2018 at 8:18 AM, YairE via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Hi Wyane,
> resopnding to your notes:
>
> Section 4.9 states that in any case that Comsign is notified about a
> misissuance (no matter if it was notified by a subscriber or in any other
On Thu, Feb 8, 2018 at 3:14 PM, Hanno Böck via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Thu, 8 Feb 2018 15:50:08 +
> Gervase Markham via dev-security-policy
> wrote:
>
> > In this case, the certificates are revoked in Firefox via OneCRL and
> > Chrome via CRLSe
On Thu, 8 Feb 2018 15:50:08 +
Gervase Markham via dev-security-policy
wrote:
> In this case, the certificates are revoked in Firefox via OneCRL and
> Chrome via CRLSets (AIUI) and so the revocations are guaranteed to be
> noticed.
Hi Gerv,
Independent of this specific case, which I guess is
On Thu, Feb 8, 2018 at 8:54 AM, Rob Stradling via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On 08/02/18 15:50, Gervase Markham via dev-security-policy wrote:
>
>> On 08/02/18 13:47, Hanno Böck wrote:
>>
>> OneCRL additions normally have an associated bug but I can't see
On Tue, Feb 6, 2018 at 6:03 PM, Paul Kehrer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> So, how long is too long?
>
This is the crux of the issue for me. If a CA (that really should have
stopped responding 'good' for unknown certs back in 2013) needs to select,
pur
On 08/02/18 15:50, Gervase Markham via dev-security-policy wrote:
On 08/02/18 13:47, Hanno Böck wrote:
Is a revoked intermediate cert a license for operating a yolo CA that
signs everything? Given the fragility of revocation checking I'd find
that a problematic precedent.
In this case, the cer
On 08/02/18 13:47, Hanno Böck wrote:
> Is a revoked intermediate cert a license for operating a yolo CA that
> signs everything? Given the fragility of revocation checking I'd find
> that a problematic precedent.
In this case, the certificates are revoked in Firefox via OneCRL and
Chrome via CRLSe
On 07/02/18 15:14, Alex Gaynor wrote:
> That said, given the issues Paul highlighted in his original mail (which I
> wholeheartedly concur with), it seems the place to focus is the folks who
> are getting Ds right now. Therefore I think the essential part of your
> email is your agreement that CAs
Also, it should be understood that on Linux OS no transitional periods will be
made, but simply to removes all Symantec certificates from a certain date.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org
On 16.10.2017 19:32, Gervase Markham via dev-security-policy wrote:
> The subCAs that we know of that fall into this category belong to Google
> and Apple. If there are any other subCAs that fall into this category,
> please let us know immediately. Google has one such subCA; Apple has seven.
Besi
On 16.10.2017 20:26, Eric Mill via dev-security-policy wrote:
> Adding code to Firefox to support the distrust of specified subCAs seems
> like it would be a good long-term investment for Mozilla, as it would give
> Mozilla a lot more flexibility during future distrust events.
I think this isn't a
Hi,
On Tue, 6 Feb 2018 16:56:48 +0100
Kurt Roeckx via dev-security-policy
wrote:
> I should probably more clear, the certificates of the CA have been
> revoked.
I'm wondering what that means.
Is a revoked intermediate cert a license for operating a yolo CA that
signs everything? Given the fragi
On 16.10.2017 19:33, Gervase Markham via dev-security-policy wrote:
> As per previous discussions and
> https://wiki.mozilla.org/CA:Symantec_Issues, a consensus proposal[0] was
> reached among multiple browser makers for a graduated distrust of
> Symantec roots.
>
> Here is Mozilla’s planned timel
On 01.11.2017 00:58, Jeremy Rowley via dev-security-policy wrote:
> A couple of points of clarification (as it seems to have stirred some
> questions)
> 1. Migration to the DigiCert issuing and validation process only applies to
> certs intended for browser use, meaning the infrastructure may iss
15 matches
Mail list logo
