> I believe Root programs have the necessary policy in place to treat
> incidents -in exceptional circumstances- on a case-by-case basis. Wayne
> had mentioned in a previous post [4] that Mozilla doesn't want to be
> responsible for assessing the potential impact, but that statement took
> for
> The rule as written requires that the output bits have come from a CSPRNG.
> But it doesn't say that they have to come from a single invocation of a
> CSPRNG or that they have to be collected as a contiguous bit stream from the
> CSPRNG with no bits of output from the CSPRNG discarded and
On Wed, Mar 13, 2019 at 6:09 PM Peter Gutmann via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Richard Moore via dev-security-policy <
> dev-security-policy@lists.mozilla.org> writes:
>
> >If any other CA wants to check theirs before someone else does, then now is
>
Richard Moore via dev-security-policy
writes:
>If any other CA wants to check theirs before someone else does, then now is
>surely the time to speak up.
I'd already asked previously whether any CA wanted to indicate publicly that
they were compliant with BR 7.1, which zero CAs responded to (I
On Thursday, March 7, 2019 at 7:01:41 PM UTC-7, Daymion Reynolds wrote:
> As of 9pm AZ on 3/6/2019 GoDaddy started researching the 64bit certificate
> Serial Number issue. We have identified a significant quantity of
> certificates (> 1.8million) not meeting the 64bit serial number requirement.
On Tuesday, March 12, 2019 at 11:53:25 PM UTC, Kurt Roeckx wrote:
>
> The expected distribution when generating a random 64 bit integer
> and properly encoding that as DER is that:
> - about 1/2 integers require 9 bytes
> - about 1/2 integers require 8 bytes
> - about 1/512 integers require 7
When the serial number issue was first disclosed we reviewed all GlobalSign
certificates issued from our systems and found no issues wrt serial number
length. While all GlobalSign systems are compliant, one of our customers
running an on-premise CA that chains to a GlobalSign root, AT, uses EJBCA
Hello MDSP,
Logius PKIoverheid wants to report a potential issue that we've found with one
of our TSPs issuing certificates under the Staat der Nederlanden Root CAs
All times are in UTC +1
1. How your CA first became aware of the problem (e.g. via a
Hi everyone,
We are migrating TLS Observatory to a new infrastructure on March 14th, which
will induce a 24 hours downtime.
I'll post an update when we're back online.
- Julien
___
dev-security-policy mailing list
On 13/03/2019 03:04, Peter Gutmann wrote:
> Rob Stradling via dev-security-policy
> writes:
>
>> I've been working on an alternative proposal for a serial number generation
>> scheme, for which I intend to write an I-D and propose to the LAMPS WG.
>
> This seems really, really complicated.
On 13/03/2019 03:18, Matthew Hardeman wrote:
> Overall I think it's a neat scheme.
>
> It does impose some trade-offs beyond the mechanism that I proposed:
>
> 1. It leaves the implementing CA with no space within the serial number
> field to include a CA significant sequence number,
On Wed, Mar 13, 2019 at 5:52 AM Ryan Sleevi wrote:
>
>
> On Tue, Mar 12, 2019 at 11:18 PM bif via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> FWIW, the easiest would've been to remove "positive" aspect of serials.
>> Who really cares? A random number is a random