On 25/03/2019 23:42, Wayne Thayer wrote:
> My general sense is that we should be doing more to discourage the use of
> SHA-1 rather than less. I've just filed an issue [1] to consider a ban on
> SHA-1 S/MIME certificates in the future.
>
> On Mon, Mar 25, 2019 at 10:54 AM Jakob Bohm via
Thank you for the report Will and for the tracking info Rob.
It appears that all but one of these certificates is currently revoked, but
roughly 5 more weren't revoked until earlier today, which I assume was more
than 24 hours since they were reported to the CA.
Will: can you share an
On Mon, Mar 25, 2019 at 5:30 PM Matthew Hardeman via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> My ultimate intent was to try to formulate a way in which GRCA could
> provide certificates for the applications that they're having to support
> for their clients today
My general sense is that we should be doing more to discourage the use of
SHA-1 rather than less. I've just filed an issue [1] to consider a ban on
SHA-1 S/MIME certificates in the future.
On Mon, Mar 25, 2019 at 10:54 AM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org>
On 18/03/2019 21:11, Hector Martin 'marcan' wrote:
> On 19/03/2019 02.17, Rob Stradling via dev-security-policy wrote:
>> On 18/03/2019 17:05, Kurt Roeckx wrote:
>>> On Mon, Mar 18, 2019 at 03:30:37PM +, Rob Stradling via
>>> dev-security-policy wrote:
When a value in column E is
On 25/03/2019 22:29, Matthew Hardeman wrote:
On Mon, Mar 25, 2019 at 3:03 PM Ryan Hurst via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
While it may be true that the certificates in question do not contain
SANs, unfortunately, the certificates may still be trusted for
On Mon, Mar 25, 2019 at 3:03 PM Ryan Hurst via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> While it may be true that the certificates in question do not contain
> SANs, unfortunately, the certificates may still be trusted for SSL since
> they do not have EKUs.
>
> For an
On 25/3/2019 10:48 μ.μ., Wayne Thayer via dev-security-policy wrote:
I agree with Ryan on this. From a policy perspective, we should be
encouraging [and eventually requiring] EKU constraints, not making it
easier to exclude them.
I was merely copying parts of the existing policy related to
I agree with Ryan on this. From a policy perspective, we should be
encouraging [and eventually requiring] EKU constraints, not making it
easier to exclude them.
On Mon, Mar 25, 2019 at 1:03 PM Ryan Hurst via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> While it may be
While it may be true that the certificates in question do not contain SANs,
unfortunately, the certificates may still be trusted for SSL since they do not
have EKUs.
For an example see "The most dangerous code in the world: validating SSL
certificates in non-browser software" which is
On 23/03/2019 02:03, Wayne Thayer wrote:
> On Fri, Mar 22, 2019 at 6:54 PM Peter Bowen wrote:
>
>>
>>
>> On Fri, Mar 22, 2019 at 11:51 AM Wayne Thayer via dev-security-policy <
>> dev-security-policy@lists.mozilla.org> wrote:
>>
>>> I've been asked if the section 5.1.1 restrictions on SHA-1
As a preliminary note, Kamu SM would like to express that the only affected 2
certificates are the test certificates issued to our own domains in order to
fulfill the related requirement of Mozilla Root Inclusion Request.
1. How your CA first became aware of the problem (e.g. via a problem
I've just created a batch for this list on the Revocation Tracker:
https://misissued.com/batch/47/
On 22/03/2019 19:05, CERT Coordination Center via dev-security-policy wrote:
> Hi folks,
>
> I'm sharing this information with this list per suggestion of Hanno
> Böck. Some time ago we started
On 17/3/2019 1:54 π.μ., Matthew Hardeman via dev-security-policy wrote:
While sending a message that non-compliance could result in policy change
is generally a bad idea, I did notice something about the profile of the
non-compliant certificate which gave me pause:
None of the example
On Mon, Mar 25, 2019 at 12:05:44AM -0700, jonathansshn--- via
dev-security-policy wrote:
> 在 2019年2月27日星期三 UTC+8下午11:28:00,michel.le...@gmail.com写道:
> > I noticed this certificate
> > https://crt.sh/?id=1231965201=cablint,x509lint,zlint that has an
> > invalid domain `mail.xinhua08.con` in SANs.
在 2019年2月27日星期三 UTC+8下午11:28:00,michel.le...@gmail.com写道:
> Hello,
>
> I noticed this certificate
> https://crt.sh/?id=1231965201=cablint,x509lint,zlint that has an invalid
> domain `mail.xinhua08.con` in SANs. This looks like a typo and
> `mail.xinhua08.com` is present in other certificates.
16 matches
Mail list logo