On May 3, Apple submitted an update to the original incident report
(https://bugzilla.mozilla.org/show_bug.cgi?id=1533655), which is reposted
below.
Most certificates have been revoked and less than 1% of the total population of
That approach could work.
From: Wayne Thayer
Sent: Friday, May 3, 2019 1:19 PM
To: Ben Wilson
Cc: Andrew Ayer ; Corey Bonnell ;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Unretrievable CPS documents listed in CCADB
On Fri, May 3, 2019 at 8:36 AM Ben Wilson via
On Fri, May 3, 2019 at 8:36 AM Ben Wilson via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> I'm against having to continually update the exact URL of the CP and CPS
> in the CCADB.
A relatively simple solution to this problem is to create a "permanent
link" to the
Kathleen and Pedro,
Thank you for raising these legitimate concerns. I continue to believe that
a literal reading of the current requirement is that it already does apply
to S/MIME certificates, and the discussion I mentioned supports that
interpretation.
I propose two new options to solve this
The issue of identifying the proper CPS for older certificates raises
the important overall question of how this should be managed on an
industry-wide basis:
Note: All examples use numerically invalid values, such as OIDs
beginning with "5." or non-existent dates in the Gregorian calendar.
I'm against having to continually update the exact URL of the CP and CPS in the
CCADB. It's pretty easy to find the current CP and CPS from a legal
repository. Plus, if we point to an exact one in the CCADB, it might not be
the one that is applicable to a given certificate that was issued
Hi Corey,
FWIW, at least one of those CAs is no longer active, such as 5388 WoSign:
https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
- do old CAs get removed from CCADB or marked inactive in that system?
I do like the idea of linking the specific
On Friday, May 3, 2019 at 3:53:49 UTC+2, Corey Bonnell wrote:
> 3209, "Microsec Ltd.", "e-Szigno Class2 CA 2017",
> https://static.e-szigno.hu/docs/szsz--fok--sea--EN--v2.8.pdf, 404
> 3211, "Microsec Ltd.", "e-Szigno Class3 CA 2017",
>
Hello,
my main concern about applying this would be that this would lead to forbid the
option to suspend a personal certificate.
On a side note about suspension... I was not active in the forums when this was
discussed and adopted and I'm sure there was a clear benefit on disallowing
Hello Ryan,
thank you for your reply! I actually saw the github link, but I wasn't sure in
which repository I should open a ticket. As for the forum, I didn't know it and
I don't see a link at crt.sh
I have posted an email there
Take care,
Daniel