Re: 2019.08.28 Let’s Encrypt OCSP Responder Returned “Unauthorized” for Some Precertificates

2019-08-30 Thread Alex Cohn via dev-security-policy
On Fri, Aug 30, 2019 at 10:26 AM Jeremy Rowley via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > Is our answer right though? I wasn't sure. I said "Good" because "a > promise to issue a cert" could be considered the same issued. In that case > the BRs say you must respond

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Nick Lamb via dev-security-policy
On Fri, 30 Aug 2019 12:02:42 -0500 Matthew Hardeman via dev-security-policy wrote: > What's not discussed in that mechanism is how Google decides what > pages are unsafe and when? Yes, but the point was to show what shape Safe Browsing API is, I guess I'd assumed this makes it obvious that EV

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread James Burton via dev-security-policy
Kirk, I know you are really passionate about extended validation and it does come across in your correspondences on this forum and the CAB Forum but sometimes our passion or frustration leads us to divulge private information which shouldn't have been released into the public domain. Before you

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Kirk Hall via dev-security-policy
On Friday, August 30, 2019 at 11:38:55 AM UTC-7, Peter Bowen wrote: > On Fri, Aug 30, 2019 at 10:22 AM Kirk Hall via dev-security-policy > <dev-security-policy@lists.mozilla.org> wrote: > > > I'll just reiterate my point and then drop the subject. EV certificate > > subject information is used

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Ryan Sleevi via dev-security-policy
On Fri, Aug 30, 2019 at 12:06 PM Kirk Hall via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > This is super easy, and doesn't even require you to do any work, like > contacting Google Safe Browsing and asking them to participate in this > conversation. > > Here's the

Re: 2019.08.28 Let’s Encrypt OCSP Responder Returned “Unauthorized” for Some Precertificates

2019-08-30 Thread Ryan Sleevi via dev-security-policy
On Fri, Aug 30, 2019 at 11:26 AM Jeremy Rowley via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > Is our answer right though? I wasn't sure. I said "Good" because "a > promise to issue a cert" could be considered the same issued. In that case > the BRs say you must respond

Google Trust Services - CRL handling of expired certificates not fully compliant with RFC 5280 Section 3.3

2019-08-30 Thread Andy Warner via dev-security-policy
This is an initial report and we expect to provide some additional details and the completion timeline after a bit more verification and full deployment of in-flight mitigations. We are posting the most complete information we have currently to comply with Mozilla reporting timelines and will

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Peter Bowen via dev-security-policy
On Fri, Aug 30, 2019 at 10:22 AM Kirk Hall via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > I'll just reiterate my point and then drop the subject. EV certificate > subject information is used by anti-phishing services and browser phishing > filters, and it would be a

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Kirk Hall via dev-security-policy
> OK, I'll try one last time to see if you are willing to share Google > information that you have with this group on the question at hand (Do browser > phishing filters and anti-virus apps use EV data in their anti-phishing > algorithms). > > This is super easy, and doesn't even require

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Matthew Hardeman via dev-security-policy
On Fri, Aug 30, 2019 at 11:56 AM Nick Lamb via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > > For readers unfamiliar, let me briefly explain what Safe Browsing gives > browsers: > > For every URL you're considering displaying you calculate a whole bunch > of cryptographic

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Nick Lamb via dev-security-policy
On Thu, 29 Aug 2019 18:44:11 -0700 (PDT) Kirk Hall via dev-security-policy wrote: > OK, I'll try one last time to see if you are willing to share Google > information that you have with this group on the question at hand (Do > browser phishing filters and anti-virus apps use EV data in their >
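The "shape" of a Safe Browsing lookup that Nick Lamb's post sketches (the client hashes URL expressions and compares short prefixes against a local list, fetching full hashes only on a prefix hit), as an added, runnable illustration that is not part of any message in this thread and not Google's client code. The host/path expression rules are a simplified rendering of the documented Update API v4 canonicalisation (hostname suffixes, path prefixes, 4-byte SHA-256 prefixes); the unsafe list and the full-hash service are constructed in-memory stand-ins. The point it makes concrete is that the only input to the match is the URL string itself, so certificate subject fields never enter the computation.

```python
"""Simplified Safe Browsing-style URL lookup (added example, not Google code)."""
from __future__ import annotations

import hashlib
from typing import List, Optional, Set
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of the SHA-256 digest held in the local prefix list


def host_candidates(host: str) -> List[str]:
    """Exact host plus suffixes built from the last five labels, minus the bare TLD."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    out = [host]
    tail = labels[-5:]
    for i in range(len(tail) - 1):  # drop the leading label each round
        cand = ".".join(tail[i:])
        if cand not in out:
            out.append(cand)
    return out


def path_candidates(path: str, query: str) -> List[str]:
    """Exact path with and without query, then root plus up to three directory prefixes."""
    path = path or "/"
    out: List[str] = []
    if query:
        out.append(f"{path}?{query}")
    if path not in out:
        out.append(path)
    dirs = path.split("/")[1:-1]  # directory components only, last segment excluded
    for k in range(0, min(3, len(dirs)) + 1):
        cand = "/" + "".join(d + "/" for d in dirs[:k])
        if cand not in out:
            out.append(cand)
    return out


def url_expressions(url: str) -> List[str]:
    """All host+path expressions checked for one URL.

    Only the URL is consulted: scheme, port, fragment and anything about the
    TLS certificate presented by the site are discarded before hashing.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    return [h + p for h in host_candidates(host)
            for p in path_candidates(parts.path, parts.query)]


def full_hash(expr: str) -> bytes:
    return hashlib.sha256(expr.encode("utf-8")).digest()


# Constructed unsafe list for the example. A real client only holds the
# 4-byte prefixes locally and asks the service for full hashes on a hit.
_UNSAFE_EXPRESSIONS = ["bad.example.test/login/", "phish.example.test/"]
_FULL_HASHES: Set[bytes] = {full_hash(e) for e in _UNSAFE_EXPRESSIONS}
LOCAL_PREFIXES: Set[bytes] = {h[:PREFIX_LEN] for h in _FULL_HASHES}


def fetch_full_hashes(prefix: bytes) -> Set[bytes]:
    """Stand-in for the network full-hash request made after a prefix match."""
    return {h for h in _FULL_HASHES if h.startswith(prefix)}


def lookup(url: str) -> Optional[str]:
    """Return the matching list expression if the URL is flagged, else None."""
    for expr in url_expressions(url):
        h = full_hash(expr)
        if h[:PREFIX_LEN] in LOCAL_PREFIXES and h in fetch_full_hashes(h[:PREFIX_LEN]):
            return expr
    return None


if __name__ == "__main__":
    for u in ["https://bad.example.test/login/index.php?x=1",
              "https://good.example.test/login/",
              "http://phish.example.test/"]:
        print(u, "->", lookup(u))
```

Because `url_expressions` is computed from the hostname and path alone, an `https://` URL served with an EV certificate and the same URL over plain `http://` on a non-standard port produce identical expressions and therefore identical verdicts; the prefix list is the sole source of the "unsafe" decision.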

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Matthew Hardeman via dev-security-policy
> > I’m not saying that this is the case, but merely to say that the > Yes/No/IDK does not represent the full set of feasible responses. > So let's add "I decline to make inquiries, official or otherwise" and "Policy prevents me from discussing that" to the list. It would be interesting to get

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Neil Dunbar via dev-security-policy
> On 30 Aug 2019, at 02:44, Kirk Hall via dev-security-policy > > wrote: > > OK, I'll try one last time to see if you are willing to share Google > information that you have with this group on the question at hand (Do browser > phishing filters

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Kirk Hall via dev-security-policy
On Thursday, August 29, 2019 at 6:15:44 PM UTC-7, Ryan Sleevi wrote: > On Thu, Aug 29, 2019 at 8:54 PM Kirk Hall via dev-security-policy > <dev-security-policy@lists.mozilla.org> wrote: > > > What the heck does it mean when sometimes you say you are posting "in a > > personal capacity" and

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-30 Thread Leo Grove via dev-security-policy
On Thursday, August 29, 2019 at 5:26:55 PM UTC-5, Kirk Hall wrote: > On Thursday, August 29, 2019 at 3:10:49 PM UTC-7, Ryan Sleevi wrote: > > On Thu, Aug 29, 2019 at 5:18 PM Kirk Hall via dev-security-policy > > <dev-security-policy@lists.mozilla.org> wrote: > > > > > > > > Don't argue with me,

RE: 2019.08.28 Let’s Encrypt OCSP Responder Returned “Unauthorized” for Some Precertificates

2019-08-30 Thread Jeremy Rowley via dev-security-policy
Is our answer right though? I wasn't sure. I said "Good" because "a promise to issue a cert" could be considered the same issued. In that case the BRs say you must respond good. However, if "a promise to issue a certificate" is not the same as issuance, the BRs don't apply to the OCSP until the

Re: 2019.08.28 Let’s Encrypt OCSP Responder Returned “Unauthorized” for Some Precertificates

2019-08-30 Thread Kurt Roeckx via dev-security-policy
On 2019-08-30 12:14, Jakob Bohm wrote: On 30/08/2019 01:36, Jacob Hoffman-Andrews wrote: Also filed at https://bugzilla.mozilla.org/show_bug.cgi?id=1577652 On 2019.08.28 we read Apple’s bug report at https://bugzilla.mozilla.org/show_bug.cgi?id=1577014 about DigiCert’s OCSP responder

Re: 2019.08.28 Let’s Encrypt OCSP Responder Returned “Unauthorized” for Some Precertificates

2019-08-30 Thread Jakob Bohm via dev-security-policy
On 30/08/2019 01:36, Jacob Hoffman-Andrews wrote: > Also filed at https://bugzilla.mozilla.org/show_bug.cgi?id=1577652 > > On 2019.08.28 we read Apple’s bug report at > https://bugzilla.mozilla.org/show_bug.cgi?id=1577014 about DigiCert’s OCSP > responder returning incorrect results for a