Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-09-04 Thread Matt Palmer via dev-security-policy
On Wed, Sep 04, 2019 at 03:50:40PM +0200, Kurt Roeckx via dev-security-policy wrote: > On 2019-09-04 14:14, Matt Palmer wrote: > > If EV information is of use in anti-phishing efforts, then it would be best > > for the providers of anti-phishing services to team up with CAs to describe > > the

Re: Question about the issuance of OCSP Responder Certificates by technically constrained CAs

2019-09-04 Thread Jakob Bohm via dev-security-policy
On 04/09/2019 17:14, Ryan Sleevi wrote: > On Wed, Sep 4, 2019 at 11:06 AM Ben Wilson wrote: > >> I thought that the EKU "id-kp-OCSPSigning" was for the OCSP responder >> certificate itself (not the CA that issues the OCSP responder certificate). >> I don't think I've encountered a problem

Re: Question about the issuance of OCSP Responder Certificates by technically constrained CAs

2019-09-04 Thread Ryan Sleevi via dev-security-policy
On Wed, Sep 4, 2019 at 11:06 AM Ben Wilson wrote: > I thought that the EKU "id-kp-OCSPSigning" was for the OCSP responder > certificate itself (not the CA that issues the OCSP responder certificate). > I don't think I've encountered a problem before, but I guess it would > depend > on the

RE: Question about the issuance of OCSP Responder Certificates by technically constrained CAs

2019-09-04 Thread Ben Wilson via dev-security-policy
I thought that the EKU "id-kp-OCSPSigning" was for the OCSP responder certificate itself (not the CA that issues the OCSP responder certificate). I don't think I've encountered a problem before, but I guess it would depend on the implementation? -Original Message- From:

Re: Question about the issuance of OCSP Responder Certificates by technically constrained CAs

2019-09-04 Thread Ryan Sleevi via dev-security-policy
On Wed, Sep 4, 2019 at 9:47 AM Peter Mate, Erdosi via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > My question is the following: is it allowed to issue an OCSP Responder > certificate with "id-kp-OCSPSigning" EKU from a technically constrained CA > if the

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-09-04 Thread Kurt Roeckx via dev-security-policy
On 2019-09-04 14:14, Matt Palmer wrote: If EV information is of use in anti-phishing efforts, then it would be best for the providers of anti-phishing services to team up with CAs to describe the advantages of continuing to provide an EV certificate. If site owners, who are presumably smart

Question about the issuance of OCSP Responder Certificates by technically constrained CAs

2019-09-04 Thread Peter Mate, Erdosi via dev-security-policy
Dear list, I have a question about the issuance of the OCSP responder certificates in case of technically constrained CAs. I apologize for the long introduction, but this may be an important audit question in the (near) future. --- BEGIN INTRO --- I would like to cite five points from the

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-09-04 Thread Matt Palmer via dev-security-policy
On Tue, Sep 03, 2019 at 06:16:23PM -0700, Kirk Hall via dev-security-policy wrote: > However, I did receive authority to post the following statement from > someone who works for a major browser phishing filter (but without > disclosing the person's name or company). Here is the authorized >