Re: [FORGED] Re: How Certificates are Verified by Firefox

>> > to other browsers. >> > >> > You may be further dismayed to learn that Firefox will soon implement >> > intermediate preloading [1] as a privacy-preserving alternative to AIA >> chasing. >> > >> > - Wayne >> > >> > [1

Re: [FORGED] Re: How Certificates are Verified by Firefox

wrote: > >> >> >> On Thu, 28 Nov 2019 at 20:22, Peter Gutmann >> wrote: >> >>> Ben Laurie via dev-security-policy < >>> dev-security-policy@lists.mozilla.org> writes: >>> >>> >In short: caching considered harmful. >

Re: [FORGED] Re: How Certificates are Verified by Firefox

On Thu, 28 Nov 2019 at 20:22, Peter Gutmann wrote: > Ben Laurie via dev-security-policy > writes: > > >In short: caching considered harmful. > > Or "cacheing considered necessary to make things work"? If you happen to visit a bazillion sites a day. > In

Re: How Certificates are Verified by Firefox

One of the things that was quite annoying when developing CT was browser behaviour wrt intermediates - caching them and filling in missing ones means that failure to present correct cert chains is common behaviour. Which means that anything that _doesn't_ see a lot of certs has quite a low chance o

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

On Fri, 16 Aug 2019 at 14:31, Doug Beattie via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > DB: Yes, that's true. I was saying that phishing sites don't use EV, not > that EV sites don't get phished Surely this shows that EV is not needed to make phishing work, not that

Re: Violation report - Comodo CA certificates revocation delays

On Fri, 19 Oct 2018 at 10:38, Rob Stradling wrote: > On 18/10/2018 22:55, Ben Laurie wrote: > > On Fri, 12 Oct 2018 at 19:01, Rob Stradling wrote: > > > > On 12/10/18 16:40, Ryan Sleevi via dev-security-policy wrote: > > > On Fri, Oct 12, 2018 at 8:33 AM Ben Laurie >

Re: Violation report - Comodo CA certificates revocation delays

On Fri, 12 Oct 2018 at 19:01, Rob Stradling wrote: > On 12/10/18 16:40, Ryan Sleevi via dev-security-policy wrote: > > On Fri, Oct 12, 2018 at 8:33 AM Ben Laurie wrote: > > >> This is one of the reasons we also need revocation transparency. > > > > As tempting as the buzzword is, and as much as

Re: Violation report - Comodo CA certificates revocation delays

On Fri, 12 Oct 2018 at 16:41, Ryan Sleevi wrote: > > > On Fri, Oct 12, 2018 at 8:33 AM Ben Laurie wrote: > >> >> >> On Fri, 12 Oct 2018 at 03:16, Ryan Sleevi via dev-security-policy < >> dev-security-policy@lists.mozilla.org> wrote: >> >>> I believe that may be misunderstanding the concern. >>>

Re: Violation report - Comodo CA certificates revocation delays

On Fri, 12 Oct 2018 at 13:54, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 12/10/2018 14:33, Ben Laurie wrote: > > On Fri, 12 Oct 2018 at 03:16, Ryan Sleevi via dev-security-policy < > > dev-security-policy@lists.mozilla.org> wrote: > > > >> I believe tha

Re: Violation report - Comodo CA certificates revocation delays

On Fri, 12 Oct 2018 at 03:16, Ryan Sleevi via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I believe that may be misunderstanding the concern. > > Once these certificates expire, there's not a good way to check whether or > not they were revoked, because such revocation in

Re: GoDaddy Revocation Disclosure

On Fri, 17 Aug 2018 at 18:22, Daymion Reynolds via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Revoke Disclosure > > GoDaddy has been proactively performing self-audits. As part of this > process, we identified a vulnerability in our code that would allow our > validation

Re: How do you handle mass revocation requests?

On 28 February 2018 at 21:37, Nick Lamb via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Wed, 28 Feb 2018 20:03:51 + > Jeremy Rowley via dev-security-policy > wrote: > > > The keys were emailed to me. I'm trying to get a project together > > where we self-sign a ce

Re: How do you handle mass revocation requests?

On 28 February 2018 at 19:40, Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > The end user agreed to the subscriber agreement, not Trustico. Our > analysis follows what Peter B. posted – the subscriber is the “natural > person or Legal Entity to whom a Certi

Re: Anomalous Certificate Issuances based on historic CAA records

On 29 November 2017 at 22:33, Paul Wouters wrote: > > > > On Nov 29, 2017, at 17:00, Ben Laurie via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > > This whole conversation makes me wonder if CAA Transparency should be a > >

Re: Anomalous Certificate Issuances based on historic CAA records

This whole conversation makes me wonder if CAA Transparency should be a thing. On 29 November 2017 at 20:44, Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > The Thawte records aren't showing any CAA record preventing wildcards > either. > > Here's the Thawt

Re: .tg Certificates Issued by Let's Encrypt

On 4 November 2017 at 19:54, Kathleen Wilson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 11/4/17 5:36 AM, Daniel Cater wrote: > >> I notice that on https://crt.sh/mozilla-onecrl there are lots of >> certificates that have recently been added to OneCRL from the .tg