Top Level Module Committee Response to Dark Matter Root Inclusion Request Appeal

2020-02-24 Thread Eric Rescorla via dev-security-policy
All, Please find below the TLMC's resolution of Dark Matter's appeal. -Ekr [for the TLMC] Introduction On December 28, 2017, Scott Rae on behalf of Dark Matter filed a bug [https://bugzilla.mozilla.org/show_bug.cgi?id=1427262] asking for inclusion in the Mozilla Root store for four new trust

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-15 Thread Eric Rescorla via dev-security-policy
On Thu, Aug 15, 2019 at 2:46 PM Doug Beattie via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > Peter, > > Do you have any empirical data to back up the claims that there is no > benefit > from EV certificates? From the reports I've seen, the percentage of > phishing and

Re: FF52 beta send SSL record layer with min=1 and max=3or4

2017-02-21 Thread Eric Rescorla via dev-security-policy
This was filed as: https://bugzilla.mozilla.org/show_bug.cgi?id=1341375 For those following at home: 1. This is conformant behavior, though apparently it makes some servers sad. 2. I can't repro it in FF 52, so I'm going to need more detail to work on it -Ekr On Tue, Feb 21, 2017 at 8:10 AM,

Re: Firefox 50.1.0 still does not offer any secure SSL / TLS ciphers

2016-12-23 Thread Eric Rescorla
On Fri, Dec 23, 2016 at 10:02 AM, wrote: > Eric, > > thanks for your help again. > > > > As far as I have understood, the consensus is that there are bad > > > (insecure) ECs (those from NIST which seem to be intentionally > weakened / > > > broken by various tricks) and good

Re: Firefox 50.1.0 still does not offer any secure SSL / TLS ciphers

2016-12-23 Thread Eric Rescorla
On Fri, Dec 23, 2016 at 1:53 AM, wrote: > Eric, > > > I don't believe that this claim reflects the consensus of the security > > community. > > As far as I have understood, the consensus is that there are bad > (insecure) ECs (those from NIST which seem to be intentionally

Re: Firefox 50.1.0 still does not offer any secure SSL / TLS ciphers

2016-12-22 Thread Eric Rescorla
On Wed, Dec 21, 2016 at 11:58 PM, wrote: > Hi all, > > I already have reported the following issue in the bug tracking system and > now have been told that the bug has been closed and that I should put it > for discussion here. > > Please note that I am no way a security expert,

Re: Deficiencies in the Web PKI and Mozilla's shepherding thereof, exposed by the WoSign affair

2016-10-04 Thread Eric Rescorla
On Mon, Oct 3, 2016 at 9:44 PM, Peter Bowen wrote: > On Mon, Oct 3, 2016 at 5:24 PM, Jakob Bohm wrote: > > On 03/10/2016 20:41, Kyle Hamilton wrote: > >> WoSign is known to be cross-signed by several independent CAs (as well > as > > > >> 2. There is