On 2/5/19 4:36 μ.μ., Ryan Sleevi via dev-security-policy wrote:
> On Thu, May 2, 2019 at 9:14 AM Fotis Loukos wrote:
>
>> The PCA (I am calling it PCA even if it does not follow all the design
>> and architecture of RFC5288 PCAs for simplicity's sake) has the
>> te
Hello,
On 30/4/19 8:26 μ.μ., Ryan Sleevi via dev-security-policy wrote:
> On Tue, Apr 30, 2019 at 1:10 PM Fotis Loukos wrote:
>
>> I am just arguing that there is no risk involved in having a single
>> certificate. I do agree that the model you proposed with the two
>>
Hello,
On 30/4/19 6:59 μ.μ., Ryan Sleevi via dev-security-policy wrote:
> On Tue, Apr 30, 2019 at 11:49 AM Fotis Loukos wrote:
>
>> On 30/4/19 6:34 μ.μ., Ryan Sleevi via dev-security-policy wrote:
>>> On Tue, Apr 30, 2019 at 8:51 AM Fotis Loukos wrote:
>>>
>>
On 30/4/19 6:34 μ.μ., Ryan Sleevi via dev-security-policy wrote:
> On Tue, Apr 30, 2019 at 8:51 AM Fotis Loukos wrote:
>
>> Hello Ryan,
>>
>> On 29/4/19 5:20 μ.μ., Ryan Sleevi via dev-security-policy wrote:
>>> On Fri, Apr 26, 2019 at 7:02 PM Wayne Thayer
an S/MIME intermediate under that hierarchy.
>
> As it's unclear to me the benefit of accommodating the PCAs, because as you
> note, it's more complexity to the policy, and because it seems to be
> systemically more riskier for end-users and more expensive for CAs, I do
om/mozilla/pkipolicy/commit/a8353e12db6128d9a01de7ab94949180115a2d92
> [2] https://github.com/mozilla/pkipolicy/issues/172
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
--
Fotis Loukos,
irements set by the Mozilla Root Store Policy. This linter is set up
to lint the tbsCertificates at the same time as the aforementioned linters.
- The compliance department will provide feedback to the team that
maintains the linter in order to keep it up to date.
Best regards,
Fotis
--
Fotis
'legalizing' BR violations after browsers' concent (granting
an exception). Before two paragraphs you stated that you never proposed
making an extended revocation legal.
Regards,
Fotis
>
>
> Dimitris.
>
>
>
> On 4/12/2018 8:00 μ.μ., Fotis Loukos via dev-securi
On 4/12/18 8:30 μ.μ., Ryan Sleevi via dev-security-policy wrote:
> On Tue, Dec 4, 2018 at 5:02 AM Fotis Loukos
> wrote:
>
>> An initial comment is that statements such as "I disagree that CAs are
>> "doing their best" to comply with the rules." because so
k that a CA will be able to do this risk assessment and how can root
store operators decide on this within 24h in order to extend this
period? If no, would you trust such a risk assessment?
Regards,
Fotis
>
>
> On 04/12/2018 11:02, Fotis Loukos wrote:
>> Hello everybody,
&g
Hello everybody,
First of all, I would like to note that I am writing as an individual
and my opinion does not necessarily represent the opinion of my employer.
An initial comment is that statements such as "I disagree that CAs are
"doing their best" to comply with the rules." because some CAs are
time, possibly revoke the problematic certificates and at least
momentarily pause the issuance of new certificates until the issue is
resolved. I consider this a serious issue that displays problematic
practices within the CA.
Regards,
Fotis
--
Fotis Loukos, PhD
Director of Security Architecture
ns
> of interpretation - of BRs or policies - happen on the list, that the
> module owner is the decision maker, and that public participation is fully
> welcomed, whether peers or otherwise. In that model - of transparency -
> doesn't support the claims being presented here as 'f
On 04/11/2017 02:36 μμ, Daniel Cater via dev-security-policy wrote:
> I notice that on https://crt.sh/mozilla-onecrl there are lots of certificates
> that have recently been added to OneCRL from the .tg TLD (Togo), including
> ones for high-profile domains such as google.tg. The issuances occurre
performed by LSTI. The last audit took place from 27th to 30th September
>> 2016 in applying the relevant ETSI Technical Specifications ETSI TS
>> 102042v2.4.1.
>
> And that audit includes a BR audit?
>
> Did the audit report have any qualifications?
>
> Gerv
>
On 09/10/2016 05:43 PM, Erwann Abalea wrote:
> Bonjour,
>
> Le samedi 10 septembre 2016 14:37:40 UTC+2, Han Yuwei a écrit :
>> I am using Cloudflare's DNS service and I found that Cloudflare has issued a
>> certficate to their server including my domain. But I didn't use any SSL
>> service of th
16 matches
Mail list logo