This blog post is very vague, one can understood from it that Microsoft will
not trust any new certificates from these two CAs:
"Microsoft will begin the natural deprecation of WoSign and StartCom
certificates by setting a “NotBefore” date ... Windows 10 will not trust any
new certificates from
On Monday, August 7, 2017 at 11:03:27 PM UTC+3, Jakob Bohm wrote:
> 7. At Quihoo: Actually get rid of Richard Wang, not just change his
>title from CEO to COO.
I didn't map the new hierarchy of the "Spanish" StartCom CA ("StartCom CA Spain
Sociedad Limitada"), having trouble registering to t
Trust is something you *gain*.
I want to believe the internet has come a long way from PGP signing parties.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
On Monday, July 10, 2017 at 9:00:04 AM UTC+3, Richard Wang wrote:
> " 5. Provide auditor[3] attestation that a full security audit of the CA’s
> issuing infrastructure has been successfully completed. "
> " [3] The auditor must be an external company, and approved by Mozilla. "
What is the sourc
Mr. Wang is mentioned on the end of the document, what is Richard Wang current
official responsibility of Mr. Wang at WoSign?
According to the incident report, release on October 2016 [1], Mr. Wang was
suppose to be relieved of his duties as CEO, this is mentioned in 3 separate
paragraphs (P.17
The next step, if Symantec wish to continue to use their current PKI in the
future, should be logging (ASAP) *all* of the certificates they issued to a CT
log, then we'll know how deep is the rabbit hole.
___
dev-security-policy mailing list
dev-securit
On Thursday, April 20, 2017 at 4:03:36 PM UTC+3, Gervase Markham wrote:
> Mozilla also doesn't believe that it's the job of CAs to police phishing
CAs should police as long as the browser gives positive reinforcement to the
end-users when they access a [phishing] site.
There were suggestions in
On Tuesday, February 28, 2017 at 6:00:47 PM UTC+2, Nick Lamb wrote:
> This is useful independent evidence that (at least some of) the names did
> exist at one time.
The problem is that they're "re-keying" certificates for domains that are no
longer in control of their subscribers (as Andrew Ayer
On Tuesday, February 28, 2017 at 5:49:32 PM UTC+2, Andrew Ayer wrote:
> Note that the BRs do not require a domain to exist when a CA issues a
> DV/OV certificate for it. The BRs only require that the CA validated
> the domain at some point in the 39 months prior to issuance.
Sad to know. Pasting
On Tuesday, February 28, 2017 at 1:38:25 PM UTC+2, Gervase Markham wrote:
> I think that without more evidence we must assume that GlobalSign
> validated this domain correctly at a time when it existed.
There are many more test*.* domains, non of those (about 10) I checked exist. I
will compose a
How those lines are parsed? what happens when a client reaches a whitespace?
Will this allow 'vietnamairlines.com' to use 'owa', 'mail' and 'autodiscover'
in their internal infrastructure?
___
dev-security-policy mailing list
dev-security-policy@lists.
I talked with Ofer from Incapsula, he said the domain exist at some point;
Someone have access to domain tools or other tool to verify this matter? Based
on domaintools I can say the domain did exist but I can't tell when it cease to
exist.
https://research.domaintools.com/research/whois-histor
This practice seem to go back to Apr 2014.
Link: https://crt.sh/?dNSName=testslsslfeb20.me
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
On Wednesday, January 11, 2017 at 5:03:08 AM UTC+2, Wayne Thayer wrote:
> ... and will also be logged to the Google Pilot CT log.
Why not posting _ALL_ certificates issues via that method to CT log?
___
dev-security-policy mailing list
dev-security-polic
On Monday, November 7, 2016 at 10:46:32 AM UTC+2, Rami Kogan wrote:
> Just came across the following Phishing site which is using a StartCom cert:
>
> serviices-intl[.]com
Did you contact them, if you did, what was their reply? It's better to contact
the CA first, and only if issues arouse then
On Sunday, November 6, 2016 at 12:11:43 AM UTC+2, Ryan Sleevi wrote:
> Can you tell me where that clause indicates that they should use the Alexa
> Top 1 million to consider a request "High Risk"?
It doesn't, "High risk" is left for the CA's interpretation. But after the fact
you can say that th
On Friday, November 4, 2016 at 12:18:40 PM UTC+2, Gervase Markham wrote:
> ... But because WoSign had done the appropriate domain control checks,
> we did not consider this a mistake by WoSign.
(to my understanding) They did violate a "SHALL" guideline:
"The CA SHALL develop, maintain, and implem
On Wednesday, November 2, 2016 at 5:22:30 PM UTC+2, Gervase Markham wrote:
> Hi Daniel,
>
> On 02/11/16 14:11, Itzhak Daniel wrote:
> As far as the DigiCert certs go, it is far too early to have an opinion
> on what Mozilla is or isn't doing.
I have to agree, the time span is
Interesting that Comodo and DigiCert are getting a different treatment, I
wonder if WoSign/StartCom had ignored Mozilla Security Community at some
degree, the same way Comodo and DigiCert are doing, would it saved them.
(I don't know if there are chatters in the back, maybe I missed something an
19 matches
Mail list logo