Re: New wiki page on certificate revocation plans

2015-12-01 Thread Jakob Bohm
.html ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søbo

Re: Second Discussion of KIR S.A. Root Inclusion Request

2015-12-01 Thread Jakob Bohm
st a lot longer) values for cryptographic values (such as RSA moduli), it would make sense for the NSS team to raise any such arbitrary limits to whatever (non-)limit is implemented for large numbers used in cryptographic values.

Re: New wiki page on certificate revocation plans

2015-12-03 Thread Jakob Bohm
On 03/12/2015 11:25, Gervase Markham wrote: On 30/11/15 22:37, Jakob Bohm wrote: 1.1. Certificates that are used on servers that don't implement OCSP stapling. No-one is suggesting dropping support for non-stapling web servers. But the revocation options will not be as good. Good.

Re: New wiki page on certificate revocation plans

2015-12-03 Thread Jakob Bohm
On 04/12/2015 02:20, Matt Palmer wrote: On Thu, Dec 03, 2015 at 07:32:43PM +0100, Jakob Bohm wrote: On 03/12/2015 11:25, Gervase Markham wrote: On 30/11/15 22:37, Jakob Bohm wrote: 1.2. Certificates that are moved from a server software implementation that does do OCSP stapling to another

Re: New wiki page on certificate revocation plans

2015-12-04 Thread Jakob Bohm
On 04/12/2015 11:19, Kurt Roeckx wrote: On 2015-12-04 02:55, Jakob Bohm wrote: How huge and unwieldy are CRLs really, especially if letting the computer (NSS/Firefox) do the updating? Individual CRLs are in the range of a few kB to a few MB. For the CA that issues the subscriber certificates

Re: New wiki page on certificate revocation plans

2015-12-04 Thread Jakob Bohm
On 04/12/2015 15:58, Kurt Roeckx wrote: On 2015-12-04 15:21, Jakob Bohm wrote: On 04/12/2015 11:19, Kurt Roeckx wrote: On 2015-12-04 02:55, Jakob Bohm wrote: How huge and unwieldy are CRLs really, especially if letting the computer (NSS/Firefox) do the updating? Individual CRLs are in the

Re: Validating a Domain Registrant

2015-12-10 Thread Jakob Bohm
provided that the CA maintains documented evidence that the method of confirmation establishes that the Applicant is the Domain Name Registrant or has control over the FQDN to at least the same level of assurance as those methods previously described.

Re: Remove trust of Symantec's Class 3 Public Primary Certification Authority?

2015-12-15 Thread Jakob Bohm
for the foreseeable future.

Re: Nation State MITM CA's ?

2016-01-07 Thread Jakob Bohm
es. Example 4: A CA company may run all its CAs as subordinates under a single root, but only some of those subCAs meet Mozilla criteria. Example 5: Some historic roots, such as Equifax, have been subsequently used as the root CA signing the new CAs as subCAs.

Re: Nation State MITM CA's ?

2016-01-07 Thread Jakob Bohm
On 07/01/2016 22:21, Paul Wouters wrote: On Thu, 7 Jan 2016, Jakob Bohm wrote: It would appear from this information, that this CA (and probably others like it) is deliberately serving a dual role: 1. It is the legitimate trust anchor for some domains that browser users will need to access

Re: Nation State MITM CA's ?

2016-01-07 Thread Jakob Bohm
s advocate).

Re: [FORGED] Re: Nation State MITM CA's ?

2016-01-11 Thread Jakob Bohm
OP3 etc.), thus exposing themselves to wiretapping by parties other than the government in question.

Re: Nation State MITM CA's ?

2016-01-11 Thread Jakob Bohm
On 08/01/2016 23:31, Florian Weimer wrote: * Jakob Bohm: Could they, hypothetically, simply claim to use the real certificate on the connection from their MiTM machines to the real server to do practical control validation? They would have to claim, also, that they are holding the private key

Re: [FORGED] Re: [FORGED] Re: Nation State MITM CA's ?

2016-01-12 Thread Jakob Bohm
hat happen not to be allies of the USA. So far, the best suggestion (other than to stall them on technicalities) is to find an interpretation of the existing CA rules which cannot be satisfied by any MiTM CA.

Re: Update to phasing out SHA-1 Certs

2016-01-18 Thread Jakob Bohm
oots that are self-signed (historically) using SHA-1, but which no longer issue certificates signed with SHA-1 (this is possible for non-DSA roots only).

Re: Update to phasing out SHA-1 Certs

2016-01-18 Thread Jakob Bohm
On 18/01/2016 22:18, Richard Barnes wrote: On Mon, Jan 18, 2016 at 11:07 AM, Jakob Bohm wrote: On 18/01/2016 16:19, Richard Barnes wrote: "Failed" might be a bit strong :) We had a temporary setback. Like the blog post says, we're working on more precisely characterizing

Re: SHA1 certs issued this year chaining to included roots

2016-01-19 Thread Jakob Bohm
Such compatibility SHA-1 certificates typically have to chain to existing roots too (again because of relying party software limitations).

Re: Update to phasing out SHA-1 Certs

2016-01-19 Thread Jakob Bohm
etry isn't trivially easy and reliable. ...

Re: OCSP exception contingent on must-staple (was Re: SHA1 certs issued this year chaining to included roots)

2016-01-20 Thread Jakob Bohm
ebsites. Bandwidth and time delays to download OCSP responses have to occur at the time of the request and cannot be easily preloaded.

Re: A-Trust Root Renewal Request

2016-02-09 Thread Jakob Bohm
certified copy. This would catch a fraudulent application accompanied by a perfectly forged certified copy of such records.

Re: DocuSign (OpenTrust/Keynectis/Certplus) root renewal request

2016-02-09 Thread Jakob Bohm
SR, signed paperwork, copies of official documents, callback phone numbers, revocation passwords etc.) remain confidential?

Re: New requirement: certlint testing

2016-02-11 Thread Jakob Bohm
s not that important.

Re: New requirement: certlint testing

2016-02-14 Thread Jakob Bohm
ed at the end entity tier.

Re: New requirement: certlint testing

2016-02-14 Thread Jakob Bohm
al certificates of the types I mentioned. Thus the exception was meant to allow current practice in cases where it is obviously completely safe, but to rein in this to such obviously safe cases in a way that can be routinely checked in both Mozilla monitoring and independent official audits. On

Re: [E] New requirement: certlint testing

2016-02-16 Thread Jakob Bohm
about the idea that the only thing better than more is more more more. Kind regards, Steve

Re: [E] Re: New requirement: certlint testing

2016-02-16 Thread Jakob Bohm

Re: [E] New requirement: certlint testing

2016-02-16 Thread Jakob Bohm
n issuance (and associated m of n methods), post-audit, and delivery whether a subordinate CA or a responder certificate. Good for you (and all your relying parties), doesn't extend to all the other CAs unless backed by requirements. Kind regards, Steve Medin On Tue, Feb 16, 2016 at 10:03

Re: More SHA-1 certs

2016-03-07 Thread Jakob Bohm
east Debian and Ubuntu) use the Mozilla CA list as the basis for their system-wide general purpose certificate stores.

Re: OCSP Responders Are An Attack Vector For SHA-1 Collisions

2016-03-09 Thread Jakob Bohm
each known single certificate query, as the random value only needs to change when the rest of the response changes, so a pre-computed response would contain a pre-computed random value.

Re: OCSP Responders Are An Attack Vector For SHA-1 Collisions

2016-03-09 Thread Jakob Bohm
On 10/03/2016 00:22, Peter Gutmann wrote: Jakob Bohm writes: 2. Find a way to add OCSP responder chosen random data in each OCSP response. Responder or requester? You've got the OCSP nonce, although since every (public) CA has disabled it that probably won't help much.

Re: Drafting Q1 2016 CA Communication

2016-03-10 Thread Jakob Bohm
ghtful and constructive feedback. Thanks, Kathleen General: Throughout this document you use phrases such as "all certificates that directly or transitively chain to your root certificate(s) included in Mozilla's CA Certificate Program", shouldn't those phrases ex

Re: More SHA-1 certs

2016-03-10 Thread Jakob Bohm
p new roots for supporting those is not viable, and not every CA has an old root they can "throw away", like Symantec did with some of the branded roots they had accumulated.

Re: Drafting Q1 2016 CA Communication

2016-03-11 Thread Jakob Bohm
On 11/03/2016 09:55, Kurt Roeckx wrote: On 2016-03-11 01:14, Jakob Bohm wrote: - Non-PrintableString/UTF8String in DNs. Workaround to be removed in Bug #[TBD]. Does this also apply to "pure ASCII" fields such as country ("C=US") etc.? Some of those were historically c

Re: Drafting Q1 2016 CA Communication

2016-03-19 Thread Jakob Bohm
to be signed does not facilitate SHA-1 collisions. The major CAs probably did that before the 1/1/2016 deadline, but some of the smaller CAs may have not gotten that done yet.

Re: ComSign Root Renewal Request

2016-03-22 Thread Jakob Bohm
nal > methods, or to make any major or meaningful change to the CP/CPS. Of > course ComSign is obligated and WILL notify Mozilla of any meaningful > change in its CP/CPS, but this is not relevant to this section. ... Eli Spitzer, Information security & System Management, Comsign

Re: CA ownership (re: Q1 2016 CA communication)

2016-03-22 Thread Jakob Bohm
double check any such certificate before issuing it.

Re: Drafting Q1 2016 CA Communication

2016-03-28 Thread Jakob Bohm

Re: SHA-1 S/MIME certificates

2016-03-30 Thread Jakob Bohm
rbird, the vast majority of 3rd party e-mail clients and the OS level root CA list of most operating systems releases, such as Microsoft Windows and the various Linux distributions. 9. All procedures performed to comply with the above rules must be documented in the relevant CPS and verified by

Re: SHA-1 S/MIME certificates

2016-03-30 Thread Jakob Bohm
nt to do so.

Re: SHA-1 S/MIME certificates

2016-04-01 Thread Jakob Bohm
I think a required move away from SHA1 client certs requires a bit more planning. 1) There hasn't been a formal deprecation of all SHA-1 certificates in any root

Re: SHA-1 S/MIME certificates

2016-04-04 Thread Jakob Bohm
On 01/04/2016 12:44, Varga Viktor wrote: Hi, My replies are inline

Re: MITM detection in the browser

2016-06-17 Thread Jakob Bohm
df [2] http://www.scmagazine.com/researchers-detect-ssl-mitm-attacks-method-implemented-by-facebook/article/346994/ Richard En

Re: What is the dates planned for the SHA-1 Deprecation Plan for Firefox

2016-06-17 Thread Jakob Bohm
lly outdated browser.

Re: Sanctions short of distrust

2016-09-01 Thread Jakob Bohm
e issued regardless of bugs). Similarly, as a public audit, someone could routinely set up throw-away domains with CAA records, then request banned certificates to name and shame bad issuance if actually issued (A "Mystery shopper" test strategy). Of course this should involve some che

Re: Reuse of serial numbers by StartCom

2016-09-01 Thread Jakob Bohm
utomated test script that scans issued certificates for the problem and raises an alarm so such certificates would be reissued (with distinct serial numbers) and revoked within a few days of each failure.

Re: Sanctions short of distrust

2016-09-02 Thread Jakob Bohm
d from the lists because those signed e-mails need to remain checkable at a later time, regardless if the original signer cooperates or tries to repudiate his own signature. Once the last TLS certificate is gone from the list, the expiry period of the .jar files is increased significantly

Re: Sanctions short of distrust

2016-09-05 Thread Jakob Bohm
SCTs in the certs, I thought the plan was to have the problematic CA *not* issue more certs... Indeed, I have found that a number of common web server implementations simply lack the ability to do OCSP stapling at all.

Re: Sanctions short of distrust

2016-09-06 Thread Jakob Bohm
SL/TLS front end: No OCSP stapling support in the standard version. IIS for Windows Server 2008 (latest IIS supporting pure 32 bit configurations): No obvious (if any) OCSP stapling support.

Re: Sanctions short of distrust

2016-09-06 Thread Jakob Bohm
On 06/09/2016 15:37, Kurt Roeckx wrote: On 2016-09-06 14:16, Jakob Bohm wrote: On 06/09/2016 10:25, Kurt Roeckx wrote: If you think there is something we can do in OpenSSL to improve this, please let us know. Here is a list of software where I have personally observed bad OCSP stapling

Re: Incidents involving the CA WoSign

2016-09-06 Thread Jakob Bohm
ard way of writing a derisive laughter in response to a bad unfunny joke.

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-06 Thread Jakob Bohm
ed PKI criticism, it is noted that some of the many new CAs found in root stores are governments who (unlike commercial CAs) are the actual authority on the identity of their citizens.

Re: Sanctions short of distrust

2016-09-06 Thread Jakob Bohm
On 06/09/2016 16:43, Martin Rublik wrote: On Tue, Sep 6, 2016 at 2:16 PM, Jakob Bohm wrote: Here is a list of software where I have personally observed bad OCSP stapling support: IIS for Windows Server 2008 (latest IIS supporting pure 32 bit configurations): No obvious (if any) OCSP

Re: Sanctions short of distrust

2016-09-06 Thread Jakob Bohm
On 06/09/2016 18:15, Ryan Hurst wrote: On Tuesday, September 6, 2016 at 7:54:14 AM UTC-7, Jakob Bohm wrote: On 06/09/2016 16:43, Martin Rublik wrote: On Tue, Sep 6, 2016 at 2:16 PM, Jakob Bohm wrote: Here is a list of software where I have personally observed bad OCSP stapling support

Re: Incidents involving the CA WoSign

2016-09-06 Thread Jakob Bohm
's systems don't work.

Re: Compromised certificate that the owner didn't wish to revoke (signed by GeoTrust)

2016-09-07 Thread Jakob Bohm
than the identified subject to possess the private key for a publicly-trusted certificate. It does; have you notified GeoTrust using whatever mechanism they make available for such notifications? They are supposed to have one, according to the BRs. I'm not sure posting here would count.

Re: Incidents involving the CA WoSign

2016-09-08 Thread Jakob Bohm
efore date? If so, that would be cryptographic evidence that the certificates were signed after those SCT entries were generated.

WoSign Issue L and port 8080

2016-09-09 Thread Jakob Bohm
, but the relevant formal documents do not, then that would be a separate but related issue, which should get its own letter on the Wiki page.

Ambiguous wording or the Mozilla CA security reporting requirement

2016-09-09 Thread Jakob Bohm
issuing millions (or just hundreds) of certificates without proper validation etc. Am I reading something wrong, or is there an unintended loophole in the Mozilla Policy, as written, in this regard?

Re: WoSign Issue L and port 8080

2016-09-12 Thread Jakob Bohm
On 10/09/2016 14:45, Gervase Markham wrote: On 09/09/16 11:53, Jakob Bohm wrote: As I read the Wiki description of WoSign issue L: Arbitrary High port validation, the description notes a case of port 8080 validation as an instance of this. If the BR and or CP/CPS indeed classify port 8080 as a

Re: Ambiguous wording or the Mozilla CA security reporting requirement

2016-09-12 Thread Jakob Bohm
On 10/09/2016 14:39, Gervase Markham wrote: On 09/09/16 11:59, Jakob Bohm wrote: Since a major root compromise is generally considered the worst possible security event for a trusted CA, this wording could easily be (mis?)understood not to require reporting of lesser security failures, such as

Re: WoSign Issue L and port 8080

2016-09-12 Thread Jakob Bohm
and procedures. For example, I don't think there would be specific BRs covering if they remember to lock the door to the server room. This would be very similar to how financial auditors do some checking if the day to day accounting practices are sound in terms of avoiding fraud.

Re: Cerificate Concern about Cloudflare's DNS

2016-09-12 Thread Jakob Bohm
f starts to play fast and loose with the identity of the proxied domains, that becomes a security concern in itself, unrelated to CA inclusion policy.

Re: Cerificate Concern about Cloudflare's DNS

2016-09-12 Thread Jakob Bohm
On 12/09/2016 21:57, Rob Stradling wrote: On 12/09/16 18:57, Jakob Bohm wrote: On 11/09/2016 07:49, Peter Bowen wrote: On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei wrote: So when I delegated the DNS service to Cloudflare, Cloudflare have the privilege to issue the certificate by default? Can

Re: Cerificate Concern about Cloudflare's DNS

2016-09-12 Thread Jakob Bohm
On 12/09/2016 23:48, Ryan Sleevi wrote: On Monday, September 12, 2016 at 2:33:47 PM UTC-7, Jakob Bohm wrote: I find fault in CloudFlare (presuming the story is actually as reported). Why? Apologies, but I fail to see what you believe is "wrong", given how multiple people have poin

Re: Cerificate Concern about Cloudflare's DNS

2016-09-12 Thread Jakob Bohm
On 13/09/2016 01:28, Ryan Sleevi wrote: On Monday, September 12, 2016 at 3:51:56 PM UTC-7, Jakob Bohm wrote: Note that this is *entirely* outside CA/B and CA inclusion related guidelines, since CloudFlare is (presumably) not a CA and thus not subject to such guidelines. Then isn't it

Re: Compromised certificate that the owner didn't wish to revoke (signed by GeoTrust)

2016-09-12 Thread Jakob Bohm
ieval environment and compromised private key. -Kyle H On 9/7/2016 00:41, Jakob Bohm wrote: Given the specific name in those certificates, and the place where the private key was seen, I would guess the actual use case is this: ... Just to clarify, I never said that the use was for a "captiv

Re: Sanctions short of distrust

2016-09-12 Thread Jakob Bohm
ure by creating new intermediary certs for which no trust restrictions exist.

Re: WoSign Issue L and port 8080

2016-09-13 Thread Jakob Bohm
On 13/09/2016 11:50, Gervase Markham wrote: Hi Jakob, On 12/09/16 18:30, Jakob Bohm wrote: Our current evidence seems to be an unfortunate mix of actual issues (such as the github.io certificates), and semi-irrelevant smear, which means we will need to separate the chaff from the wheat before

Re: WoSign Issue L and port 8080

2016-09-13 Thread Jakob Bohm
On 13/09/2016 11:50, Gervase Markham wrote: On 12/09/16 19:02, Jakob Bohm wrote: Wouldn't this fall under the general auditable requirement of being careful in their practices and procedures. Ask an auditor, and they will tell you that "be careful" is not an auditable require

Re: Sanctions short of distrust

2016-09-13 Thread Jakob Bohm
On 13/09/2016 16:47, Ryan Sleevi wrote: On Monday, September 12, 2016 at 8:30:07 PM UTC-7, Jakob Bohm wrote: A variation of this, would be to create (compacted) whitelists for specific old intermediary certs, It sounds like you haven't been following this conversation, but the entire

Re: Sanctions short of distrust

2016-09-13 Thread Jakob Bohm
s.

Re: Compromised certificate that the owner didn't wish to revoke (signed by GeoTrust)

2016-09-14 Thread Jakob Bohm
On 14/09/2016 16:11, Kyle Hamilton wrote: On 9/12/2016 20:20, Jakob Bohm wrote: On 13/09/2016 03:03, Kyle Hamilton wrote: I would prefer not to see a securelogin-.arubanetworks.com name, because such makes it look like Aruba Networks is operating the captive portal. If (for

Re: WoSign Issue L and port 8080

2016-09-19 Thread Jakob Bohm
ere present, not all certificate requests will come from DNSSEC signed domains. After all, if they did, DANE would soon be a substitute for DV certs.

Re: Maybe Mozilla can work with Chinese CAs to urge Chinese government to open up its internet a bit more?

2016-09-19 Thread Jakob Bohm
"forums", and you appear to be using that Google web app, but not everyone does. If the Google web app is blocked in China, then the Chinese participants (I have read messages from at least 2 people from China in the past week here), are presumably not using the Google web app.

Re: Sanctions short of distrust

2016-09-22 Thread Jakob Bohm
ates for "odd" subdomains such as "extranet.example.com" 2.2 Certificates for e-mail 2.3 Code signing certificates 2.4 Others?

Re: OpenSSL OCSP serious vulnerability

2016-09-22 Thread Jakob Bohm
ihoo 360 for reporting this bug to the OpenSSL team, thus helping to protect us all.

Re: Sanctions short of distrust

2016-09-23 Thread Jakob Bohm
On 23/09/2016 12:51, Peter Gutmann wrote: Jakob Bohm writes: While you are at it: 1. How many WoSign/StartCom certificates did you find with domains not on that IANA list? 2. How many WoSign/StartCom certificates did you find for other uses than https://www.example.tld: 2.1

Re: Audit requirements

2016-09-23 Thread Jakob Bohm
ays a fee and passes a full BR audit by Ernst, Young or Deloitte".

Re: Incidents involving the CA WoSign

2016-09-23 Thread Jakob Bohm
only "permitted" algorithms are all broken before replacements become "permitted". having a specific BR rule banning any curve except 3 curves from a single government project in a single country certainly looks like a very bad idea.

Re: Time to distrust

2016-09-23 Thread Jakob Bohm
y. Or the attacker could choose a CA with too long expiry times on their CRLs and OCSP responses. Mechanisms such as OneCRL tend to be horribly incomplete. Just in the past few months there has been repeated mention on this list of revoked certificates that were not on OneCRL, only on the CA CRLs.

Re: Sanctions short of distrust

2016-09-23 Thread Jakob Bohm
On 23/09/2016 17:18, Rob Stradling wrote: On 22/09/16 18:48, Jakob Bohm wrote: While you are at it: 1. How many WoSign/StartCom certificates did you find with domains not on that IANA list? Hi Jakob. I wasn't looking for this sort of thing, because Gerv was only interested in &q

Re: Time to distrust

2016-09-26 Thread Jakob Bohm
On 23/09/2016 18:46, Ryan Sleevi wrote: On Friday, September 23, 2016 at 9:15:48 AM UTC-7, Jakob Bohm wrote: they are nowhere as bad as proponents of extreme centralization schemes claim. Citation needed. It would seem that you're not familiar with the somewhat well-accepted industry

Re: Updating Production Common CA Database

2016-09-26 Thread Jakob Bohm
r files not received with a mime-type, like ftp: and file: URLs) and many other software systems.

Re: Time to distrust

2016-09-27 Thread Jakob Bohm
On 27/09/2016 09:31, Kurt Roeckx wrote: On 2016-09-27 01:18, Jakob Bohm wrote: It would perhaps be useful if you could dispute, using Firefox as an example, and considering the real deployment (not the theoretical abstract of ways in which someone 'might' configure about:flags, but

Re: WoSign and StartCom

2016-09-29 Thread Jakob Bohm
s etc.) new SHA-1 certs until the hardware dies. On a trust policy/BR level, the key detail here is that the issuing root cert is a SHA-1 cert itself and would thus be distrusted by SHA-1-distrusting systems anyway.

Re: WoSign and StartCom

2016-09-30 Thread Jakob Bohm
On 30/09/2016 13:21, Gervase Markham wrote: On 30/09/16 07:50, Jakob Bohm wrote: SHA-1 certs until the hardware dies. On a trust policy/BR level, the key detail here is that the issuing root cert is a SHA-1 cert itself and would thus be distrusted by SHA-1-distrusting systems anyway. That&#

WoSign and StartCom situation possible misreporting by Feist Duck

2016-09-30 Thread Jakob Bohm
his they will immediately distrust all Wosign/StartCOM certificates.

Re: Deficiencies in the Web PKI and Mozilla's shepherding thereof, exposed by the WoSign affair

2016-10-03 Thread Jakob Bohm
around and worked around -- most recently with Certificate Transparency -- when the actual reason for the problem was simply "end entities cannot do risk management within the current protocols".

Re: SHA-1 exception First Data

2016-10-06 Thread Jakob Bohm
large numbers to end users in the form of phones, PDAs etc. Ideally, there should also be a way for TLS servers (such as web servers) to detect if the TLS client suffers from historic public key limitations such as SHA-1 only, low maximum DH key size etc., thus allowing the TLS server to use str

Re: SHA-1 exception First Data

2016-10-06 Thread Jakob Bohm
On 06/10/2016 15:58, Gervase Markham wrote: On 06/10/16 12:38, Jakob Bohm wrote: Which is why I have repeatedly suggested that maybe the rules should be changed to promote/demote some of the historic SHA-1 root certs into "SHA-1 forever" roots that can service older devices and brow

Re: WoSign: updated report and discussion

2016-10-07 Thread Jakob Bohm
StartCom has not yet decided on a technical separation plan, could one acceptable option for such a plan be to reactivate the old (pre-acquisition) infrastructure and software and take it from there? An answer to that might help StartCom choose an acceptable plan. Enjoy Jakob -- Jakob Bohm, CIO

Re: Include Symantec-brand Class 1 and Class 2 Root Certs

2016-10-07 Thread Jakob Bohm
f cross-signatures of a CA that might be distrusted, disclosure of e-mail only cross signatures and e-mail only subCAs still need to be disclosed in order to maintain root program integrity. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denm

Re: WoSign: updated report and discussion

2016-10-07 Thread Jakob Bohm
s. Thus B would lose 15 months of income while keeping up significant operational costs just for the hope of maybe getting readmitted. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public disc

Re: WoSign: updated report and discussion

2016-10-12 Thread Jakob Bohm
to ensure that Richard Wang or his underlings have not used that key in ways not logged in the log files and databases now controlled by the new StartCOM? Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10

Re: WoSign: updated report and discussion

2016-10-13 Thread Jakob Bohm
the Qihoo 360 HQ vault, is this the HSM for the StartCOM CA root, and/or the HSM for the Intermediary certificates? Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-b

Re: StartCom & Qihoo Incidents

2016-10-13 Thread Jakob Bohm
Qihoo 360 shareholders. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Emb

Re: StartCom & Qihoo Incidents

2016-10-17 Thread Jakob Bohm
st some of the Mozilla-root-list-copying open source projects seem not to be aware of yet. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain e

Re: StartCom & Qihoo Incidents

2016-10-17 Thread Jakob Bohm
On 18/10/2016 00:39, Kurt Roeckx wrote: On Tue, Oct 18, 2016 at 12:22:21AM +0200, Jakob Bohm wrote: Over the past few years, this has caused the Mozilla root list to become less and less useful for the rest of the open source world, a fact which at least some of the Mozilla-root-list-copying

Re: Globalsign accidental intermediate revocation incident

2016-10-17 Thread Jakob Bohm
ents, and if so, which one. 5. If this was e-mailed to all potentially affected certificate holders, or just dumped in some public forums which certificate holders might not see in time to take necessary action. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Tr

Re: StartCom & Qihoo Incidents

2016-10-17 Thread Jakob Bohm
On 18/10/2016 01:22, Kurt Roeckx wrote: On Tue, Oct 18, 2016 at 12:39:42AM +0200, Kurt Roeckx wrote: On Tue, Oct 18, 2016 at 12:22:21AM +0200, Jakob Bohm wrote: Over the past few years, this has caused the Mozilla root list to become less and less useful for the rest of the open source world
