Re: StartCom & Qihoo Incidents

2016-10-18 Thread Jakob Bohm
On 18/10/2016 14:35, Gervase Markham wrote: On 17/10/16 16:35, Jakob Bohm wrote: In the not so distant past, the Mozilla root program was much more useful due to different behavior: 1. Mozilla managed the root program based on an assumption that relying parties would use the common standard

Re: Remediation Plan for WoSign and StartCom

2016-10-22 Thread Jakob Bohm
e does Chrome use to validate signatures on the PPAPI plug ins it is currently forcing developers to switch to? Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding a

Re: Globalsign accidental intermediate revocation incident

2016-10-22 Thread Jakob Bohm
On 18/10/2016 20:50, douglas.beat...@gmail.com wrote: On Monday, October 17, 2016 at 4:19:34 PM UTC-7, Jakob Bohm wrote: On 16/10/2016 09:59, Adrian R. wrote: Hello, I read in the news (but not here on m.d.s.p) that a few days ago Globalsign revoked one of their intermediary roots and then un

Re: Mozilla Root Store Elsewhere (Was Re: StartCom & Qihoo Incidents)

2016-10-22 Thread Jakob Bohm
nceptual rather than just a technical level). Each of my examples above is an example of a change that could lead (and apparently has led in the past) downstream stores astray without that tidbit of information.

Re: Draft Email - Non-Disclosed SubCAs

2016-10-22 Thread Jakob Bohm
as not yet completed.

Re: Please avoid S/MIME signatures when posting to this group

2016-10-22 Thread Jakob Bohm
mailing list to them.

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-10-22 Thread Jakob Bohm
that were not published.

Re: Remediation Plan for WoSign and StartCom

2016-10-22 Thread Jakob Bohm
On 22/10/2016 14:59, Ryan Sleevi wrote: On Saturday, October 22, 2016 at 5:11:29 AM UTC-7, Jakob Bohm wrote: Talking of codesigning, which root store does Chrome use to validate signatures on the PPAPI plug ins it is currently forcing developers to switch to? I've mentioned to you repea

Re: Remediation Plan for WoSign and StartCom

2016-11-02 Thread Jakob Bohm
eone else mentioned that earlier, Ryan Sleevi of Google explained that their customer announcement didn't rule out reinclusion, they simply didn't say anything. So as far as the official Google announcement goes, there is no (published) minimum return date for Chrome (the second largest

Re: Cerificate Concern about Cloudflare's DNS

2016-11-02 Thread Jakob Bohm
llegations are in any way comparable to armed robbery. Only that the CA operational principle in question might be the same.

Re: Cerificate Concern about Cloudflare's DNS

2016-11-02 Thread Jakob Bohm
On 02/11/2016 17:08, Peter Bowen wrote: On Wed, Nov 2, 2016 at 8:26 AM, Tom Ritter wrote: On 2 November 2016 at 09:44, Jakob Bohm wrote: The only thing that might be a CA / BR issue would be this: There's been (some) mention that even if a user moves off Cloudflare, the CA is not obli

Re: Cerificate Concern about Cloudflare's DNS

2016-11-03 Thread Jakob Bohm
raight away. I was surprised when https://crt.sh/atom?q=crt.sh alerted me to https://crt.sh/?id=42619974 So I guess you haven't added your own domains (such as crt.sh) to the list of "high-value manual review" domains for your own certificate issuance processes?

Re: New SHA-1 certificates issued in 2016

2016-11-03 Thread Jakob Bohm
for e-mail (because some non-Mozilla e-mail clients were very late to supporting SHA-2 e-mail signatures).

Re: Cerificate Concern about Cloudflare's DNS

2016-11-04 Thread Jakob Bohm
state that the CA must do so if made aware that the "service agreement" allowing the issuance has been terminated.

Re: New SHA-1 certificates issued in 2016

2016-11-04 Thread Jakob Bohm
On 04/11/2016 11:21, Gervase Markham wrote: On 03/11/16 21:17, Jakob Bohm wrote: Note that the GlobalSign SHA-1 intermediaries chain only to their old SHA-1 root which is (I believe) not used for any SHA-256 certs, except a cross-cert that signs their current SHA-256 root. Nevertheless, it is

Re: Mozilla CT Policy

2016-11-04 Thread Jakob Bohm
logs be independent of the issuing CA (e.g. Symantec/Thawte can run a CT log, but it only counts for certificates from other CAs).

Re: Mozilla CT Policy

2016-11-04 Thread Jakob Bohm
On 04/11/2016 15:42, Hanno Böck wrote: On Fri, 4 Nov 2016 14:09:55 +0100 Jakob Bohm wrote: * How do we allow organization internal non-public CAs to not reveal their secret membership/server lists to public CT systems or otherwise run the (administratively and technically) expensive

Re: Implementing a SHA-1 ban via Mozilla policy

2016-11-08 Thread Jakob Bohm
He wasn't claiming that.

Re: Action on undisclosed intermediates

2016-11-08 Thread Jakob Bohm
tion time in UTC, not UK local time, e.g. 12:00 noon UTC. P.S. I am aware of the current zero-difference between UK local time and UTC, but this was not so just 10 days ago.

Re: Mozilla CT Policy

2016-11-08 Thread Jakob Bohm
backhanded tactics to subvert a log operator that is entirely outside its direct jurisdiction. History has taught us that such things do happen from time to time.

Re: Mozilla CT Policy

2016-11-08 Thread Jakob Bohm
On 08/11/2016 20:51, Ryan Sleevi wrote: On Tue, Nov 8, 2016 at 11:24 AM, Jakob Bohm wrote: Diversity requirements are about reducing the likelihood of simultaneous coercion, as it can never be ruled out that some powerful organization already engaged in such things could use some of its

Re: Action on undisclosed intermediates

2016-11-08 Thread Jakob Bohm
On 08/11/2016 20:37, Gervase Markham wrote: On 08/11/16 19:11, Jakob Bohm wrote: However because all the sources are from a single entity (the UK government), that entity could manipulate the results, thus falsifying the provable randomness of the process. I think you are bikeshedding the

Re: Can we require id-kp-serverAuth now?

2016-11-09 Thread Jakob Bohm
't check this either?

Re: Proposal to define applicability of BRs and expectations of CAs

2016-11-10 Thread Jakob Bohm
part of the transition away from SHA-1, those roots were usually cross signed by their already trusted SHA-1 roots). Perhaps a better text would be "1 and a half) The CA private key must not be used for any other CA or entity, but a CA may have more than one CA Certificate for that private

Re: Technically Constrained Sub-CAs

2016-11-14 Thread Jakob Bohm
e paths to easy TCSC creation. #3 would be in apparent violation of the BR applicability document you proposed in another thread. An alternative would be to pre-create resellable TCSC key pairs in advance during auditor visits, then throw away unsold ones at the next such ceremony.

Re: Technically Constrained Sub-CAs

2016-11-14 Thread Jakob Bohm
t accept 'but we have a lot of certs under TCSCs which will be affected by this' as a valid reason not to do something. In other words, if you hide stuff and it breaks, you get to keep both pieces. But in practice, such a line might not hold. Thoughts and suggestions? Gerv

Re: Technically Constrained Sub-CAs

2016-11-14 Thread Jakob Bohm
On 14/11/2016 18:59, Gervase Markham wrote: On 14/11/16 16:56, Jakob Bohm wrote: If this is the only privacy mechanism in 6962bis, I would suggest that everyone not employed by either Google or another mass-monitoring service block its adoption on human rights grounds and on the basis of being

Re: Technically Constrained Sub-CAs

2016-11-15 Thread Jakob Bohm
On 14/11/2016 21:37, Nick Lamb wrote: On Monday, 14 November 2016 16:57:20 UTC, Jakob Bohm wrote: If this is the only privacy mechanism in 6962bis, I would suggest that everyone not employed by either Google or another mass-monitoring service block its adoption on human rights grounds and on

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-11-15 Thread Jakob Bohm
But it's best for you to hire a professional translator. Since the CPS is very critical, I hope you understand what I said before. I don't want another WoSign incident to happen again. Note that he said most of these things already in his post dated Thu, 27 Oct 2016 03:21:53 -0700 (PDT)

Re: Technically Constrained Sub-CAs

2016-11-16 Thread Jakob Bohm
On 16/11/2016 02:13, Nick Lamb wrote: On Tuesday, 15 November 2016 09:35:17 UTC, Jakob Bohm wrote: The HTTPS-everywhere tendency, including the plans of some people to completely remove unencrypted HTTP from implementations, makes it necessary for non-public stuff connected to the Internet to

Re: Include Symantec-brand Class 1 and Class 2 Root Certs

2016-11-16 Thread Jakob Bohm

Re: Technically Constrained Sub-CAs

2016-11-17 Thread Jakob Bohm
On 17/11/2016 01:14, Matt Palmer wrote: On Wed, Nov 16, 2016 at 04:35:18PM +0100, Jakob Bohm wrote: Redacted CT records that tell the world that "there is this single certificate with this full TBS hash and these technical extensions issued to some name domain/e-mail under example.com, b

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-11-17 Thread Jakob Bohm
glish has not been posted yet, indicating that Mozilla will just have to put the inclusion request on hold until then.

Re: Technically Constrained Sub-CAs

2016-11-17 Thread Jakob Bohm
s, .gov, .mil and .edu, CN has .cn, .hk etc., DK has .dk, .gl and .fo, etc.) name constraints allowing that set of alternatives or a subset would be accepted.

Re: Technically Constrained Sub-CAs

2016-11-17 Thread Jakob Bohm
ual certificate validity and note that the organizations running TCSCs need to be aware that if they don't keep up to date with the policies that apply to the parent CA, certificates that don't follow those policies might stop working due to 3rd parties (such as Browser vendors) enforcing

Re: Let's Encrypt Blocklist Incident, November 21 2016

2016-11-24 Thread Jakob Bohm
y the Mozilla organization.

Re: Taiwan GRCA Root Renewal Request

2016-12-03 Thread Jakob Bohm
ith original" and "2016 with original" certificates) should point to different CRL and OCSP URLs that are signed with SHA-256, but still reports all the old revoked SHA-1 certs. P.S. Be careful when revoking the "original with 2012" certificate, when GlobalSign recentl

Re: Taiwan GRCA Root Renewal Request

2016-12-05 Thread Jakob Bohm
On 04/12/2016 06:00, capuchin...@gmail.com wrote: On Sunday, December 4, 2016 at 1:23:16 AM UTC+8, Jakob Bohm wrote: You have made a fundamental technical mistake. I do not understand why you said that we made a fundamental technical mistake? As I had participated in drafting RFC 5280, I am sure that our

Re: Policy 2.4 Proposal: Require open licensing of CPs and CPSes

2016-12-08 Thread Jakob Bohm
uments as their own, even though such other CA operators are encouraged to participate in the permitted activities, such as publicly talking about the practices of their competitor.

Re: Can we require id-kp-serverAuth now?

2016-12-09 Thread Jakob Bohm
, would be in scope, unless all such names were excluded by the name constraints. Not sure about whether you would want to include the URL type. Someone who knows the NSS code should also check which values the current NSS accepts for various scenarios/actual usages.

Re: Policy 2.4 Proposal: Require open licensing of CPs and CPSes

2016-12-09 Thread Jakob Bohm
On 09/12/2016 00:48, David E. Ross wrote: On 12/8/2016 1:41 PM, Jakob Bohm wrote [in part]: It is in particular noted that these things are a lot less than what any of the regular CC licenses permit. For example, Mozilla has no reason to require that other CA operators be permitted to reuse

Re: SHA256 for OCSP response issuer hashing

2016-12-15 Thread Jakob Bohm
LS, CA and OCSP-signing certificates, and the former have 3 month lifetime).

Re: SHA256 for OCSP response issuer hashing

2016-12-16 Thread Jakob Bohm
g a bit too close to the edge of what the spec allows. I don't think it should be much of a cost to pregenerate responses for both forms of CertID (SHA-256 and SHA-1) and send the response matching what the query asks for.

Re: SHA256 for OCSP response issuer hashing

2016-12-16 Thread Jakob Bohm
On 16/12/2016 12:22, Hanno Böck wrote: On Fri, 16 Dec 2016 02:51:47 +0100 Jakob Bohm wrote: [Snip: Discussion of potential odd client bug] ... I wonder if Let's Encrypt ever issued SHA-1 certificates, and if any of those are non-expired. Almost certainly not. Given 3 month lifeti

Re: Policy 2.4 Proposal: Require open licensing of CPs and CPSes

2016-12-20 Thread Jakob Bohm
ces exist. But it seems most objections have been ignored and the draconian rule instated.

Re: Firefox 50.1.0 still does not offer any secure SSL / TLS ciphers

2016-12-27 Thread Jakob Bohm
c EC functions, it doesn't list curves that won't work in that particular context.

Re: Incident Report – Certificates issued without proper domain validation

2017-01-11 Thread Jakob Bohm
domain (hostmas...@example.com). Google (for non-certificate purposes) used to verify a URL that just had to return a string that said "google-site-verification: URL" where URL was the file name part of the URL; this may or may not have been foolable. This was done per exact domain.

Re: GoDaddy verification issue history appears incomplete: possible regression of bug in 2010

2017-01-17 Thread Jakob Bohm
their issuance infrastructure, both testing that certificates are issued for domains they should be, and that they are not issued for domains that they should not be, under an adversarial threat model.

Re: Policy 2.4 Proposal: Define how quickly audit reports must be provided

2017-01-17 Thread Jakob Bohm
s no set of non-ETSI audit criteria for e-mail certificates as trusted by Mozilla Thunderbird.

Re: Policy 2.4 Proposal: Define how quickly audit reports must be provided

2017-01-17 Thread Jakob Bohm
d have no problem generating such hashes for the documents audited, and a future update of the Mozilla "CA community portal" might include a script that checks these hashes while archiving the CP/CPS documents.

Re: Policy 2.4 Proposal: Define how quickly audit reports must be provided

2017-01-17 Thread Jakob Bohm
On 18/01/2017 01:12, Nick Lamb wrote: On Tuesday, 17 January 2017 23:34:20 UTC, Jakob Bohm wrote: How about "_and versions and strong (>= 256 bits) hashes_", Frankly any _cryptographic_ hash should be adequate for this purpose. Even for the most creaky crypto hashes I can think

Re: Policy 2.4 Proposal: Define how quickly audit reports must be provided

2017-01-18 Thread Jakob Bohm
On 18/01/2017 16:20, Gervase Markham wrote: On 17/01/17 23:27, Jakob Bohm wrote: Notes on the text in that branched section (other than the actual change discussed here): This parenthesis indicates none of these are in scope for this particular issue, just something that might be their own

Re: Incident Report – Certificates issued without proper domain validation

2017-01-19 Thread Jakob Bohm
encyreport/https/ct/ Not at all relevant to this newsgroup. ...somebody has to lead by example and soon! Hopefully not you.

Re: Incident Report – Certificates issued without proper domain validation

2017-01-19 Thread Jakob Bohm
On 20/01/2017 00:35, Nick Lamb wrote: On Thursday, 19 January 2017 20:20:24 UTC, Jakob Bohm wrote: Google's CT initiative in its current form has serious privacy problems for genuine certificate holders. I applaud any well-run CA that stands up to this attack on the Internet at large

Re: Certificate validation phishing

2017-01-24 Thread Jakob Bohm
e victim domain admin, so there is a lot less to make the victim organization aware what is going on. Not sending e-mails to legitimate users is necessary because of the need to facilitate automation with the short certificate lifespans and other limitations of the Let's Encrypt system. E

Re: Question about Baseline Requirements section #7.1.4.2

2017-01-24 Thread Jakob Bohm
certificates expire. Those obvious examples make it important to explicitly consider and decide which of the EE requirements happen to be the same for CA certs, and not just blindly copy rules.

Re: Policy 2.4 Proposal: Require full CP/CPS in English

2017-01-24 Thread Jakob Bohm
ds for URLs for both the original language version and the English language version of each document. This is: https://github.com/mozilla/pkipolicy/issues/6 Tiny nit: What if the original language of the CP/CPS is English. Then there can't be a "translation" etc.

Re: Policy 2.4 Proposal: Require full CP/CPS in English

2017-01-25 Thread Jakob Bohm
On 25/01/2017 09:40, okaphone.elektron...@gmail.com wrote: On Wednesday, 25 January 2017 08:25:41 UTC+1, Jakob Bohm wrote: Tiny nit: What if the original language of the CP/CPS is English. Then there can't be a "translation" etc. Mmmm... indeed. It actually says "The En

Re: Policy 2.4 Proposal: Codify requirements relating to Common CA Database into the policy

2017-01-26 Thread Jakob Bohm
https://packages.debian.org/sid/ca-certificates

Re: Misissued/Suspicious Symantec Certificates

2017-01-26 Thread Jakob Bohm
ideline - these certificates each had "O=test". Our investigation is continuing.

Re: Misissued/Suspicious Symantec Certificates

2017-01-26 Thread Jakob Bohm
ificates which were still valid that had not previously been revoked within the 24 hour CA/B Forum guideline - these certificates each had "O=test". Our investigation is continuing.

Re: Policy 2.4 Proposal: Codify requirements relating to Common CA Database into the policy

2017-01-27 Thread Jakob Bohm
On 27/01/2017 10:06, Gervase Markham wrote: On 26/01/17 14:12, Jakob Bohm wrote: Given that Mozilla has been reducing the scope and generality of their root store over the past few years, I would suggest reaching out to those organizations that base their public root stores on the Mozilla store

Re: Appropriate role for lists of algorithms and key sizes

2017-01-27 Thread Jakob Bohm
"RSA PKCS#1 v1.5 with SHA-256"). This is typically done where there is no security downside to using the same certificate and public key with different hash algorithms, padding schemes etc.

Re: Appropriate role for lists of algorithms and key sizes

2017-01-30 Thread Jakob Bohm
On 28/01/2017 07:51, Peter Gutmann wrote: Jakob Bohm writes: DSA and ECDSA signatures are only secure if the hash algorithm is specified in the certificate, presumably as part of the AlgorithmIdentifier in the SubjectPublicKeyInfo. It's in the (badly-named) signature field of the cer

Re: Appropriate role for lists of algorithms and key sizes

2017-01-30 Thread Jakob Bohm
On 30/01/2017 14:24, Peter Gutmann wrote: Jakob Bohm writes: Surprised you didn't know that, considering who you are. Uhh, I did know that, that's why I checked it about 15-odd years ago to see if anything would notice if it was done wrong (I can't remember the exact date, it

Re: Useful Heuristics

2017-01-31 Thread Jakob Bohm
nd provinces of large countries such as Australia, Canada, China, and Russia. Thus confusing some form designers to presume those tables indicate that such listed items are actual states/provinces.

Re: Misissued/Suspicious Symantec Certificates

2017-01-31 Thread Jakob Bohm
bug.cgi?id=1334377. The direct attachment link is: https://bugzilla.mozilla.org/attachment.cgi?id=8831933. The bug report contains additional documentation supporting our response. Kind regards, Steven Medin PKI Policy Manager, Symantec Corporation

Re: Issuer field in the CRL should be byte-for-byte equivalent with that in cert

2017-02-02 Thread Jakob Bohm
t follow rule 2, the CA must publish a list of the exact IssuerDN encodings used in such certificates.

Re: Issuer field in the CRL should be byte-for-byte equivalent with that in cert

2017-02-02 Thread Jakob Bohm
On 03/02/2017 05:22, Ryan Sleevi wrote: On Thu, Feb 2, 2017 at 3:59 PM, Jakob Bohm wrote: On 02/02/2017 00:46, Kathleen Wilson wrote: All, I've added another Potentially Problematic Practice, as follows. https://wiki.mozilla.org/CA:Problematic_Practices#Issuer_Encoding_in_CRL The enc

Re: Issuer field in the CRL should be byte-for-byte equivalent with that in cert

2017-02-03 Thread Jakob Bohm
On 03/02/2017 14:30, Ryan Sleevi wrote: On Thu, Feb 2, 2017 at 9:37 PM Jakob Bohm wrote: On 03/02/2017 05:22, Ryan Sleevi wrote: On Thu, Feb 2, 2017 at 3:59 PM, Jakob Bohm wrote: On 02/02/2017 00:46, Kathleen Wilson wrote: All, I've added another Potentially Problematic Practic

Re: Policy 2.4 Proposal: Implement "proper" SHA-1 ban

2017-02-07 Thread Jakob Bohm
es previously withdrawn for this purpose are encouraged to report this fact to Mozilla by and to maintain valid entries in the CCADB for such roots, all for the benefit of organizations that maintain or service software that are or interoperate with such older software.

Re: Policy 2.4 Proposal: Implement "proper" SHA-1 ban

2017-02-07 Thread Jakob Bohm
On 07/02/2017 20:49, David E. Ross wrote: On 2/7/2017 11:15 AM, Jakob Bohm wrote: Root certificates previously withdrawn for this purpose are encouraged to report this fact to Mozilla by and to maintain valid entries in the CCADB for such roots, all for the benefit of organizations that

Re: Policy 2.4 Proposal: Implement "proper" SHA-1 ban

2017-02-08 Thread Jakob Bohm
On 08/02/2017 10:55, Gervase Markham wrote: On 07/02/17 19:15, Jakob Bohm wrote: Point 2 does not apply if the certificate is an OCSP signing certificate manually issued directly from a root. Should be point 1 (on OCSP signing certificate is an EE cert) Nope, I'm fairly sure I mean po

Re: SHA-1 collision

2017-02-23 Thread Jakob Bohm via dev-security-policy

Re: GlobalSign BR violation

2017-02-27 Thread Jakob Bohm via dev-security-policy
issued with the same processing bug and arrange to have any such certificates similarly fixed.

Re: Intermediates Supporting Many EE Certs

2017-03-01 Thread Jakob Bohm via dev-security-policy
d with an X, which your server shouldn't send) NiceCA-via-JoeRA-SSL-Regular-March-2017.cer (PEM format) X NiceCA-SHA256RSA-Root-2016.cer (PEM format) NiceCA-SHA256RSA-Root-2016-cross-by-UserFirst.cer (PEM format) X UserFirst-ancient-root.cer (PEM format) --- End example ---

Re: Incapsula via GlobalSign issued[ing] a certificate for non-existing domain (testslsslfeb20.me)

2017-03-02 Thread Jakob Bohm via dev-security-policy
verify [certificatefile]", which other CAs' revoked and unrevoked certificates are working fine with.

Re: Incapsula via GlobalSign issued[ing] a certificate for non-existing domain (testslsslfeb20.me)

2017-03-02 Thread Jakob Bohm via dev-security-policy
On 03/03/2017 06:44, Ryan Sleevi wrote: Hi Jakob, On Thu, Mar 2, 2017 at 9:14 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: I read his previous answer as saying that the system will in no case extend the validity of a validation beyond the durat

Re: Google Trust Services roots

2017-03-07 Thread Jakob Bohm via dev-security-policy
ificates remain valid, though no further such certificates were issued in this interim period. Similarly could Google and/or GTS issue a dedicated CP/CPS pair for the new roots during the brief period where Google (not GTS) had control of those new roots.

Re: Symantec: Next Steps

2017-03-07 Thread Jakob Bohm via dev-security-policy
number of similar RAs handle in-person verification steps for a small geographic area (such as schemes where each city hall handles checking photo ID of applicants as part of validation at better than EV level).

Re: Symantec: Next Steps

2017-03-07 Thread Jakob Bohm via dev-security-policy
On 08/03/2017 01:40, Ryan Sleevi wrote: On Tue, Mar 7, 2017 at 6:26 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On 07/03/2017 21:37, Ryan Sleevi wrote: To make it simpler, wouldn't be a Policy Proposal be to prohibit Delegated Third P

Re: Symantec: Next Steps

2017-03-07 Thread Jakob Bohm via dev-security-policy
On 08/03/2017 04:21, Ryan Sleevi wrote: On Tue, Mar 7, 2017 at 8:08 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: I contradicted you in saying that RAs (or DTP as you now want to call them) were not supposed to be banned by the policy change.

Re: Symantec: Next Steps

2017-03-07 Thread Jakob Bohm via dev-security-policy
On 08/03/2017 06:27, Ryan Sleevi wrote: On Tue, Mar 7, 2017 at 11:23 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: I saw nothing in Gerv's posting suggesting that banning all kinds of RA/DTP relationships was the intended effect. But would yo

Re: Symantec: Next Steps

2017-03-08 Thread Jakob Bohm via dev-security-policy
On 08/03/2017 14:18, Ryan Sleevi wrote: On Wed, Mar 8, 2017 at 1:36 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: I am simply going by the wording in Gerv's posting not stating what you stated. I presume that if Gerv wanted to completely eliminate t

Re: Google Trust Services roots

2017-03-08 Thread Jakob Bohm via dev-security-policy
't display CA names. At least in one Mozilla-based browser, the UI shows the name of the Intermediary as a tooltip, not of the root. So OK for this case.

Re: Google Trust Services roots

2017-03-09 Thread Jakob Bohm via dev-security-policy
during the transition and the discussed inapplicability of some wording in the old Google CP/CPS to the new situation.

Re: Google Trust Services roots

2017-03-09 Thread Jakob Bohm via dev-security-policy
es in root certificates not to match the current owner, those who are looking at certificate chains should not be relying on the value in the root certificate in the first place wrong in very significant situations. Ryan Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wise

Re: Next CA Communication

2017-03-21 Thread Jakob Bohm via dev-security-policy
nt-in-time audit. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones an

Re: Notice of Intent to Deprecate and Remove: Trust in Symantec-issued Certificates

2017-03-23 Thread Jakob Bohm via dev-security-policy
t their certificate. The computing world at large would be significantly inconvenienced if Symantec was forced to close down its CA business, in particular the parts of that business catering to other markets than general WebPki certificates. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S

Re: Notice of Intent to Deprecate and Remove: Trust in Symantec-issued Certificates

2017-03-23 Thread Jakob Bohm via dev-security-policy
On 23/03/2017 20:27, Ryan Sleevi wrote: On Thu, Mar 23, 2017 at 1:38 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On 23/03/2017 17:09, Ryan Sleevi wrote: (Posting in a Google Capacity) I just wanted to notify the members of this Forum that w

Re: Safely testing TLS in dev & test environments

2017-03-23 Thread Jakob Bohm via dev-security-policy
ch? Note that this requires a pretty significant mindset change in what it means to test applications/systems, most notably because of the use of reserved, test-only domains. But I'd be really interested in what others think. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https:/

Re: Safely testing TLS in dev & test environments

2017-03-23 Thread Jakob Bohm via dev-security-policy
On 24/03/2017 05:54, Walter Goulet wrote: On Thursday, March 23, 2017 at 8:13:38 PM UTC-5, Jakob Bohm wrote: On 23/03/2017 22:59, Walter Goulet wrote: Hi all, This is not directly related to Mozilla policy, CA issues or really any of the normal discussions that I typically see in the group

Re: Symantec: Next Steps

2017-03-24 Thread Jakob Bohm via dev-security-policy
A cannot outsource to a third party would in this case not be allowed to be "insourced" from the "CA operator" to the nominally responsible organization. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direc

Re: Symantec: Next Steps

2017-03-24 Thread Jakob Bohm via dev-security-policy
On 24/03/2017 17:12, Peter Bowen wrote: On Fri, Mar 24, 2017 at 9:06 AM, Ryan Sleevi via dev-security-policy wrote: (Wearing an individual hat) On Fri, Mar 24, 2017 at 10:35 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: One common scenario that

Re: Symantec: Next Steps

2017-03-24 Thread Jakob Bohm via dev-security-policy
On 24/03/2017 19:08, Ryan Sleevi wrote: On Fri, Mar 24, 2017 at 1:30 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: Examples discussed in the past year in this group include the Taiwan GRCA roots and several of the SubCAs hosted by Verizon prior

Re: Symantec: Next Steps

2017-03-24 Thread Jakob Bohm via dev-security-policy
On 24/03/2017 21:03, Jakob Bohm wrote: On 24/03/2017 19:08, Ryan Sleevi wrote: On Fri, Mar 24, 2017 at 1:30 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: Examples discussed in the past year in this group include the Taiwan GRCA roots and several

Re: Grace Period for Sub-CA Disclosure

2017-03-27 Thread Jakob Bohm via dev-security-policy
sions during the upcoming Christian Easter holiday (which is also frequently used for scheduled server downtime). Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is no

Re: Grace Period for Sub-CA Disclosure

2017-03-27 Thread Jakob Bohm via dev-security-policy
On 27/03/2017 23:41, Rob Stradling wrote: On 27/03/17 22:37, Jakob Bohm via dev-security-policy wrote: It should also be made a requirement that the issued SubCA certificate is provided to the CCADB and other root programs before providing it to the SubCA owner/operator, That'd be

Re: Grace Period for Sub-CA Disclosure

2017-03-27 Thread Jakob Bohm via dev-security-policy
mailto:dev-security-policy-bounces+ben=digicert@lists.mozilla.org] On Behalf Of Jakob Bohm via dev-security-policy Sent: Monday, March 27, 2017 3:58 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Grace Period for Sub-CA Disclosure On 27/03/2017 23:41, Rob Stradling wrote: On 27/0

Re: Grace Period for Sub-CA Disclosure

2017-03-28 Thread Jakob Bohm via dev-security-policy
recursion, but would not have given Mozilla sufficient assurance it is using this ability in a policy compliant manner. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-
