I don't think there is anything important on example.com though
From: Eric Mill
Sent: Wednesday, May 31, 2017 4:34:20 PM
To: Jeremy Rowley
Cc: Kurt Roeckx; Yuhong Bao; mozilla-dev-security-pol...@lists.mozilla.org;
Matthew Hardeman
Subject: Re: Sta
curity-pol...@lists.mozilla.org
Subject: Re: StartCom issuing bogus certificates
On Wednesday, May 31, 2017 at 12:04:51 PM UTC-5, Yuhong Bao wrote:
> It would be better to use example.com and not test.com or anything like that,
> as that is defined by IANA as a reserved domain.
No, it is necessar
It would be better to use example.com and not test.com or anything like that,
as that is defined by IANA as a reserved domain.
From: dev-security-policy on behalf of Inigo Barreira via dev-security-policy
Sent: Wednesday, May 31, 2017 9:21:00 AM
To: pa
identical prefix, not chosen prefix. I was more interested in an SHA-1
collision ASIC.
From: dev-security-policy on behalf of Adrian R. via dev-security-policy
Sent: Thursday, February 23, 2017 8:26:10 AM
To: mozilla-dev-security-pol...@lists.mozilla.o
In this case, Nest's 404 page happens not to include the original URL in the
HTML so they are not affected, but you see what I mean now.
From: Ryan Sleevi
Sent: Wednesday, January 11, 2017 6:41:46 PM
To: Yuhong Bao
Cc: Richard Wang; Wayne Thayer
That is what the current certificate by Google Internet Authority says.
What I am referring to is that before Google bought Nest they used GoDaddy as
the CA.
From: Richard Wang
Sent: Wednesday, January 11, 2017 5:01:08 PM
To: Yuhong Bao; Wayne Thayer; dev
I wonder if nest.com is now considered high-risk. They recently switched
from GoDaddy to Google Internet Authority.
From: dev-security-policy on behalf of Wayne Thayer
Sent: Tuesday, January 10, 2017 7:02:28 PM
To: dev-security-policy@lists.mozilla.
AFAIK one of the reasons DHE was dropped was that 1024-bit DHE was common. Java
used to hardcode 768-bit DHE.
From: dev-security-policy on behalf of i...@binarus.de
Sent: Friday, December 23, 2016 4:41:48 PM
To: mozilla-dev-security-pol...@lists.mozilla
> I know of one blocker: Microsoft. Their TechNet article at aka.ms/sha1 says
> that CAs are allowed to use SHA-1 and SHA-2 for OCSP signing certs and OCSP
> responses, to allow continued support for XP SP1 and 2, and Server 2003.
> Using SHA-2 only for OCSP signing certs and OCSP responses will
> On Tue, 23 Feb 2016 18:57:41 +
> Gervase Markham wrote:
>
>> Please comment on whether this proposal seems reasonable, being aware
>> of the short timelines involved.
>
> I am opposed. There is no telling how many other organizations are in a
> similar situation due to poor planning or "over
> "Class 3 Public Primary Certification Authority - G2" is still trusted
> for serverAuthentication in Microsoft's root program.
Actually the same is true for the G1 one too (they just added the tr
rom: e...@konklone.com
> To: yuhongbao_...@hotmail.com
> CC: mozilla-dev-security-pol...@lists.mozilla.org; k...@roeckx.be
>
> The G2 root identified by Peter is 2048-bit.
>
> -- Eric
> On Dec 12, 2015 7:56 PM, "Yuhong Bao" wrote:
>
>> I think this and most o
I think this and most of the other 1024-bit roots were removed or restricted to
email in Mozilla some time ago (last remaining one is Equifax). They had been
considered obsolete for a long time.
> Date: Sun, 13 Dec 2015 00:41:45 +0100
> From: k...@roeckx.be
> To: mozilla-dev-security-pol...@lists.m
Mozilla is not dropping HMAC-SHA1 TLS ciphersuites. TLS 1.0 would not work
without them.
> Date: Fri, 6 Nov 2015 08:47:45 -0800
> Subject: SHA256/GCM DHE support when SHA1 support is dropped
> From: loths...@gmail.com
> To: mozilla-dev-security-pol...@list
What is also fun is that they released it two weeks before Oracle released its
own patch for paid Java 6/7 customers, before which the 768-bit DHE was
hardcoded.
> Subject: Re: Firefox security too strict (HSTS?)?
> From: k...@caspia.com
> Date: Wed, 23
>> On Sep 17, 2015, at 8:29 PM, AnilG wrote:
>>
>> On Friday, 18 September 2015 12:29:46 UTC+10, Peter Gutmann wrote:
>>> base. If you look at Mozilla's own figures at
>>> https://input.mozilla.org/en-US/, they have a 90% dissatisfaction rating
>>> from
>>
>> To make my point again, I can't acces
> On Friday, 18 September 2015 12:29:46 UTC+10, Peter Gutmann wrote:
>> base. If you look at Mozilla's own figures at
>> https://input.mozilla.org/en-US/, they have a 90% dissatisfaction rating from
>
> To make my point again, I can't access https://input.mozilla.org/en-US/ from
> Firefox, I have
de
> Signing), and the current and new CAs should inform Mozilla's CA
> Certificate Module Owner if one or more of the trust bits should be
> turned off. Of course, to turn a trust bit on requires the new CA to go
> through Mozilla's root change process -
> https://wiki.mozilla.o
18 matches