Re: DigiCert Request to Include Renewed Roots

2014-03-06 Thread Kathleen Wilson
On 3/4/14, 2:51 PM, Kathleen Wilson wrote: On 1/28/14, 4:25 PM, Kathleen Wilson wrote: DigiCert has applied to include 5 new root certificates that will eventually replace the 3 DigiCert root certificates that were included in NSS via bug #364568. The request is to turn on all 3 trust bits and e

Re: DigiCert Request to Include Renewed Roots

2014-03-04 Thread Kathleen Wilson
On 1/28/14, 4:25 PM, Kathleen Wilson wrote: DigiCert has applied to include 5 new root certificates that will eventually replace the 3 DigiCert root certificates that were included in NSS via bug #364568. The request is to turn on all 3 trust bits and enable EV for all of the new root certs. 1)

Re: DigiCert Request to Include Renewed Roots

2014-02-20 Thread David E. Ross
On 2/20/2014 6:45 AM, Paul Tiemann wrote: > On Feb 19, 2014, at 11:03 AM, I previously wrote: >> >> Please post either to the mozilla.dev.security.policy newsgroup OR to >> the dev-security-policy@lists.mozilla.org mailing list, BUT NOT BOTH. >> Each feeds into the other. > > Did you get this mess

Re: DigiCert Request to Include Renewed Roots

2014-02-20 Thread Paul Tiemann
On Feb 19, 2014, at 11:03 AM, David E. Ross wrote: > On 2/18/2014 9:42 PM, Paul Tiemann wrote: >> (Sorry -- I must have posted this from a non-member email address so >> it didn't get onto the list earlier.) >> >> On Feb 17, 2014, at 4:49 AM, Erwann Abalea >> wrote: >> >>> There's some minor

Re: DigiCert Request to Include Renewed Roots

2014-02-19 Thread David E. Ross
On 2/18/2014 9:42 PM, Paul Tiemann wrote: > (Sorry -- I must have posted this from a non-member email address so > it didn't get onto the list earlier.) > > On Feb 17, 2014, at 4:49 AM, Erwann Abalea > wrote: > >> There's some minor points: - the CRLs include a revoked certificate >> with a rea

Re: DigiCert Request to Include Renewed Roots

2014-02-18 Thread Paul Tiemann
(Sorry -- I must have posted this from a non-member email address so it didn't get onto the list earlier.) On Feb 17, 2014, at 4:49 AM, Erwann Abalea wrote: > There's some minor points: > - the CRLs include a revoked certificate with a reason "unspecified", RFC5280 > states that it SHOULD be

Re: DigiCert Request to Include Renewed Roots

2014-02-18 Thread Paul Tiemann
On Feb 17, 2014, at 4:49 AM, Erwann Abalea wrote: > There's some minor points: > - the CRLs include a revoked certificate with a reason "unspecified", RFC5280 > states that it SHOULD be absent (instead of using this reason code); SHOULD > isn't a MUST > - the OCSP responders, when asked about t

Re: DigiCert Request to Include Renewed Roots

2014-02-17 Thread Erwann Abalea
On Monday, 17 February 2014 13:09:49 UTC+1, Rob Stradling wrote: > On 17/02/14 11:49, Erwann Abalea wrote: > > > - the ECC certificates have a keyUsage set to digitalSignature and > > keyAgreement; > > keyAgreement is correct wrt the public key (id-ecPublicKey covers both > > ECDSA and > > ECD

Re: DigiCert Request to Include Renewed Roots

2014-02-17 Thread Peter Gutmann
Rob Stradling writes: >RFC5820 4.2.1.12 seems to say it's _not_ entirely useless in TLS: > "id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 } > -- TLS WWW server authentication > -- Key usage bits that may be consistent: digitalSignature, > -- keyEncipherment _or keyAgreement_

Re: DigiCert Request to Include Renewed Roots

2014-02-17 Thread Rob Stradling
On 17/02/14 11:49, Erwann Abalea wrote: - the ECC certificates have a keyUsage set to digitalSignature and keyAgreement; keyAgreement is correct wrt the public key (id-ecPublicKey covers both ECDSA and ECDH keys), but is useless in TLS (not a security problem at all) RFC5820 4.2.1.12 seems

Re: DigiCert Request to Include Renewed Roots

2014-02-17 Thread Erwann Abalea
On Wednesday, 29 January 2014 01:25:28 UTC+1, Kathleen Wilson wrote: > DigiCert has applied to include 5 new root certificates that will > eventually replace the 3 DigiCert root certificates that were included > in NSS via bug #364568. The request is to turn on all 3 trust bits and > enable EV

RE: DigiCert Request to Include Renewed Roots

2014-01-29 Thread Jeremy Rowley
mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: DigiCert Request to Include Renewed Roots On 01/29/2014 08:50 PM, From Jeremy Rowley: > 1) These root certificates are used in many different systems, not > just Mozilla. If Mozilla doesn't embed all of them, the ones not

Re: DigiCert Request to Include Renewed Roots

2014-01-29 Thread Eddy Nigg
On 01/29/2014 08:50 PM, From Jeremy Rowley: 1) These root certificates are used in many different systems, not just Mozilla. If Mozilla doesn't embed all of them, the ones not embedded will essentially be untrusted. The roots proposed are simply replacements for our existing root certificates,

Re: DigiCert Request to Include Renewed Roots

2014-01-29 Thread Kathleen Wilson
On 1/29/14 11:22 AM, Ryan Sleevi wrote: On Wed, January 29, 2014 10:50 am, Jeremy Rowley wrote: 5) Having only one root with multiple sub CAs emphasizes the "Too Big To Fail" issue. At DigiCert, and in the spirit of the Microsoft root policy, we try to segregate the type of certificates i

RE: DigiCert Request to Include Renewed Roots

2014-01-29 Thread Ryan Sleevi
ering ECC certs, which offers better performance for everyone. > -Original Message- > From: dev-security-policy > [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla > .org] On Behalf Of Gervase Markham > Sent: Wednesday, January 29, 2014 4:31 AM

RE: DigiCert Request to Include Renewed Roots

2014-01-29 Thread Jeremy Rowley
1 AM To: Brian Smith; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: DigiCert Request to Include Renewed Roots On 29/01/14 05:08, Brian Smith wrote: >>> Benefits of my counter-proposal: >>> 1. Fewer roots for us to manage. Only for a very narrow definition of the w

Re: DigiCert Request to Include Renewed Roots

2014-01-29 Thread Gervase Markham
On 29/01/14 05:08, Brian Smith wrote: >>> Benefits of my counter-proposal: >>> 1. Fewer roots for us to manage. Only for a very narrow definition of the word "root". There's the same number of embedded trust anchor points. >>> 3. Because of #1, there is potential for us to design a simpler root >

Re: DigiCert Request to Include Renewed Roots

2014-01-28 Thread Brian Smith
On Tue, Jan 28, 2014 at 8:45 PM, David E. Ross wrote: > On 1/28/2014 4:37 PM, Brian Smith wrote: >> Benefits of my counter-proposal: >> 1. Fewer roots for us to manage. >> 2. Sites that forget to include their intermediates in their TLS cert >> chain are more likely to work in Firefox, without us

Re: DigiCert Request to Include Renewed Roots

2014-01-28 Thread David E. Ross
On 1/28/2014 4:37 PM, Brian Smith wrote: > On Tue, Jan 28, 2014 at 4:25 PM, Kathleen Wilson wrote: >> DigiCert has applied to include 5 new root certificates that will eventually >> replace the 3 DigiCert root certificates that were included in NSS via bug >> #364568. The request is to turn on al

Re: DigiCert Request to Include Renewed Roots

2014-01-28 Thread Brian Smith
On Tue, Jan 28, 2014 at 4:25 PM, Kathleen Wilson wrote: > DigiCert has applied to include 5 new root certificates that will eventually > replace the 3 DigiCert root certificates that were included in NSS via bug > #364568. The request is to turn on all 3 trust bits and enable EV for all of > the n

DigiCert Request to Include Renewed Roots

2014-01-28 Thread Kathleen Wilson
DigiCert has applied to include 5 new root certificates that will eventually replace the 3 DigiCert root certificates that were included in NSS via bug #364568. The request is to turn on all 3 trust bits and enable EV for all of the new root certs. 1) DigiCert Assured ID Root G2 -- This SHA-25