Re: [FORGED] Re: How Certificates are Verified by Firefox

On 2019-12-09 11:44, Ben Laurie wrote: On Wed, 4 Dec 2019 at 22:13, Ryan Sleevi wrote: Yes, I am one of the ones who actively disputes the notion that AIA considered harmful. I'm (plesantly) surprised that any CA would be opposed to AIA (i.e. supportive of "considered harmful", since it's

Re: [FORGED] Re: How Certificates are Verified by Firefox

t; -Tim >> >> > -Original Message- >> > From: dev-security-policy < >> dev-security-policy-boun...@lists.mozilla.org> >> On >> > Behalf Of Wayne Thayer via dev-security-policy >> > Sent: Monday, December 2, 2019 3:29 PM >> >

Re: [FORGED] Re: How Certificates are Verified by Firefox

On Mon, 2 Dec 2019 at 20:28, Wayne Thayer wrote: > Why not "AIA chasing considered harmful"? The current state of affairs is > that most browsers [other than Firefox] will go and fetch the intermediate > if it's not cached. This manifests itself as sites not working in Firefox, > and users

Re: [FORGED] Re: How Certificates are Verified by Firefox

On Sun, Dec 8, 2019 at 7:14 PM Eric Mill wrote: > On Thu, Dec 5, 2019 at 12:34 PM Ryan Sleevi via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> From looking at better security, the 'ideal' path is that modern clients >> are only trusting modern (new) roots, which

Re: [FORGED] Re: How Certificates are Verified by Firefox

On Thu, Dec 5, 2019 at 12:34 PM Ryan Sleevi via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > From looking at better security, the 'ideal' path is that modern clients > are only trusting modern (new) roots, which never issued old crappy certs. > That is, the path "D -> A

Re: [FORGED] Re: How Certificates are Verified by Firefox

On Thu, Dec 5, 2019 at 10:42 AM Nick Lamb wrote: > On Wed, 4 Dec 2019 17:12:50 -0500 > Ryan Sleevi via dev-security-policy > wrote: > > > Yes, I am one of the ones who actively disputes the notion that AIA > > considered harmful. > > As not infrequently happens I can't agree with Ryan here. AIA

Re: [FORGED] Re: How Certificates are Verified by Firefox

On Wed, 4 Dec 2019 17:12:50 -0500 Ryan Sleevi via dev-security-policy wrote: > Yes, I am one of the ones who actively disputes the notion that AIA > considered harmful. As not infrequently happens I can't agree with Ryan here. AIA chasing in browsers is a non-trivial privacy leak AND doesn't

Re: [FORGED] Re: How Certificates are Verified by Firefox

to be, even among TLS >> > experts. >> > >> > I'm very appreciative of Firefox's efforts in this area. Leveraging the >> > knowledge of all the publicly disclosed ICAs to improve chain-building >> is >> > an >> > idea whose time has come.

Re: How Certificates are Verified by Firefox

5, which shows that the >> reasoning >> > > behind it is not as widely understood as it needs to be, even among >> TLS >> > > experts. >> > > >> > > I'm very appreciative of Firefox's efforts in this area. Leveraging >> the >

Re: How Certificates are Verified by Firefox

dge of all the publicly disclosed ICAs to improve chain-building > is > > > an > > > idea whose time has come. > > > > > > -Tim > > > > > > > -Original Message- > > > > From: dev-security-policy < > > dev-security-

Re: [FORGED] Re: How Certificates are Verified by Firefox

; > > -Original Message- > > > From: dev-security-policy < > dev-security-policy-boun...@lists.mozilla.org > > > > > On > > > Behalf Of Wayne Thayer via dev-security-policy > > > Sent: Monday, December 2, 2019 3:29 PM > > >

Re: [FORGED] Re: How Certificates are Verified by Firefox

sage- > > From: dev-security-policy > > On > > Behalf Of Wayne Thayer via dev-security-policy > > Sent: Monday, December 2, 2019 3:29 PM > > To: Ben Laurie > > Cc: mozilla-dev-security-policy > ; > > Peter Gutmann > > Subject: Re: [FORGED] Re: How C

RE: [FORGED] Re: How Certificates are Verified by Firefox

Laurie > Cc: mozilla-dev-security-policy ; > Peter Gutmann > Subject: Re: [FORGED] Re: How Certificates are Verified by Firefox > > Why not "AIA chasing considered harmful"? The current state of affairs is that > most browsers [other than Firefox] will go and fetch

Re: [FORGED] Re: How Certificates are Verified by Firefox

Why not "AIA chasing considered harmful"? The current state of affairs is that most browsers [other than Firefox] will go and fetch the intermediate if it's not cached. This manifests itself as sites not working in Firefox, and users switching to other browsers. You may be further dismayed to

Re: [FORGED] Re: How Certificates are Verified by Firefox

On Thu, 28 Nov 2019 at 20:22, Peter Gutmann wrote: > Ben Laurie via dev-security-policy > writes: > > >In short: caching considered harmful. > > Or "cacheing considered necessary to make things work"? If you happen to visit a bazillion sites a day. > In particular: > > >caching them and

Re: [FORGED] Re: How Certificates are Verified by Firefox

Ben Laurie via dev-security-policy writes: >In short: caching considered harmful. Or "cacheing considered necessary to make things work"? In particular: >caching them and filling in missing ones means that failure to present >correct cert chains is common behaviour. Which came first? Was

Re: How Certificates are Verified by Firefox

One of the things that was quite annoying when developing CT was browser behaviour wrt intermediates - caching them and filling in missing ones means that failure to present correct cert chains is common behaviour. Which means that anything that _doesn't_ see a lot of certs has quite a low chance

How Certificates are Verified by Firefox

If you are one of the many people who have wondered how exactly Firefox handles some aspect of certificate processing, you may be interested to know that we have recently updated the information on our wiki: https://wiki.mozilla.org/SecurityEngineering/Certificate_Verification I hope you find