On Mon, Mar 23, 2020 at 2:43 PM Bruce via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Thursday, March 19, 2020 at 2:02:39 AM UTC-4, Matt Palmer wrote:
>
> > 1. *Are* there explicit prohibitions on issuing a certificate for a private
> > key which has been
On Thursday, March 19, 2020 at 2:02:39 AM UTC-4, Matt Palmer wrote:
> 1. *Are* there explicit prohibitions on issuing a certificate for a private
>key which has been previously submitted *to that CA* as compromised
>(assuming, of course, that the prior submission was valid), and I'm just
On Thu, Mar 19, 2020 at 9:58 AM Wojtek Porczyk
wrote:
> On Thu, Mar 19, 2020 at 05:30:31AM -0500, Ryan Sleevi via
> dev-security-policy wrote:
> > [...] but given that some negligent and
> > irresponsible CAs kept agitating to reduce revocation requirements rather than
> > protect users, the ballot was
On Thu, Mar 19, 2020 at 05:30:31AM -0500, Ryan Sleevi via dev-security-policy
wrote:
> [...] but given that some negligent and
> irresponsible CAs kept agitating to reduce revocation requirements rather than
> protect users, the ballot was kept simple.
> [...] I worry the same set of negligent and
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Is issuing a certificate for a previously-reported compromised
private key misissuance?
On Thu, Mar 19, 2020 at 05:30:31AM -0500, Ryan Sleevi wrote:
> On Thu, Mar 19, 2020 at 1:02 AM Matt Palmer via dev-security-policy <
> dev-securi
On Thu, Mar 19, 2020 at 05:30:31AM -0500, Ryan Sleevi wrote:
> On Thu, Mar 19, 2020 at 1:02 AM Matt Palmer via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
> > 2. If there are not explicit prohibitions already in place, *should* there
> >be? If so, should it be a BR
On Thu, Mar 19, 2020 at 1:02 AM Matt Palmer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Since I started requesting revocation for certificates with
> known-compromised private keys, I've noticed a rather disturbing pattern
> emerging in a few cases:
>
> 1. I find a
On 2020-03-19 07:02, Matt Palmer wrote:
2. If there are not explicit prohibitions already in place, *should* there
be? If so, should it be a BR thing, or a Policy thing?
I think there should be. I expect them to publish a CRL that says the
reason for revocation is a key compromise. I
Since I started requesting revocation for certificates with
known-compromised private keys, I've noticed a rather disturbing pattern
emerging in a few cases:
1. I find a private key on the Internet.
2. I request revocation from the CA on the basis that the private key is
compromised, and