Re: On GitHub, Leaked Keys, and getting practical about revocation

2017-06-22 Thread Ryan Sleevi via dev-security-policy
On Thu, Jun 22, 2017 at 3:53 PM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On 22/06/2017 15:02, Ryan Sleevi wrote:
> > On Thu, Jun 22, 2017 at 1:59 PM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> >
> > (Snip

Re: On GitHub, Leaked Keys, and getting practical about revocation

2017-06-22 Thread Jakob Bohm via dev-security-policy
On 22/06/2017 15:02, Ryan Sleevi wrote: On Thu, Jun 22, 2017 at 1:59 PM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > (Snip long repeat of the same opinion) You seem to argue: - Because the recent research on efficient central CRL distribution was

Re: On GitHub, Leaked Keys, and getting practical about revocation

2017-06-22 Thread Ryan Sleevi via dev-security-policy
On Thu, Jun 22, 2017 at 1:59 PM Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Please note that Apache and NGINX are by far not the only TLS servers
> that will need working OCSP stapling code before must-staple can become
> default or the only method checked

Re: On GitHub, Leaked Keys, and getting practical about revocation

2017-06-22 Thread Jakob Bohm via dev-security-policy
On 21/06/2017 19:40, Matthew Hardeman wrote: Hi all, I'm sure questions of certificates leaked to the public via GitHub and other file sharing / code sharing / deployment repository hosting and sharing sites have come up before, but last night I spent a couple of hours constructing various

Re: On GitHub, Leaked Keys, and getting practical about revocation

2017-06-21 Thread Hanno Böck via dev-security-policy
On Wed, 21 Jun 2017 10:40:01 -0700 (PDT) Matthew Hardeman via dev-security-policy wrote:
> Through a little Google digging, I find numerous comments and
> references from well informed parties going back quite several years
> lamenting the poor state of

On GitHub, Leaked Keys, and getting practical about revocation

2017-06-21 Thread Matthew Hardeman via dev-security-policy
Hi all, I'm sure questions of certificates leaked to the public via GitHub and other file sharing / code sharing / deployment repository hosting and sharing sites have come up before, but last night I spent a couple of hours constructing various search criteria which I don't think were even