On Sun, May 25, 2014 at 12:17:11PM +0200, Florian Weimer wrote:
* Kathleen Wilson:
Unless it is technically constrained as described in section 9 of the
policy.
Unfortunately, a conforming implementation of PKIX validation makes
name constraints useless as a security feature (see bug
On Sun, May 25, 2014 at 12:49:59PM +0200, Florian Weimer wrote:
* Kurt Roeckx:
On Sun, May 25, 2014 at 12:17:11PM +0200, Florian Weimer wrote:
* Kathleen Wilson:
Unless it is technically constrained as described in section 9 of the
policy.
Unfortunately, a conforming
On 5/22/14, 9:38 AM, Kurt Roeckx wrote:
On Thu, May 22, 2014 at 08:50:02AM -0700, Kathleen Wilson wrote:
But really, since the websites and code signing trust bits are not enabled,
the hierarchy is already essentially constrained -- NSS would give an
exception for path validation of an SSL or
On 5/21/14, 5:02 PM, Kathleen Wilson wrote:
On 5/21/14, 2:54 PM, Ryan Sleevi wrote:
On Wed, May 21, 2014 12:12 pm, Kathleen Wilson wrote:
On 5/20/14, 9:53 AM, Rick Andrews wrote:
Ryan, they're not, but the root is not trusted for SSL (via meta-data).
AFAIK, Firefox won't trust any SSL cert
On Thu, May 22, 2014 at 10:48:56AM -0700, Ryan Sleevi wrote:
On Thu, May 22, 2014 10:44 am, Kathleen Wilson wrote:
On 5/22/14, 9:38 AM, Kurt Roeckx wrote:
As far as
I know there is also no standard format to indicate those trust
bits together with the certificate. This currently
On Thursday, May 22, 2014 11:22:17 AM UTC-7, Kathleen Wilson wrote:
On 5/21/14, 5:02 PM, Kathleen Wilson wrote:
On 5/21/14, 2:54 PM, Ryan Sleevi wrote:
On Wed, May 21, 2014 12:12 pm, Kathleen Wilson wrote:
On 5/20/14, 9:53 AM, Rick Andrews wrote:
Ryan, they're not, but the root
Hi Rick,
Please see item #3 of
https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Frequently_Asked_Questions
--
3. How do I technically constrain a subordinate CA certificate that will
only be used to issue end-user certificates intended for client
authentication?
For the subCA certificate to
On 5/21/14, 2:54 PM, Ryan Sleevi wrote:
On Wed, May 21, 2014 12:12 pm, Kathleen Wilson wrote:
On 5/20/14, 9:53 AM, Rick Andrews wrote:
Ryan, they're not, but the root is not trusted for SSL (via meta-data).
AFAIK, Firefox won't trust any SSL cert chaining to it. Will Chrome?
-Rick
On 5/19/14, 9:40 AM, Rick Andrews wrote:
Kathleen, that means we'll be disclosing a number of intermediates
used to sign certificates that are not used for SSL, Code Signing or
Mail (the three trust bits that Firefox lets me view/edit). For
example, we issue a lot of client auth certs from
On 5/20/14, 11:08 AM, Kathleen Wilson wrote:
On 5/19/14, 9:40 AM, Rick Andrews wrote:
Kathleen, that means we'll be disclosing a number of intermediates
used to sign certificates that are not used for SSL, Code Signing or
Mail (the three trust bits that Firefox lets me view/edit). For
Kathleen, that means we'll be disclosing a number of intermediates used to sign
certificates that are not used for SSL, Code Signing or Mail (the three trust
bits that Firefox lets me view/edit). For example, we issue a lot of client
auth certs from our public roots.
Based on your previous
All,
In response to the CA Communication, I have received the following question.
Question: Please clarify Action #5: Do you expect public disclosure of
all subordinate CA certificates, or just those issued to third parties?
Answer:
@lists.mozilla.org] On Behalf Of Kurt Roeckx
Sent: Wednesday, May 14, 2014 2:37 PM
To: Kathleen Wilson
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Question about disclosing subCA certs
On Wed, May 14, 2014 at 01:08:12PM -0700, Kathleen Wilson wrote:
All,
In response to the CA
On Wed, May 14, 2014 at 02:40:12PM -0600, Jeremy Rowley wrote:
She's clarified in the discussion thread that it is all SubCAs chained to
the CA's root certificate that must be disclosed, regardless of who
controls the private key.
Right, reading the text again it looks like any certificate