On Tuesday, October 2, 2018 at 7:02:32 AM UTC-7, Dimitris Zacharopoulos wrote:
> On 1/10/2018 8:15 PM, Ryan Sleevi via dev-security-policy wrote:
> > On Mon, Oct 1, 2018 at 9:21 AM Dimitris Zacharopoulos wrote:
> > [...]
> >> I am certainly not suggesting that CAs should put

On 2/10/2018 5:21 PM, Ryan Sleevi via dev-security-policy wrote:
On Tue, Oct 2, 2018 at 10:02 AM Dimitris Zacharopoulos wrote:
But this inaccurate data is not used in the validation process nor
included in the certificates. Perhaps I didn't describe my thoughts
accurately. Let me have

On Tue, Oct 2, 2018 at 10:02 AM Dimitris Zacharopoulos wrote:
> >> But this inaccurate data is not used in the validation process nor
> >> included in the certificates. Perhaps I didn't describe my thoughts
> >> accurately. Let me have another try using my previous example. Consider an

On 1/10/2018 8:15 PM, Ryan Sleevi via dev-security-policy wrote:
On Mon, Oct 1, 2018 at 9:21 AM Dimitris Zacharopoulos wrote:
[...]
I am certainly not suggesting that CAs should put inaccurate and
misleading information in certificates :-) I merely said that if the
Subscriber introduces

On Mon, Oct 1, 2018 at 9:21 AM Dimitris Zacharopoulos wrote:
> No, this was not about the domain name but about the information displayed
> to the Relying Party with the attributes included in the OV/EV Certificate
> (primarily the Organization). So, I'm still uncertain if Ian's "misleading

have to do only one or the other.
-Tim
From: Ryan Sleevi
Sent: Friday, September 28, 2018 6:35 PM
To: Tim Hollebeek
Cc: Dimitris Zacharopoulos ; Ian Carroll ;
mozilla-dev-security-policy ;
r...@sleevi.com
Subject: Re: Concerns with Dun & Bradstreet as a QIIS
Yes, we can

On 1/10/2018 1:06 PM, Ryan Sleevi via dev-security-policy wrote:
On Mon, Oct 1, 2018 at 2:55 AM Dimitris Zacharopoulos wrote:
Perhaps I am confusing different past discussions. If I recall correctly,
in previous discussions we described the case where an attacker tries to
get a certificate

On Mon, Oct 1, 2018 at 2:55 AM Dimitris Zacharopoulos wrote:
> Perhaps I am confusing different past discussions. If I recall correctly,
> in previous discussions we described the case where an attacker tries to
> get a certificate for a company "Example Inc." with domain "example.com".
> This

On 28/9/2018 9:59 PM, Ian Carroll via dev-security-policy wrote:
On Thursday, September 27, 2018 at 10:22:05 PM UTC-7, Dimitris Zacharopoulos wrote:
Forgive my ignorance, but could you please explain what was your
ultimate goal, as "an attacker", what were you hoping to gain and how
could you

On 28/9/2018 8:04 PM, Ryan Sleevi via dev-security-policy wrote:
On Fri, Sep 28, 2018 at 1:22 AM Dimitris Zacharopoulos via dev-security-policy wrote:
Forgive my ignorance, but could you please explain what was your
ultimate goal, as "an attacker", what were you hoping to gain and how
could

To: Dimitris Zacharopoulos
> > Cc: mozilla-dev-security-policy ;
> > Ian Carroll
> > Subject: Re: Concerns with Dun & Bradstreet as a QIIS
> >
> > On Fri, Sep 28, 2018 at 1:22 AM Dimitris Zacharopoulos via dev-security-policy wrote:

, 2018 10:04 AM
> To: Dimitris Zacharopoulos
> Cc: mozilla-dev-security-policy ;
> Ian Carroll
> Subject: Re: Concerns with Dun & Bradstreet as a QIIS
>
> On Fri, Sep 28, 2018 at 1:22 AM Dimitris Zacharopoulos via dev-security-policy wrote:

On Thursday, September 27, 2018 at 10:22:05 PM UTC-7, Dimitris Zacharopoulos wrote:
> Forgive my ignorance, but could you please explain what was your
> ultimate goal, as "an attacker", what were you hoping to gain and how
> could you use this against Relying Parties?
>
> I read your email

On Fri, Sep 28, 2018 at 1:22 AM Dimitris Zacharopoulos via dev-security-policy wrote:
> Forgive my ignorance, but could you please explain what was your
> ultimate goal, as "an attacker", what were you hoping to gain and how
> could you use this against Relying Parties?
>
> I read your email

Forgive my ignorance, but could you please explain what was your
ultimate goal, as "an attacker", what were you hoping to gain and how
could you use this against Relying Parties?
I read your email several times but I could not easily find a case where
your fake address creates any serious

-----Original Message-----
> > From: dev-security-policy On Behalf Of Ryan Sleevi via dev-security-policy
> > Sent: Thursday, September 27, 2018 4:18 PM
> > To: Matthew Hardeman
> > Cc: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.or

-policy ;
> Ian Carroll
> Subject: Re: Concerns with Dun & Bradstreet as a QIIS
>
> Yes, it would be work, but would result in consistent and reliable
> information, and already reflective of the fact that an EV certificate
> needs to identify the jurisdictio

Yes, it would be work, but would result in consistent and reliable
information, and already reflective of the fact that an EV certificate
needs to identify the jurisdictionOfIncorporation and its incorporating
documents. Or are we saying that OV doesn't need to make sure it's actually
a valid and

A whitelist of QGIS sounds fairly difficult. And how long would it take to
adopt a new one?
In some states you're going to have an authority per county. It'd be a big
list.
On Thu, Sep 27, 2018 at 5:35 PM, Ian Carroll via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

On Wednesday, September 26, 2018 at 6:12:22 PM UTC-7, Ryan Sleevi wrote:
> Thanks for raising this, Ian.
>
> The question and concern about QIIS is extremely reasonable. As discussed
> in past CA/Browser Forum activities, some CAs have extended the definition
> to treat Google Maps as a QIIS (it

> The question and concern about QIIS is extremely reasonable. As discussed in
> past CA/Browser Forum activities, some CAs have extended the definition to
> treat Google Maps as a QIIS (it is not), as well as third-party WHOIS services
> (they’re not; that’s using a DTP).
It's worth noting that

Thanks for raising this, Ian.
The question and concern about QIIS is extremely reasonable. As discussed
in past CA/Browser Forum activities, some CAs have extended the definition
to treat Google Maps as a QIIS (it is not), as well as third-party WHOIS
services (they’re not; that’s using a DTP).
There have been previous discussions about this very issue at CA/Browser
Forum Validation Working Group meetings (see also draft Ballot 225). I
think it is widely recognized that the rules around QIISs are far too weak
and in need of improvement.
I actually recently asked Kirk to add an item on