t; Cc: mozilla-dev-security-policy pol...@lists.mozilla.org>; Gervase Markham <g...@mozilla.org>
> Subject: [EXT] Re: Symantec Conclusions and Next Steps
>
> Continuing to look through the audits, I happened to notice a few other
> things that stood out, some more pressi
(I work for Mozilla, but this email doesn't necessarily reflect the views
of Mozilla).
Hi Steve,
I appreciate Symantec taking the time to put this together. There's a lot
to unpack here, so I wanted to zoom in on one portion of it.
When discussing the feedback you received from enterprise
On Friday, April 28, 2017 at 1:19:01 AM UTC-7, Richard Wang wrote:
> Hi Ryan,
>
>
>
> For your question “Do you believe that, during the discussions about how to
> respond to WoSign's issues, the scope of impact was underestimated?”, the
> answer is YES.
>
>
>
> After Oct 21 2016, WoSign
On Fri, Apr 28, 2017 at 4:16 AM, Richard Wang via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> This Google decision’s problem is some big websites used a domain that is not
> listed in Alexa 1M suffered disruption, for example, Qihoo 360’s search
> site and online gaming
benefit and negotiate an acceptable solution for
> any problem that happened.
>
> Thanks.
>
>
>
> Best Regards,
>
>
>
> Richard
>
>
>
> From: Ryan Sleevi [mailto:r...@sleevi.com]
> Sent: Thursday, April 27, 2017 8:38 PM
> To: Rich
If the Nets Norway intermediate is technically constrained only to
domains that Nets Norway own or control, I have no problem with leaving
it active.
Gerv
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
From: Ryan Sleevi [mailto:r...@sleevi.com]
Sent: Thursday, April 27, 2017 8:38 PM
To: Richard Wang <rich...@wosign.com>
Cc: Steve Medin <steve_me...@symantec.com>;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Symantec Conclusions and Next Steps
Hi Richard,
On
sts.mozilla.org>
Subject: Re: Symantec Conclusions and Next Steps
On Thu, Apr 27, 2017 at 3:52 PM, Jeremy Rowley via dev-security-policy
<dev-security-policy@lists.mozilla.org
<mailto:dev-security-policy@lists.mozilla.org> > wrote:
Your post made me realize that we never publicly p
cy
> [mailto:dev-security-policy-bounces+jeremy.rowley=
> digicert.com@lists.mozilla
> .org] On Behalf Of Rob Stradling via dev-security-policy
> Sent: Thursday, April 27, 2017 4:38 AM
> To: mozilla-dev-security-policy
> <mozilla-dev-security-pol...@lists.mozilla.org>
>
Stradling via dev-security-policy
Sent: Thursday, April 27, 2017 4:38 AM
To: mozilla-dev-security-policy
<mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: Symantec Conclusions and Next Steps
On 26/04/17 21:21, Rob Stradling via dev-security-policy wrote:
> (Note: A few of the non
Hi Richard,
On Thu, Apr 27, 2017 at 6:13 AM, Richard Wang via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> I like to share the experience we suffered from distrust, it is disastrous
> for CA and its customers to replace the certificate that exceed your
> imagination that
I don't know about others, but I am quite disappointed by Symantec's proposed
remediation plan. Intentional or not, this response seems to indicate they
don't really understand the potential consequences of many of their past
actions. Essentially, they promise to:
1) Have a third party audit
Barreira <in...@startcomca.com>; mozilla-dev-security-policy
<mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: Symantec Conclusions and Next Steps
On 27/04/17 11:56, Inigo Barreira wrote:
> Good to know that our new certs are there :-) Regarding StartCom,
> these are t
On 27/04/17 11:56, Inigo Barreira wrote:
Good to know that our new certs are there :-)
Regarding StartCom, these are the new certs we've generated and will be used
to apply for inclusion in the Mozilla root program. Nothing to disclose at
the moment I guess. We've not been audited yet nor
pol...@lists.mozilla.org>
Subject: Re: Symantec Conclusions and Next Steps
On 26/04/17 21:21, Rob Stradling via dev-security-policy wrote:
> (Note: A few of the non-Symantec entries currently listed by
> https://crt.sh/mozilla-disclosures#undisclosed are false positives, I
> think. It look
On 26/04/17 21:21, Rob Stradling via dev-security-policy wrote:
(Note: A few of the non-Symantec entries currently listed by
https://crt.sh/mozilla-disclosures#undisclosed are false positives, I
think. It looks like Kathleen has marked some roots as "Removed" on
CCADB ahead of the
...@lists.mozilla.org
Subject: RE: Symantec Conclusions and Next Steps
Feedback from our Enterprise Customers
In addition to our review of public commentary on these issues, we have also
sought input and feedback from Symantec customers on the compatibility and
interoperability impact
> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of
> Gervase Markham via dev-security-policy
> Sent: Friday, April 21, 2017 6:17 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject:
On 25/04/17 23:50, Ryan Sleevi via dev-security-policy wrote:
Continuing to look through the audits, I happened to notice a few other
things that stood out, some more pressing than others.
More pressing:
I can find no disclosure with Salesforce or crt.sh of at least two CAs that
are listed 'in
Continuing to look through the audits, I happened to notice a few other
things that stood out, some more pressing than others.
More pressing:
I can find no disclosure with Salesforce or crt.sh of at least two CAs that
are listed 'in scope' of the audit report, as part of
On Tue, Apr 25, 2017 at 12:14 AM, Ryan Sleevi wrote:
> Gerv,
>
> Is there any update on https://wiki.mozilla.org/
> CA:Symantec_Issues#STRUCK:_Issue_Y:_Unaudited_
> Unconstrained_Intermediates_.28December_2015_-_April_2017.29 ?
>
> I'm just wanting to understand how this relates
Gerv,
Is there any update on
https://wiki.mozilla.org/CA:Symantec_Issues#STRUCK:_Issue_Y:_Unaudited_Unconstrained_Intermediates_.28December_2015_-_April_2017.29
?
I'm just wanting to understand how this relates to Mozilla's PKI policy and
expectations, and better understand why you struck it.
-
On 2017-04-24 11:18, Gervase Markham wrote:
On 21/04/17 11:38, Kurt Roeckx wrote:
I'm still concerned that they don't seem to have an idea of what
software they're all (still) running, and they didn't reply to any
question about it.
I'm sorry, I don't follow. Can you expand?
I confused some
On 21/04/17 11:38, Kurt Roeckx wrote:
> I'm still concerned that they don't seem to have an idea of what
> software they're all (still) running, and they didn't reply to any
> question about it.
I'm sorry, I don't follow. Can you expand?
Gerv
On Fri, Apr 21, 2017 at 6:16 AM, Gervase Markham via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> I've updated the Issues list:
> https://wiki.mozilla.org/CA:Symantec_Issues
> with the latest information. 3 issues have been marked as STRUCK due to
> lack of evidence of
On Fri, Apr 21, 2017 at 11:16:56AM +0100, Gervase Markham via
dev-security-policy wrote:
> Minor:
> Issue B: Issuance of 1024-bit Certificate Expiring After Deadline
I'm still concerned that they don't seem to have an idea of what
software they're all (still) running, and they didn't reply to
26 matches