On Monday, November 7, 2016 at 10:46:32 AM UTC+2, Rami Kogan wrote:
> Just came across the following Phishing site which is using a StartCom cert:
>
> serviices-intl[.]com
Did you contact them, if you did, what was their reply? It's better to contact
the CA first, and only if issues arouse then
Just came across the following Phishing site which is using a StartCom cert:
hXXps://serviices-intl.com/webapps/6fa9b/websrc
On 11/2/16, 6:32 PM, "dev-security-policy on behalf of Itzhak Daniel"
wrote:
>On Wednesday, November 2, 2016 at 5:22:30 PM UTC+2, Gervase Markham wrote:
>> Hi Dani
On Wednesday, November 2, 2016 at 5:22:30 PM UTC+2, Gervase Markham wrote:
> Hi Daniel,
>
> On 02/11/16 14:11, Itzhak Daniel wrote:
> As far as the DigiCert certs go, it is far too early to have an opinion
> on what Mozilla is or isn't doing.
I have to agree, the time span is too short (at least
Hi Daniel,
On 02/11/16 14:11, Itzhak Daniel wrote:
> Interesting that Comodo and DigiCert are getting a different
> treatment,
As far as the DigiCert certs go, it is far too early to have an opinion
on what Mozilla is or isn't doing. And let us remember, the WoSign
incident involved multiple ins
Hi dracenmarx,
On 02/11/16 12:44, dracenm...@googlemail.com wrote:
> (1) I did find any public answer from Apple, Google or Mozilla in
> regards to the Remediation plan by StartCom. I have the feeling, that
> the sanctions were applied without considering this document. (
> https://www.startssl.co
Interesting that Comodo and DigiCert are getting a different treatment, I
wonder if WoSign/StartCom had ignored Mozilla Security Community at some
degree, the same way Comodo and DigiCert are doing, would it saved them.
(I don't know if there are chatters in the back, maybe I missed something an
announced before it took place (See for example the posting by
Kathleen Wilson titled "Remediation Plan for WoSign and StartCom" on
2016-10-13), but for some dubious reason, they continued selling
certificates they knew would not work.
You, the browser vendors, are not punishi
I think that the steps against StartCom are too extreme and I would like to
tell my personal opinion. First of all, I want to say that I don't have any
benefits when I tell this opinion, since I personally already switched to a
different CA.
(1) I did find any public answer from Apple, Google o
On 24/10/16 06:55, Samuel Pinder wrote:
> There's some good questions there, actually. OEM SSL, does that mean
> another CA would be doing the validation and issuing using their own
> infrastructure and team, which you would be reselling via a
> constrained intermediate?
I suspect he means tha
On 22/10/16 20:41, Peter Bowen wrote:
> According to the wiki, Asseco Certum has cross-signed at least one of
> these roots. Is it expected that Certum will take any action, or do
> the above changes mean that Certum's cross-sign of WoSign will be
> considered to not exist for the purpose of Mozil
gt;
> From: Eric Mill [mailto:e...@konklone.com]
> Sent: Monday, October 24, 2016 12:05 PM
> To: Richard Wang
> Cc: Kathleen Wilson ;
> mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Remediation Plan for WoSign and StartCom
>
> Hi Richard,
>
> A few
: Monday, October 24, 2016 12:05 PM
To: Richard Wang
Cc: Kathleen Wilson ;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Remediation Plan for WoSign and StartCom
Hi Richard,
A few questions -
1) Your post says "There will be new SSL certificates issued by a new WoSign
intermedia
024.htm (in English)
>
>
>
> Best Regards,
>
> Richard
>
> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-bounces+richard=
> wosign@lists.mozilla.org] On Behalf Of Kathleen Wilson
> Sent: Friday, October 21, 2016 10:43 AM
> To: m
,
Richard
-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On
Behalf Of Kathleen Wilson
Sent: Friday, October 21, 2016 10:43 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Remediation Plan for WoSign and
Bonjour,
Le vendredi 21 octobre 2016 12:48:21 UTC+2, marc@gmail.com a écrit :
[...]
> Just the opinion of a user who is securing services, websites and his mails
> with certificates but is not capable of paying hundreds of Euros / Dollars
> for achieving this goal every year.
DV certificate
On Thu, Oct 20, 2016 at 1:57 PM, Kathleen Wilson wrote:
> 1) Distrust certificates with a notBefore date after October 21, 2016 which
> chain up to the following affected roots. If additional back-dating is
> discovered (by any means) to circumvent this control, then Mozilla will
> immediately
On Sat, 22 Oct 2016 16:26:51 +0200, Jakob Bohm wrote:
> Thus the need for those who obtaind OV code
> signing certificates from StartCom to start looking for alternatives,
> and my suggestion, as a public service, that someone here might chime
> in with the names of small/individual developer frie
On 22/10/2016 14:59, Ryan Sleevi wrote:
On Saturday, October 22, 2016 at 5:11:29 AM UTC-7, Jakob Bohm wrote:
Talking of codesigning, which root store does Chrome use to validate
signatures on the PPAPI plug ins it is currently forcing developers to
switch to?
I've mentioned to you repeatedly t
On Saturday, October 22, 2016 at 5:11:29 AM UTC-7, Jakob Bohm wrote:
> Talking of codesigning, which root store does Chrome use to validate
> signatures on the PPAPI plug ins it is currently forcing developers to
> switch to?
I've mentioned to you repeatedly that no one uses the code signing store
On 22/10/2016 00:57, Jernej Simončič wrote:
On Fri, 21 Oct 2016 10:03:46 -0700 (PDT), Han Yuwei wrote:
I am also a StartCom's SSL & S/MIME certificate user. The only problem for me
is that I must re-config nginx. S/MIME have a lot of alternatives for free. Code
Signing may only works on Windo
Following on from my previous posting, I have found that Startcom are
still issuing certificates past the 21st of October that should be
subject to blocking in an upcoming version of Firefox
https://bugzilla.mozilla.org/show_bug.cgi?id=1311832 . I have
therefore obtained such a certificate via my a
On Fri, 21 Oct 2016 10:03:46 -0700 (PDT), Han Yuwei wrote:
> I am also a StartCom's SSL & S/MIME certificate user. The only problem for me
> is that I must re-config nginx. S/MIME have a lot of alternatives for free.
> Code Signing may only works on Windows but Microsoft seems like don't care
>
Samuel,
I absolutely agree with what you're saying. That's why I suggested to Mozilla
that it mandates WoSign/StartCom to disclose such information on its websites
or otherwise inform their customers. Currently, new customers have no way to
know until it's too late, i.e when Firefox releases Fi
I have been reading into this discussion for quite some time since my
initial posting, and as a Startcom customer even I wholeheartedly
agree with the measures being taken. I think I am one of the lucky
ones, as I have got my set of certificates before the cut-off deadline
and intend to look after
Isn't that something you should take up with StartCom? Bottom line you payed
them for your certificate, didn't you. Not Mozilla. Perhaps StartCom should
have been a bit more careful so they could keep serving their customers.
CU Hans
___
dev-security-p
Am Freitag, 21. Oktober 2016 17:31:17 UTC+2 schrieb Nick Lamb:
> This is the "too big to fail" argument and I think we've addressed why that's
> not acceptable previously.
I've not said that the whole certificate system depends on StartCom. Sorry if I
had not expressed myself clearly. As someone
在 2016年10月21日星期五 UTC+8下午6:48:21,marc@gmail.com写道:
> Am Freitag, 21. Oktober 2016 03:59:08 UTC+2 schrieb Percy:
> > Kathleen,
> > As most users affected by this decision are Chinese, will you be able to
> > make the blog post available in Chinese on the security blog as well? You
> > can ask t
On Friday, 21 October 2016 11:48:21 UTC+1, marc@gmail.com wrote:
> Just the opinion of a user who is securing services, websites and his mails
> with certificates but is not capable of paying hundreds of Euros / Dollars
> for achieving this goal every year.
This is the "too big to fail" arg
Am Freitag, 21. Oktober 2016 03:59:08 UTC+2 schrieb Percy:
> Kathleen,
> As most users affected by this decision are Chinese, will you be able to make
> the blog post available in Chinese on the security blog as well? You can ask
> the Chinese firefox community or me to translate.
Hi,
only the
On Thursday, October 20, 2016 at 6:59:08 PM UTC-7, Percy wrote:
> Kathleen,
> As most users affected by this decision are Chinese, will you be able to make
> the blog post available in Chinese on the security blog as well? You can ask
> the Chinese firefox community or me to translate.
>
> As I
Kathleen,
As most users affected by this decision are Chinese, will you be able to make
the blog post available in Chinese on the security blog as well? You can ask
the Chinese firefox community or me to translate.
As I stated earlier, there are almost no news of the distrust of
WoSign/StartCo
All,
I have filed the following two bugs.
WoSign Action Items:
https://bugzilla.mozilla.org/show_bug.cgi?id=1311824
StartCom Action Items:
https://bugzilla.mozilla.org/show_bug.cgi?id=1311832
I will work on a security blog that will probably get posted early next week.
It will point to these
On 19/10/16 15:13, okaphone.elektron...@gmail.com wrote:
> Perhaps "haste" is not what you want here. How about "urgency"?
I was using it in the sense of the English phrase "more haste, less speed":
http://dictionary.cambridge.org/dictionary/english/more-haste-less-speed
But yes, urgency is fine.
On Wednesday, October 19, 2016 at 3:13:50 PM UTC-7, okaphone.e...@gmail.com
wrote:
> Perhaps "haste" is not what you want here. How about "urgency"?
>
Yep. Changed in the wiki page.
Thanks,
Kathleen
___
dev-security-policy mailing list
dev-security-p
Perhaps "haste" is not what you want here. How about "urgency"?
CU Hans
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
On Wednesday, October 19, 2016 at 11:50:55 AM UTC-7, Gervase Markham wrote:
>
> Today at the CAB Forum I outlined some of Mozilla's thinking on how we
> rate the severity of incidents. It might be helpful to reproduce that
> here. This is what I said:
>
Thanks, Gerv!
I added that text to the wi
On 19/10/16 11:35, longol...@gmail.com wrote:
> Hey Kathleen, hey list,
>
> I really don't get why Mozilla is pushing so hard on the Chinese and
> at the same time let others get away. For example the Comodo case
> from today. Isn't that a much worse incident than what has happened
> here.
Today
Hey Kathleen,
hey list,
I really don't get why Mozilla is pushing so hard on the Chinese and at the
same time let others get away.
For example the Comodo case from today. Isn't that a much worse incident than
what has happened here. People were able to issue certs for other people
domains.
When
On Oct 19, 2016 11:51 AM, "Ryan Hurst" wrote:
>
> > Because we're talking about a CA which used their private keys to get
> > around baseline requirements/prohibitions by backdating, I would not
> > be comfortable trusting them with operating a log where they could do
> > the same thing. The addit
> Because we're talking about a CA which used their private keys to get
> around baseline requirements/prohibitions by backdating, I would not
> be comfortable trusting them with operating a log where they could do
> the same thing. The addition of the Google log prevents this to some
> degree. So
On Wednesday, October 19, 2016 at 12:58:49 AM UTC-7, Kurt Roeckx wrote:
> I at least have some concerns about the current gossip draft and talked
> a little to dkg about this. I should probably bring this up on the trans
> list.
>
Please do, we would like to see this brought to closure soon and
On 19 October 2016 at 02:58, Kurt Roeckx wrote:
> On 2016-10-19 01:37, Rob Stradling wrote:
>>
>> On 18/10/16 23:49, Gervase Markham wrote:
>>>
>>> On 18/10/16 15:42, Ryan Hurst wrote:
I do not understand the desire to require StartCom / WoSign to not
utilize their own logs as part
On 2016-10-19 01:37, Rob Stradling wrote:
On 18/10/16 23:49, Gervase Markham wrote:
On 18/10/16 15:42, Ryan Hurst wrote:
I do not understand the desire to require StartCom / WoSign to not
utilize their own logs as part of the associated quorum policy.
My original logic was that it could be se
It is true, that without gossip, CT is dependent on browsers monitoring the log
ecosystem, this is one reason why in the Chrome policy the one Google log is
required.
I would argue, with the monitoring Google does and the one Google log policy
that this risk is mitigated sufficiently, even with
Kurt Roeckx wrote:
> Since the previous audit wasn't one that covered a whole year, I
> expect the new audit to start where the previous one stopped and
> have it a year from that point.
this might be more of a question for cabforum but why do audits have to be
non-overlapping?
i would think
On Tue, 18 Oct 2016 15:49:26 -0700
Gervase Markham wrote:
> On 18/10/16 15:42, Ryan Hurst wrote:
> > I do not understand the desire to require StartCom / WoSign to not
> > utilize their own logs as part of the associated quorum policy.
>
> My original logic was that it could be seen that the log
On 18/10/16 23:49, Gervase Markham wrote:
> On 18/10/16 15:42, Ryan Hurst wrote:
>> I do not understand the desire to require StartCom / WoSign to not
>> utilize their own logs as part of the associated quorum policy.
>
> My original logic was that it could be seen that the log owner is
> trustwor
On 18/10/16 16:04, Han Yuwei wrote:
> For the CT support, is there any plan to implement it into effect in
> Firefox? And if implemented, what would happen if server's
> certificate don't have enough SCTs?
The mechanism is being implemented. When it's closer to being
implemented, there will be a d
在 2016年10月19日星期三 UTC+8上午6:42:18,Ryan Hurst写道:
> All,
>
> I do not understand the desire to require StartCom / WoSign to not utilize
> their own logs as part of the associated quorum policy.
>
> Certificate Transparency's idempotency is for not dependent on the practices
> of the operator. By r
On 18/10/16 15:42, Ryan Hurst wrote:
> I do not understand the desire to require StartCom / WoSign to not
> utilize their own logs as part of the associated quorum policy.
My original logic was that it could be seen that the log owner is
trustworthy. However, you are right that CT does not require
On 18/10/16 14:33, Ryan Sleevi wrote:
> I think there's some confusion there. CNNIC's audits "expire" on Feb
> "29" 2017 (I say "29" because of ambiguity on "1 year"). That is,
> within 3 months of Feb "29", 2017, CNNIC would be expected to provide
> a new audit, which covers February 29, 2016 (the
All,
I do not understand the desire to require StartCom / WoSign to not utilize
their own logs as part of the associated quorum policy.
Certificate Transparency's idempotency is for not dependent on the practices of
the operator. By requiring the use of a third-party log (in this case Google's
On Tue, Oct 18, 2016 at 01:35:59PM -0700, Gervase Markham wrote:
> On 18/10/16 12:46, Kurt Roeckx wrote:
> > Are you saying you're expecting an audit report from November 2015
> > to November 2016, and so have the period from November to March
> > covered twice?
>
> There seems to be a persistent
On Tue, Oct 18, 2016 at 2:33 PM, Ryan Sleevi wrote:
>
> I think there's some confusion there. CNNIC's audits "expire" on Feb "29"
> 2017 (I say "29" because of ambiguity on "1 year"). That is, within 3 months
> of Feb "29", 2017, CNNIC would be expected to provide a new audit, which
> covers Fe
On Tuesday, October 18, 2016 at 1:36:37 PM UTC-7, Gervase Markham wrote:
> On 18/10/16 12:46, Kurt Roeckx wrote:
> > Are you saying you're expecting an audit report from November 2015
> > to November 2016, and so have the period from November to March
> > covered twice?
>
> There seems to be a per
On 18/10/16 12:46, Kurt Roeckx wrote:
> Are you saying you're expecting an audit report from November 2015
> to November 2016, and so have the period from November to March
> covered twice?
There seems to be a persistent misunderstanding here.
https://cert.webtrust.org/SealFile?seal=2092&file=pdf
On Tue, Oct 18, 2016 at 10:02:00AM -0700, Gervase Markham wrote:
> On 18/10/16 09:03, Kurt Roeckx wrote:
> > You said the period was until February 29, 2016. I assume the next
> > period starts on March 1, 2016 and is for 1 year. I don't expect it to
> > from from March to November, it would be an
On 18/10/16 06:02, Peter Bowen wrote:
> I think making it clear which entries in certdata.txt have additional
> constraints would be very helpful.
Here's a start:
https://wiki.mozilla.org/CA:Root_Store_Trust_Mods
I believe the ANSSI root has now been removed and so CNNIC is the only
one (leaving
Measure with a micrometer, mark with chalk and cut with an axe... it's the best
you can do.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Hi Peter,
On 18/10/16 06:02, Peter Bowen wrote:
> I think making it clear which entries in certdata.txt have additional
> constraints would be very helpful. Is it maybe possible to do so by
> adding new attributes to the NSS_TRUST object instead of simply
> putting it on a webpage? That way it i
On 18/10/16 09:03, Kurt Roeckx wrote:
> You said the period was until February 29, 2016. I assume the next
> period starts on March 1, 2016 and is for 1 year. I don't expect it to
> from from March to November, it would be an 8 month period.
Surely if audits last one year, one would be auditing th
On 2016-10-18 17:26, Gervase Markham wrote:
On 18/10/16 07:17, Kurt Roeckx wrote:
On 2016-10-18 14:51, Gervase Markham wrote:
The audit report CNNIC has submitted covers the period from November 2,
2015 to February 29, 2016. Therefore, we would expect them to be
starting the process of getting
在 2016年10月18日星期二 UTC+8下午10:38:07,Inigo Barreira写道:
> Hi all,
>
>
> I´ve been reading some emails that need clarification form both sides.
>
> Firstly I´d like to remind, if I´m not wrong, that Kathleen proposed an
> action plan for distrusting StartCom, which has been taken as the final
> deci
Hi Inigo,
On 18/10/16 07:34, Inigo Barreira wrote:
> So, regarding the situation of StartCom I think that some people has
> lost what happened and it´s considering Wosign and Startcom the same.
Kathleen may also respond, but my understanding is that (based on her
consideration of the arguments pu
On Tuesday, 18 October 2016 15:38:07 UTC+1, Inigo Barreira wrote:
> Let´s focus on the 3 issues for which StartCom has been proposed to a
> sanction (hopefully we can change that), and these are:
>
> 1.- Bad coding of a new solution called startencrypt, which basically
> was barely used and not
On 18/10/16 07:17, Kurt Roeckx wrote:
> On 2016-10-18 14:51, Gervase Markham wrote:
>>
>> The audit report CNNIC has submitted covers the period from November 2,
>> 2015 to February 29, 2016. Therefore, we would expect them to be
>> starting the process of getting another yearly audit in about 2 we
Hi all,
I´ve been reading some emails that need clarification form both sides.
Firstly I´d like to remind, if I´m not wrong, that Kathleen proposed an
action plan for distrusting StartCom, which has been taken as the final
decission, but with a small option to regain the trust for StartCom in
On 2016-10-18 14:51, Gervase Markham wrote:
The audit report CNNIC has submitted covers the period from November 2,
2015 to February 29, 2016. Therefore, we would expect them to be
starting the process of getting another yearly audit in about 2 weeks
anyway, although it won't be done until next
On Tue, Oct 18, 2016 at 5:51 AM, Gervase Markham wrote:
> On 17/10/16 16:26, Kathleen Wilson wrote:
>> ones who use NSS validation. I’m not sure what we can do about other
>> consumers of the NSS root store, other than publish what we are doing
>> and hope those folks read the news and update thei
On 18/10/16 01:00, Nick Lamb wrote:
> As I understand it QiHoo 360 says they intend to co-operate in order
> to eventually get the new StartCom CA trusted. If they are unwilling
> to communicate with existing subscribers of both existing CAs
> effectively, it seems to me this is evidence of bad fai
On 17/10/16 16:26, Kathleen Wilson wrote:
> ones who use NSS validation. I’m not sure what we can do about other
> consumers of the NSS root store, other than publish what we are doing
> and hope those folks read the news and update their version of their
> root store as they see appropriate for th
Hi Ryan,
Kathleen has responded, but here are my two cents:
On 14/10/16 13:21, Ryan Sleevi wrote:
> It seems to accomplish this, you're willing to continue to trust that
> WoSign will not demonstrate any of the past behaviours it already
> demonstrated - such as backdating and misissuance, but no
On Tuesday, 18 October 2016 00:27:09 UTC+1, Kathleen Wilson wrote:
> I’m not sure what I could reasonably require (and enforce) of the CA in
> regards to communicating with their customers.
As I understand it QiHoo 360 says they intend to co-operate in order to
eventually get the new StartCom
> I’m not sure what I could reasonably require (and enforce) of the CA in
> regards to communicating with their customers.
> I recall that my security blog about CNNIC got censored in China, so I'm not
> sure what Mozilla can do about informing the CA's customers of this pending
> change/imp
All,
Here’s a summary of your input, and my thoughts.
~~
What about NSS?
We discussed this in the NSS team call last week, and the general decision was
that the rules we put in place regarding these Affected Roots for Mozilla will
also be put in place inside NSS.
That doesn’t help all consumer
Oh, I read too quickly and saw it as a list of certificates whose
expiration dates were within each month. In retrospect, that was not the
most likely way the numbers would be distributed -- apologies for causing
confusion.
On Sat, Oct 15, 2016 at 6:20 PM, Kurt Roeckx wrote:
> On Sat, Oct 15, 20
On Sat, Oct 15, 2016 at 06:07:50PM -0400, Eric Mill wrote:
> For the convenience of the thread -- assuming that a 1-year-oriented policy
> covered the certs up to and including those listed as 2017-10-01, then
> summing up Kurt's numbers:
>
> * Certs expiring by Oct 2017: 2,088,329
> * Certs expir
For the convenience of the thread -- assuming that a 1-year-oriented policy
covered the certs up to and including those listed as 2017-10-01, then
summing up Kurt's numbers:
* Certs expiring by Oct 2017: 2,088,329
* Certs expiring after Oct 2017: 1,419,593
On Sat, Oct 15, 2016 at 4:28 AM, Kurt Ro
On Fri, Oct 14, 2016 at 11:23:55PM +0200, Hanno Böck wrote:
> On Fri, 14 Oct 2016 13:21:32 -0700 (PDT)
> Ryan Sleevi wrote:
>
> > In particular, I'm hoping to expand upon the choice to allow existing
> > certs to continue to be accepted and to not remove the affected roots
> > until 2019.
>
> Hi
Bonsoir,
Le vendredi 14 octobre 2016 22:21:44 UTC+2, Ryan Sleevi a écrit :
> On Thursday, October 13, 2016 at 9:50:02 AM UTC-7, Kathleen Wilson wrote:
> > 1) Distrust certificates chaining up to Affected Roots with a notBefore
> > date after October 21, 2016. If additional back-dating is discover
On Friday, October 14, 2016 at 2:24:37 PM UTC-7, Hanno Böck wrote:
> From my understanding the problem here is that the alternative of simply
> whitelisting the existing certificates isn't feasible, because there
> are too many of them.
Well, there's a spectrum, right? That's been discussed on the
On Fri, 14 Oct 2016 13:21:32 -0700 (PDT)
Ryan Sleevi wrote:
> In particular, I'm hoping to expand upon the choice to allow existing
> certs to continue to be accepted and to not remove the affected roots
> until 2019.
Hi,
From my understanding the problem here is that the alternative of simply
On Thursday, October 13, 2016 at 9:50:02 AM UTC-7, Kathleen Wilson wrote:
> 1) Distrust certificates chaining up to Affected Roots with a notBefore date
> after October 21, 2016. If additional back-dating is discovered (by any
> means) to circumvent this control, then Mozilla will immediately and
On Wednesday, October 12, 2016 at 8:12:29 PM UTC-7, Percy wrote:
> WoSign has so far announced nothing about those incidents or immediate
> distrust (Apple and Mozilla) to its end users. On the contrary, WoSign had a
> press release dated Oct 8th
> (https://www.wosign.com/news/netcraft-ssl-oct.h
On 14/10/16 15:46, Gervase Markham wrote:
> On 14/10/16 11:37, Rob Stradling wrote:
>> Sure, but aren't we talking about specifying criteria for which log(s)
>> StartCom/WoSign _can't_ use in future?
>>
>> If Mozilla would prefer to forbid StartCom/WoSign from using their own
>> or each other's log
On 14/10/16 15:46, Gervase Markham wrote:
> I think the rule we are putting in place is that: "StartCom/WoSign
> SHOULD NOT fulfil the non-Google log requirement by using logs that they
> run themselves. For as long as they do so, they will need to demonstrate
> ongoing evidence of efforts to get o
On 14/10/16 11:37, Rob Stradling wrote:
> Sure, but aren't we talking about specifying criteria for which log(s)
> StartCom/WoSign _can't_ use in future?
>
> If Mozilla would prefer to forbid StartCom/WoSign from using their own
> or each other's logs, then ISTM that it would be best to specify
>
99% uptime sounds good but it allows being down for three and half days in a
year. It's not actually a very high availabillity. ;-)
CU Hans
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev
On 14/10/16 10:50, Gervase Markham wrote:
> On 14/10/16 10:41, Rob Stradling wrote:
>> Gerv, does Mozilla need to make a final decision on this point immediately?
>>
>> I very much hope that there will be more CT logs by the time StartCom
>> and/or WoSign are readmitted into Mozilla's trust list.
On 13/10/16 23:42, Nick Lamb wrote:
> Please can Mozilla ensure that both EY Hong Kong and the overarching
> parent organisation in the United Kingdom (in Southwark) are informed
> of this ban and get a copy of Mozilla's findings if they haven't
> already ?
This is a good idea; I will try and figu
On 14/10/16 10:41, Rob Stradling wrote:
> Gerv, does Mozilla need to make a final decision on this point immediately?
>
> I very much hope that there will be more CT logs by the time StartCom
> and/or WoSign are readmitted into Mozilla's trust list. Why not delay
> making this decision until near
On 13/10/16 20:52, Gervase Markham wrote:
> StartCom/WoSign have indicated ro me that they may have trouble
> complying with the non-Google log requirement because it's hard to find
> a non-Google log which can scale sufficiently. I suggest we allow them
> some leeway on this but they need to demo
On 14/10/16 02:20, Matt Palmer wrote:
> Will there be any requirements around the qualification status of the logs,
> or could anyone who wanted to be "nice" just stand up a log, and have these
> CAs obtain precerts from them?
Log qualification is a Chrome concept - it means "suitable for being
tr
On 2016-10-14 10:19, Nick Lamb wrote:
On Friday, 14 October 2016 02:21:36 UTC+1, Matt Palmer wrote:
Will there be any requirements around the qualification status of the logs,
or could anyone who wanted to be "nice" just stand up a log, and have these
CAs obtain precerts from them?
I don't th
On 2016-10-14 03:20, Matt Palmer wrote:
On Thu, Oct 13, 2016 at 09:49:50AM -0700, Kathleen Wilson wrote:
5. 100% embedded CT for all issued certificates, with embedded SCTs from
at least one Google and one non-Google log not controlled by the CA.
Will there be any requirements around the quali
On Friday, 14 October 2016 02:21:36 UTC+1, Matt Palmer wrote:
> Will there be any requirements around the qualification status of the logs,
> or could anyone who wanted to be "nice" just stand up a log, and have these
> CAs obtain precerts from them?
I don't think Mozilla has declared any specifi
On Friday, October 14, 2016 at 9:47:24 AM UTC+11, Percy wrote:
> > Others have noted the mismatch here with an October 1 date elsewhere in
> > the document. I think we should pick a single date in the future, to
> > allow the CAs concerned to wind down operations without leaving
> > customers ha
On Thu, Oct 13, 2016 at 09:49:50AM -0700, Kathleen Wilson wrote:
> 5. 100% embedded CT for all issued certificates, with embedded SCTs from
> at least one Google and one non-Google log not controlled by the CA.
Will there be any requirements around the qualification status of the logs,
or could an
> Others have noted the mismatch here with an October 1 date elsewhere in
> the document. I think we should pick a single date in the future, to
> allow the CAs concerned to wind down operations without leaving
> customers having just obtained certs which will stop working in a few
> months. So
On Thursday, 13 October 2016 20:52:54 UTC+1, Gervase Markham wrote:
> To be clear, this is a permanent ban, applicable worldwide, but only to
> the Hong Kong branch of E&Y. (If further issues are found with E&Y
> audits elsewhere, then we might consider something with wider scope.)
Please can Moz
1 - 100 of 108 matches
Mail list logo
