t; Cc: mozilla-dev-security-policy pol...@lists.mozilla.org>; Gervase Markham <g...@mozilla.org>
> Subject: [EXT] Re: Symantec Conclusions and Next Steps
>
> Continuing to look through the audits, I happened to notice a few other
> things that stood out, some more pressi
ec@lists.mozilla.org] On Behalf Of
> > Gervase Markham via dev-security-policy
> > Sent: Friday, April 21, 2017 6:17 AM
> > To: mozilla-dev-security-pol...@lists.mozilla.org
> > Subject: Symantec Conclusions and Next Steps
> >
> [snip]
> >
> > Symantec hav
On Friday, April 28, 2017 at 1:19:01 AM UTC-7, Richard Wang wrote:
> Hi Ryan,
>
>
>
> For your question “Do you believe that, during the discussions about how to
> respond to WoSign's issues, the scope of impact was underestimated?”, the
> answer is YES.
>
>
>
> After Oct 21 2016, WoSign
On Fri, Apr 28, 2017 at 4:16 AM, Richard Wang via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> This Google decision’s problem is some big websites used a domain that is not
> listed in Alexa 1M suffered disruption, for example, Qihoo 360’s search
> site and online gaming
benefit and negotiate an acceptable solution for
> any problem that happened.
>
> Thanks.
>
>
>
> Best Regards,
>
>
>
> Richard
>
>
>
> From: Ryan Sleevi [mailto:r...@sleevi.com]
> Sent: Thursday, April 27, 2017 8:38 PM
> To: Rich
If the Nets Norway intermediate is technically constrained only to
domains that Nets Norway own or control, I have no problem with leaving
it active.
Gerv
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
From: Ryan Sleevi [mailto:r...@sleevi.com]
Sent: Thursday, April 27, 2017 8:38 PM
To: Richard Wang <rich...@wosign.com>
Cc: Steve Medin <steve_me...@symantec.com>;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Symantec Conclusions and Next Steps
Hi Richard,
On
sts.mozilla.org>
Subject: Re: Symantec Conclusions and Next Steps
On Thu, Apr 27, 2017 at 3:52 PM, Jeremy Rowley via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:
Your post made me realize that we never publicly p
cy
> [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org]
> On Behalf Of Rob Stradling via dev-security-policy
> Sent: Thursday, April 27, 2017 4:38 AM
> To: mozilla-dev-security-policy
> <mozilla-dev-security-pol...@lists.mozilla.org>
>
Stradling via dev-security-policy
Sent: Thursday, April 27, 2017 4:38 AM
To: mozilla-dev-security-policy
<mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: Symantec Conclusions and Next Steps
On 26/04/17 21:21, Rob Stradling via dev-security-policy wrote:
> (Note: A few of the non
Hi Richard,
On Thu, Apr 27, 2017 at 6:13 AM, Richard Wang via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> I like to share the experience we suffered from distrust, it is disastrous
> for CA and its customers to replace the certificate that exceed your
> imagination that
I don't know about others, but I am quite disappointed by Symantec's proposed
remediation plan. Intentional or not, this response seems to indicate they
don't really understand the potential consequences of many of their past
actions. Essentially, they promise to:
1) Have a third party audit
Barreira <in...@startcomca.com>; mozilla-dev-security-policy
<mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: Symantec Conclusions and Next Steps
On 27/04/17 11:56, Inigo Barreira wrote:
> Good to know that our new certs are there :-) Regarding StartCom,
> these are t
On 27/04/17 11:56, Inigo Barreira wrote:
Good to know that our new certs are there :-)
Regarding StartCom, these are the new certs we've generated and will be used
to apply for inclusion in the Mozilla root program. Nothing to disclose at
the moment I guess. We've not been audited yet nor
pol...@lists.mozilla.org>
Subject: Re: Symantec Conclusions and Next Steps
On 26/04/17 21:21, Rob Stradling via dev-security-policy wrote:
> (Note: A few of the non-Symantec entries currently listed by
> https://crt.sh/mozilla-disclosures#undisclosed are false positives, I
> think. It look
On 26/04/17 21:21, Rob Stradling via dev-security-policy wrote:
(Note: A few of the non-Symantec entries currently listed by
https://crt.sh/mozilla-disclosures#undisclosed are false positives, I
think. It looks like Kathleen has marked some roots as "Removed" on
CCADB ahead of the
...@lists.mozilla.org
Subject: RE: Symantec Conclusions and Next Steps
Feedback from our Enterprise Customers
In addition to our review of public commentary on these issues, we have also
sought input and feedback from Symantec customers on the compatibility and
interoperability impact
illa.org
> Subject: Symantec Conclusions and Next Steps
>
[snip]
>
> Symantec have also written to Mozilla to say the following:
>
> "We have been working hard on a thorough and thoughtful proposal that
> responds to community questions and concerns regarding our comp
On 25/04/17 23:50, Ryan Sleevi via dev-security-policy wrote:
Continuing to look through the audits, I happened to notice a few other
things that stood out, some more pressing than others.
More pressing:
I can find no disclosure with Salesforce or crt.sh of at least two CAs that
are listed 'in
Continuing to look through the audits, I happened to notice a few other
things that stood out, some more pressing than others.
More pressing:
I can find no disclosure with Salesforce or crt.sh of at least two CAs that
are listed 'in scope' of the audit report, as part of
On Tue, Apr 25, 2017 at 12:14 AM, Ryan Sleevi wrote:
> Gerv,
>
> Is there any update on
> https://wiki.mozilla.org/CA:Symantec_Issues#STRUCK:_Issue_Y:_Unaudited_Unconstrained_Intermediates_.28December_2015_-_April_2017.29 ?
>
> I'm just wanting to understand how this relates
Gerv,
Is there any update on
https://wiki.mozilla.org/CA:Symantec_Issues#STRUCK:_Issue_Y:_Unaudited_Unconstrained_Intermediates_.28December_2015_-_April_2017.29
?
I'm just wanting to understand how this relates to Mozilla's PKI policy and
expectations, and better understand why you struck it.
-
On 2017-04-24 11:18, Gervase Markham wrote:
> On 21/04/17 11:38, Kurt Roeckx wrote:
> > I'm still concerned that they don't seem to have an idea of what
> > software they're all (still) running, and they didn't reply to any
> > question about it.
> I'm sorry, I don't follow. Can you expand?
I confused some
On 21/04/17 11:38, Kurt Roeckx wrote:
> I'm still concerned that they don't seem to have an idea of what
> software they're all (still) running, and they didn't reply to any
> question about it.
I'm sorry, I don't follow. Can you expand?
Gerv
___
On Fri, Apr 21, 2017 at 6:16 AM, Gervase Markham via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> I've updated the Issues list:
> https://wiki.mozilla.org/CA:Symantec_Issues
> with the latest information. 3 issues have been marked as STRUCK due to
> lack of evidence of
On Fri, Apr 21, 2017 at 11:16:56AM +0100, Gervase Markham via
dev-security-policy wrote:
> Minor:
> Issue B: Issuance of 1024-bit Certificate Expiring After Deadline
I'm still concerned that they don't seem to have an idea of what
software they're all (still) running, and they didn't reply to
The deadline for Symantec to submit comments passed yesterday; they
chose to issue a large PDF[0] of responses just before the deadline,
leaving no time for further discussion and clarification. That's their
right, of course, but it may leave some places where we have to make
assumptions.
I've