Re: Sanctions short of distrust

2016-09-08 Thread Rob Stradling
On 02/09/16 21:04, Patrick Figel wrote: > I believe there are two possible solutions if CT enforcement is what the > community decides on: > > 1. Enforce CT only after a certain date, after which WoSign will need > to embed qualified SCTs. This check can be bypassed if the CA

Re: Incidents involving the CA WoSign

2016-09-08 Thread Rob Stradling
On 07/09/16 17:02, Gervase Markham wrote: > On 07/09/16 13:52, Rob Stradling wrote: >> Hi Thijs. I agree that this pattern is interesting (and it'd be nice to >> see an explanation), but I'm not convinced that it proves everything you >> think it proves. > > Hi Rob, > > My digest of Thijs's

Re: (Optional) list of participants

2016-09-08 Thread Rob Stradling
On 08/09/16 14:13, Gervase Markham wrote: > On 07/09/16 00:17, Kirk Hall wrote: >> Great idea, Gerv. Question: How will we remember how/where to find the >> list? (I never remember.) > > Sorry, I don't have a good solution to that :-) I will try and remember > to post it occasionally, and

Re: Incidents involving the CA WoSign

2016-09-08 Thread Gervase Markham
On 08/09/16 11:39, Rob Stradling wrote: > Consider https://crt.sh/?id=30629293, for example. Are you really > suggesting that this was issued on 2nd September 2016 but backdated to > 20th December 2015? For simplicity, I've removed this section from Issue S. I think the evidence related there

Re: (Optional) list of participants

2016-09-08 Thread Gervase Markham
On 07/09/16 00:17, Kirk Hall wrote: > Great idea, Gerv. Question: How will we remember how/where to find the list? > (I never remember.) Sorry, I don't have a good solution to that :-) I will try and remember to post it occasionally, and whenever a big discussion starts. Others may wish to get

Re: (Optional) list of participants

2016-09-08 Thread Gervase Markham
On 08/09/16 14:21, Rob Stradling wrote: > Hi Gerv. mailman adds this footer to each message: Only on the mailing list version of each message. So I, for example, who read via NNTP, don't see them. Nevertheless, this is better than nothing, so I've emailed the list moderators to ask them to make

Re: Security concern on various domain validating methods

2016-09-08 Thread Stephen Schrauger
Regarding the specific file verification method: It proves you control the web server that runs under the domain. Which is more or less all that you need to prove, since a TLS certificate is designed for web security. If you don't control DNS, but you do control the web server, you

Re: Incidents involving the CA WoSign

2016-09-08 Thread Ming
On Wednesday, September 7, 2016 at 6:08:33 PM UTC+8, Richard Wang wrote: > Hi Gerv, Kathleen and Richard, > > This discussion has been going on for two weeks; I think it is time to end it, it > isn’t worth wasting everybody’s precious time. > I make my confession that our system and management do have some problems > which

Re: Incidents involving the CA WoSign

2016-09-08 Thread Vincent Lynch
On Wednesday, September 7, 2016 at 7:00:54 AM UTC-4, Gervase Markham wrote: > Hi Richard, > > On 07/09/16 11:06, Richard Wang wrote: > > This discussion has been going on for two weeks; I think it is time to end > > it, it isn’t worth wasting everybody’s precious time. > > Unfortunately, I think we

Re: Security concern on various domain validating methods

2016-09-08 Thread Ryan Sleevi
On Thursday, September 8, 2016 at 9:00:15 AM UTC-7, Stephen Schrauger wrote: > It proves you control the web server that runs under the domain. Which is > more or less all that you need to prove, since a TLS certificate is designed > for web security. > > If you don't control DNS, but you

Re: Compromised certificate that the owner didn't wish to revoke (signed by GeoTrust)

2016-09-08 Thread Jernej Simončič
On Wed, 7 Sep 2016 03:55:02 -0700 (PDT), Nick Lamb wrote: > If you DIY, the rate limits obviously aren't a problem, and lots of DIY > devices have Let's Encrypt issued certificates today. Home "routers" built > out of a Raspberry Pi or a Mini PC are fairly popular with hobbyists. So rate

Re: Second Discussion of LuxTrust Root Inclusion Request

2016-09-08 Thread Kathleen Wilson
On Thursday, August 4, 2016 at 10:51:58 AM UTC-7, Kathleen Wilson wrote: > > The CA has resolved the questions and concerns raised during the first > discussion, and has provided an updated root certificate with corresponding > updated documentation and audit statement. > > Please review this

Re: Incidents involving the CA WoSign

2016-09-08 Thread Richard Wang
Your top 10 or top 5 is not the same as my top 10 or top 5. BTW, Dangdang.com is using our certificate: https://www.ssllabs.com/ssltest/analyze.html?d=login.dangdang.com Some others are also using our certificate that you don't know about. Regards, Richard > On 8 Sep 2016, at 23:59, Ming

Re: Sanctions short of distrust

2016-09-08 Thread Ryan Sleevi
On Thursday, September 8, 2016 at 4:09:25 AM UTC-7, Rob Stradling wrote: > > 1. Enforce CT only after a certain date, after which WoSign will need > > to embed qualified SCTs. This check can be bypassed if the CA > > backdates certificates (which is problematic, given the history of

Re: Sanctions short of distrust

2016-09-08 Thread Matt Palmer
On Thu, Sep 08, 2016 at 09:44:04AM -0700, Ryan Sleevi wrote: > On Thursday, September 8, 2016 at 4:09:25 AM UTC-7, Rob Stradling wrote: > > > 1. Enforce CT only after a certain date, after which WoSign will need > > > to embed qualified SCTs. This check can be bypassed if the CA

Re: Amazon Root Inclusion Request

2016-09-08 Thread Kathleen Wilson
On Thursday, August 25, 2016 at 2:37:43 PM UTC-7, Kathleen Wilson wrote: > Does anyone else have questions, comments, or concerns about this request? > If not, then I will proceed with recommending approval. Thanks again to those of you who participated in this discussion about Amazon Trust

Re: Incidents involving the CA WoSign

2016-09-08 Thread Jakob Bohm
On 07/09/2016 16:01, Thijs Alkemade wrote: On 07 Sep 2016, at 14:52, Rob Stradling wrote: On 06/09/16 19:12, Thijs Alkemade wrote: Hello, We obtained 2 certificates from the StartEncrypt API which had SHA-1 signatures and which were backdated to December 20,

Re: sanctions short of distrust

2016-09-08 Thread John Nagle
It would be useful to try out some of these ideas in a Firefox add-on. But it seems that although Mozilla supports three add-on APIs (XPI, Jetpack, and a subset of Google Web Extensions), none of them allow reading the certificate of the current page. That's a lack. It prevents writing