Re: Incidents involving the CA WoSign

2016-10-05 Thread Man Ho (Certizen)
It is an interesting aspect that the Mozilla community has not discussed thoroughly, or at all. Cross-signing a third party intermediate cert is equivalent to sharing of trust, that any CA should only consider it with extreme care. Is it possible to know how many intermediate cert that is

Re: SHA-1 exception First Data

2016-10-05 Thread Dean Coclin
Nick, First Data's customers don't use browsers so Firefox can disable SHA-1 tomorrow and not affect them. Remember, many of these "customers" are small businesses or non-profits. I think about places like a private school or church that whip out the terminal when it's time for the festival or

Re: Deficiencies in the Web PKI and Mozilla's shepherding thereof, exposed by the WoSign affair

2016-10-05 Thread Tom Ritter
On 4 October 2016 at 06:12, Eric Rescorla wrote: > with the exception of the end-entity > certificate which MUST be first. After testing, this part seems to be the component that stops my idea. I could build paths to arbitrary roots with extra chains contained in the list... but

SHA-1 exception First Data

2016-10-05 Thread Nick Lamb
We had a thread about the TSYS application but not for First Data. Unlike with TSYS I don't see anything here that leaps out as problematic in the to-be-signed certificates but I do think the moral hazard problem is larger here than with TSYS and anyway bears revisiting. First Data say they

Re: WoSign and StartCom

2016-10-05 Thread Gervase Markham
On 05/10/16 05:18, Anand Kumria wrote: > I think that punishing the auditor here but geographically > constraining it is the wrong message to send. > > Why not simply distrust all audits carried out by Ernst & Young? As I understand it, global branded auditors are, in fact, made up of a number

Re: SHA-1 exception First Data

2016-10-05 Thread Michael Ströder
Dean Coclin wrote: > First Data's customers don't use browsers so Firefox can disable SHA-1 > tomorrow > and not affect them. So why have your CA certificate trusted in Firefox's cert DB? > First Data has asked for a reasonable extension which doesn't affect browsers. If it does not "affect

Re: SHA-1 exception First Data

2016-10-05 Thread Peter Bowen
On Wed, Oct 5, 2016 at 10:02 PM, Michael Ströder wrote: > Dean Coclin wrote: >> First Data's customers don't use browsers so Firefox can disable SHA-1 >> tomorrow >> and not affect them. > > So why have your CA certificate trusted in Firefox's cert DB? > >> First Data

Re: WoSign and StartCom

2016-10-05 Thread Anand Kumria
Hi, Thanks for the extensive document and information, it has been a thoroughly interesting read. On Tuesday, 27 September 2016 00:21:13 UTC+10, Gervase Markham wrote: > > Because this document is extensive and contains embedded images, links > and formatting, I have published it on Google

Re: Incidents involving the CA WoSign

2016-10-05 Thread Rob Stradling
On 05/10/16 14:09, Peter Gutmann wrote: > Rob Stradling writes: > >> Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates that >> we'd issued to WoSign: > > This allows us to examine the modern Internet variant of an old philosophical > question,

Re: Incidents involving the CA WoSign

2016-10-05 Thread Peter Gutmann
Rob Stradling writes: >Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates that >we'd issued to WoSign: This allows us to examine the modern Internet variant of an old philosophical question, "If a certificate is revoked in the web PKI and no one

Re: Incidents involving the CA WoSign

2016-10-05 Thread Peter Gutmann
Rob Stradling writes: >Easy. It doesn't make a sound. Unrevoked certificates don't make sounds >either. What I was really asking, in a tongue-in-cheek way, was whether there was any indication of how successfully the information could be propagated to browsers.

Re: Incidents involving the CA WoSign

2016-10-05 Thread okaphone . elektronika
> >Easy. It doesn't make a sound. Unrevoked certificates don't make sounds > >either. > > What I was really asking, in a tongue-in-cheek way, was whether there was any > indication of how successfully the information could be propagated to > browsers. Good question. Regardless of the answer,

Re: WoSign and StartCom

2016-10-05 Thread jultus
On Tuesday, September 27, 2016 at 7:31:30 AM UTC+2, Han Yuwei wrote: > On Monday, 26 September 2016 at 10:21:13 PM UTC+8, Gervase Markham wrote: > > Today, Mozilla is publishing an additional document containing further > > research into the back-dating of SHA-1 certificates, in violation of the > > CAB Forum Baseline

Re: WoSign and StartCom

2016-10-05 Thread Percy
"anyone issuing certificates for .cn, .hk or .mo domain *MUST* submit those certificate to the CT server set (with similar constraints as you require for WoSign/StartCom) " This means you're rather ill-informed about the Chinese Internet. Most Chinese sites still use .com domains. But this is

Re: Incidents involving the CA WoSign

2016-10-05 Thread Michael Ströder
Peter Gutmann wrote: > Rob Stradling writes: > >> Easy. It doesn't make a sound. Unrevoked certificates don't make sounds >> either. > > What I was really asking, in a tongue-in-cheek way, was whether there was any > indication of how successfully the information

Re: Incidents involving the CA WoSign

2016-10-05 Thread Kurt Roeckx
On Wed, Oct 05, 2016 at 01:30:37PM +, Peter Gutmann wrote: > Rob Stradling writes: > > >Easy. It doesn't make a sound. Unrevoked certificates don't make sounds > >either. > > What I was really asking, in a tongue-in-cheek way, was whether there was any >

OneCRL and Common CA Database (Salesforce)

2016-10-05 Thread Kathleen Wilson
On Wednesday, October 5, 2016 at 1:19:35 PM UTC-7, Kurt Roeckx wrote: > This is why browsers have something like OneCRL, so that they > actually do know about it and why Rob added that information > to the bug tracker > (https://bugzilla.mozilla.org/show_bug.cgi?id=906611#c2). We are working on