On Thu, Nov 12, 2020 at 7:27 PM Kathleen Wilson via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> I am very much in favor of increasing transparency about the
> qualifications of the auditors providing audit statements for CAs in our
> program. However, I think that we
I agree, from what I have seen online is that while Apple's OCSP responder was
indeed soft-fail, it didn't have any short-term timeout so requests were left
lingering. Due to it being soft-fail I've seen numerous posts detailing how to
block the OCSP responder address either via DNS or via the
On Thu, Nov 12, 2020 at 10:51 PM Nick Lamb via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Thu, 12 Nov 2020 15:51:55 -0500
> Ryan Sleevi via dev-security-policy
> wrote:
>
> > I would say the first goal is transparency, and I think that both
> > proposals try to
On Fri, Nov 13, 2020 at 2:55 AM Dimitris Zacharopoulos
wrote:
> There is transparency that the CA has evaluated some reporting
> mechanisms and these will be documented in the CPS. However, on an issue
> like compromised key reporting, there is no single recipe that covers
> all possible and
In as far as that part of Apple's CA hierarchy is publicly trusted and
participates in the Mozilla Root CA program and that there were apparent
performance issues with ocsp.apple.com yesterday, I'm writing to suggest that I
believe there may be cause to expect some transparency regarding recent
On 2020-11-13 7:17 μ.μ., Ryan Sleevi wrote:
On Fri, Nov 13, 2020 at 2:55 AM Dimitris Zacharopoulos
mailto:ji...@it.auth.gr>> wrote:
There is transparency that the CA has evaluated some reporting
mechanisms and these will be documented in the CPS. However, on an
issue
like
On Fri, Nov 13, 2020 at 6:11 PM Dimitris Zacharopoulos
wrote:
>
>
> On 2020-11-13 7:17 μ.μ., Ryan Sleevi wrote:
>
>
>
> On Fri, Nov 13, 2020 at 2:55 AM Dimitris Zacharopoulos
> wrote:
>
>> There is transparency that the CA has evaluated some reporting
>> mechanisms and these will be documented
On Fri, 13 Nov 2020 12:11:57 -0500
Ryan Sleevi via dev-security-policy
wrote:
> I want it to be explicit whether or not a CA is making a restrictive
> set or not. That is, it should be clear if a CA is saying "We will
> only accept these specific methods" or if the CA is saying "We will
> accept
Right, I can see by my failing to explicitly state you were
misunderstanding my position in both parts of your previous mail, you may
have believed you correctly understood it, and not picked up on all of my
reply.
To be very clear: "secret" document is not what you described, as a way for
a CA
Apple has filed a bug at https://bugzilla.mozilla.org/show_bug.cgi?id=1677234.
Please follow this for further updates.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy