Re: SSL Certs for Malicious Websites

2016-05-20 Thread Peter Bowen
[ Disclaimer: This message is my personal view and does not necessarily represent that of my employer. ] On Fri, May 20, 2016 at 5:41 PM, wrote: > Peter -- the reference to BR 9.6.8(8) is interesting, but is not really > relevant to discussion of the requirements of BR

Re: Disclosure of intermediates that chain to multiple roots

2016-05-20 Thread Kathleen Wilson
On Friday, May 20, 2016 at 2:39:20 AM UTC-7, Rob Stradling wrote: > On 19/05/16 21:48, Kathleen Wilson wrote: > > On Monday, May 16, 2016 at 1:33:40 PM UTC-7, Rob Stradling wrote: > >> However, ISTM that a "proposed change currently in discussion" is less > >> authoritative than the CA

Re: Japan GPKI Root Renewal Request

2016-05-20 Thread Kathleen Wilson
Does anyone have questions, concerns, or feedback on this request from the Government of Japan, Ministry of Internal Affairs and Communications, to include the GPKI 'ApplicationCA2 Root' certificate and enable the Websites trust bit? Kathleen

Re: SSL Certs for Malicious Websites

2016-05-20 Thread Peter Bowen
[ Disclaimer: This message is my personal view and does not necessarily represent that of my employer. ] On Thu, May 19, 2016 at 9:15 AM, wrote: > This has been a very surprising discussion to me. If most CAs were asked “Do > you think CAs are supposed to investigate

Re: SSL Certs for Malicious Websites

2016-05-20 Thread Andrew Ayer
On Thu, 19 May 2016 16:52:26 -0700 (PDT) tech29...@gmail.com wrote: > Your main concern – unjustified delay in issuing a certificate to > your customer while a human looks at the domain to decide if there is > a problem - is not really related to any of Kathleen’s questions. > Your other comments

Re: SSL Certs for Malicious Websites

2016-05-20 Thread Gervase Markham
On 19/05/16 00:45, Matt Palmer wrote: > How so? It could be a site providing information from a third party on how > to make and receive payments via PayPal. It could also be a site operated > by a third party on behalf of PayPal. Inferring nefarious intent from a > domain name seems like a

Re: SSL Certs for Malicious Websites

2016-05-20 Thread Gervase Markham
On 18/05/16 17:35, Ben Wilson wrote: > Looking at the threat from a defense-in-depth/orthogonal perspective, > doesn't it make sense that everyone -- browsers, ICANN, CAs, etc. -- does > something to combat malicious websites for the public? Not necessarily, if what they do ends up damaging

Re: Request to enable EV for VeriSign Class 3 G4 ECC root

2016-05-20 Thread Gervase Markham
On 19/05/16 20:26, Peter Kurrasch wrote: > My recommendation is for Mozilla to reject this request from Symantec > on the grounds that it is unnecessary. As others have pointed out > recently, the chief function of a CA is to certify identity. That > certification should be ably met with the

Re: SSL Certs for Malicious Websites

2016-05-20 Thread tech29063
On Friday, May 20, 2016 at 2:09:42 AM UTC-7, Ben Laurie wrote: > > 4.9.3. Procedure for Revocation Request > > > >"*** The CA SHALL provide Subscribers, Relying Parties, Application > > Software Suppliers, and other third parties with clear instructions for > > reporting suspected Private

Re: Disclosure of intermediates that chain to multiple roots

2016-05-20 Thread Rob Stradling
On 19/05/16 21:48, Kathleen Wilson wrote: On Monday, May 16, 2016 at 1:33:40 PM UTC-7, Rob Stradling wrote: However, ISTM that a "proposed change currently in discussion" is less authoritative than the CA Communication (which, as I've said, seems to explicitly require multiple disclosures of