I agree that it probably is not worth dwelling on the "Andy Ligg question" in
particular but I think there is a broader issue at play which is worth
addressing: deception.
I think there is ample evidence that WoSign engaged in a deliberate,
persistent, and extensive campaign of deception
On 11/10/16 15:08, Nick Lamb wrote:
> Mozilla could choose to do that too, and agree that when a new CA is
> added to NSS it will use the Mozilla CA (trusted but never used to
> issue end entity certificates) to cross sign the new CA. The
> resulting certificate could be included in chains for the
Don't sell your namesake domain short! Sure, the Google domains are subject to
different types of attacks than most others but any domain with a cert has
value. For example, I'd be happy to use gerv.net as a landing page for my spam
campaign or as a phishing site or, even better, as a host for
On Tue, Oct 11, 2016 at 7:08 AM, Nick Lamb wrote:
>
> Some of the major root trust stores (e.g. Microsoft, Apple) also operate
> their own root CA, which they include in that store, for internal purposes at
> least. I believe none of them is trusted by another root trust
On Tuesday, 11 October 2016 09:47:20 UTC+1, Gervase Markham wrote:
> I guess you could ask a trusted competitor to generate them on new
> hardware and hold the HSMs securely, then you include the roots in
> Firefox straight away, and then only tell the competitor to release the
> HSMs to CA Foo
Process to apply a SSL certificate of StartCom:
Step 1. StartCom customer sign-in his/her account on official website of
StartCom;
Step 2. Customer do the domain validation via “Validations Wizard”;
Step 3. PKI validation system send the verification code to domain name whois
admin email, the
Hi Eddy,
While I have sympathy with what you say, your analysis is incomplete in
one respect.
On 11/10/16 09:41, Eddy Nigg wrote:
> The problematic issue in relation to StartCom is obviously the _two
> backdated SHA1 certificates_
There is also the case of StartEncrypt. While no known
On 11/10/16 02:55, Ryan Sleevi wrote:
> CAs would and could address that continuinity by signing their new
> root with their old (distrusted) root, and only issuing certificates
> with the new root, while the old root fades into obsolecence.
>
> This offers continuity because the certs issued by
On 11/10/16 01:04, Kathleen Wilson wrote:
> I think what you are saying is that the CA needs to re-apply for
> inclusion with new root certificates (not their old root certs).
> Correct? If yes, I am inclined towards that idea too. I've heard that
> it would cause continuity issues, but I don't
Hi Kathleen,
On 10/10/2016 09:39 PM, Kathleen Wilson wrote:
I would like to remind everyone that when making decisions about what to do
about CA mis-issuance, it is expressly *not* a goal for me to mete out
punishment. Rather, my primary goal is to help keep end-users safe, based on
the
On Tuesday, 11 October 2016 01:04:14 UTC+1, Kathleen Wilson wrote:
> Why do we need a minimum of 1 year?
> What purpose does that serve?
> If they meet all our requirements earlier, why couldn't we discuss it earlier
> than 1 year?
The exact period of one year is of course arbitrary. However I
On 10/10/16 23:00, Ryan Hurst wrote:
> I also believe there are a few core questions that are relevant to
> “what it depends on”, these include: Is it reasonable for the
> operational and technical failures StartCom made prior to the
> acquisition to be handled as a separate incident?
I presume
12 matches
Mail list logo