Ryan Sleevi writes:
>I similarly suspect you’re unaware of https://wicg.github.io/cors-rfc1918/ in
>which browsers seek to limit or restrict communication to such devices?
A... blog post? Not sure what that is, it's labelled "A Collection of
Interesting Ideas", stashed on
On Wed, Jan 10, 2018 at 3:33 AM Peter Gutmann
wrote:
> Ryan Sleevi writes:
>
> >I hope you can see how I responded to precisely the problem provided.
>
> You responded to that one specific limited instance.
I responded to the topic of this thread,
Ryan Sleevi writes:
>I hope you can see how I responded to precisely the problem provided.
You responded to that one specific limited instance. That doesn't work for
anything else where you've got a service that you want to make available over
HTTPS. Native messaging is a
We've received a credible report of a problem with ACME TLS-SNI-01 validation
which could allow people to get certificates they should not be able to get.
While we investigate further we have disabled tls-sni-01 validation.
We'll post more information soon.
On Wed, Jan 10, 2018 at 12:42 AM Peter Gutmann
wrote:
> Ryan Sleevi writes:
>
> >Of course, if that doesn’t tickle your fancy, there are other ways that are
> >supported that you may not have heard about - for example:
> >
>
> On Jan 9, 2018, at 19:31, Peter Gutmann via dev-security-policy
> wrote:
>
> Jonathan Rudenberg writes:
>
>> For communicating with other machines, the correct thing to do is to issue a
>> unique certificate for each device from
Jonathan Rudenberg writes:
>For communicating with other machines, the correct thing to do is to issue a
>unique certificate for each device from a publicly trusted CA. The way Plex
>does this is a good example:
All,
I would like to thank Aaron Wu for all of his help on our CA Program,
and am sorry to say that his last day at Mozilla will be January 12. I
have appreciated all of Aaron’s work, and it has been a pleasure to work
with him.
I will be re-assigning all of the root inclusion/update
> On Jan 9, 2018, at 18:42, Peter Gutmann via dev-security-policy
> wrote:
>
> Ryan Sleevi writes:
>
>> Of course, if that doesn’t tickle your fancy, there are other ways that are
>> supported that you may not have heard about - for
Ryan Sleevi writes:
>Of course, if that doesn’t tickle your fancy, there are other ways that are
>supported that you may not have heard about - for example:
>https://docs.microsoft.com/en-us/microsoft-edge/extensions/guides/native-messaging
>
On Wed, Jan 10, 2018 at 12:08 AM Peter Gutmann
wrote:
> Ryan Sleevi writes:
>
> >Or is your viewpoint that because this happened in the past, one should
> >assume that it will forever happen, no matter how much the ecosystem changes -
> >including
Ryan Sleevi writes:
>Or is your viewpoint that because this happened in the past, one should
>assume that it will forever happen, no matter how much the ecosystem changes -
>including explicitly prohibiting it for years?
Pretty much. See the followup message, which shows it
On Tue, Jan 9, 2018 at 11:12 PM Peter Gutmann
wrote:
> Ryan Sleevi writes:
>
> >First, there are non-commercial CAs that are trusted.
>
> By "commercial CAs" I meant external business entities, not an in-house CA
> that the key or cert owner controls.
Ryan Sleevi writes:
>First, there are non-commercial CAs that are trusted.
By "commercial CAs" I meant external business entities, not an in-house CA
that the key or cert owner controls. Doesn't matter if they charge money or
not, you still need to go to an external
On Tue, Jan 9, 2018 at 4:40 PM, Peter Gutmann via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Nicholas Humfrey via dev-security-policy writes:
>
> >What is the correct way for them to achieve what they are trying to do?
>
> I'm
Hi,
On Tue, 09 Jan 2018 21:04:34 +
Nicholas Humfrey via dev-security-policy
wrote:
> What is the correct way for them to achieve what they are trying to
> do?
>
> Would it be better to use a self-signed localhost certificate (same
> subject and
>
Nicholas Humfrey via dev-security-policy
writes:
>What is the correct way for them to achieve what they are trying to do?
I'm not sure if there is a correct way, just a least awful way. The problem
is that the browser vendors have decreed that you can
Hello,
Apologies if this is off-topic but I am not sure where else to query this.
While going through the list of Root Certificate Authorities on my computer, I
was alarmed to discover one I wasn't expecting there, called "DYMO Root CA (for
localhost)". This certificate was installed by the
Hi,
On 29/12/17 06:24, Jakob Bohm wrote:
> 1. Do all recently issued certificates have to contain at least 64 bits
> of randomness in their serial numbers?
Yes. (References given by others.)
> 2. Is it acceptable for a CA to satisfy this requirement by generating
> random 64 bit serial
Hi Quirin,
On 15/12/17 15:09, Quirin Scheitle wrote:
> The results, paper, and a dashboard tracking CAA adoption are available under
>
> https://caastudy.github.io/
Belatedly, thank you and your colleagues for doing this excellent work.
It is interesting that you have received no iodef
Dear all,
In response to Mr. Gaynor's email reporting a mis-issued certificate, the owner
of the certificate has been contacted and request its revocation. Our
compromise is to have it revoked by this afternoon at most.
After reviewing the problem, we believe that given the issuance date