Re: Concerns with Dun & Bradstreet as a QIIS

2018-09-27 Thread Dimitris Zacharopoulos via dev-security-policy
Forgive my ignorance, but could you please explain what was your ultimate goal, as "an attacker", what were you hoping to gain and how could you use this against Relying Parties? I read your email several times but I could not easily find a case where your fake address creates any serious

Re: Concerns with Dun & Bradstreet as a QIIS

2018-09-27 Thread Ryan Sleevi via dev-security-policy
On Thu, Sep 27, 2018 at 10:39 PM Tim Hollebeek wrote: > I'm glad you added the smiley, because in my experience CAs have rarely, > if ever, had any discretion in such matters. That does not match reports from multiple former employees of various CAs. Nor do we (DigiCert) particularly

RE: Concerns with Dun & Bradstreet as a QIIS

2018-09-27 Thread Tim Hollebeek via dev-security-policy
I'm glad you added the smiley, because in my experience CAs have rarely, if ever, had any discretion in such matters. Nor do we (DigiCert) particularly want to, to be honest. I prefer clear, open, and transparent validation rules that other CAs can't play games with. Whitelisting and

RE: SHA-1 exception history

2018-09-27 Thread Tim Hollebeek via dev-security-policy
> On Thu, 27 Sep 2018 14:52:27 + > Tim Hollebeek via dev-security-policy > wrote: > > > My personal impression is that by the time they are brought up here, > > far too many issues have easily predicted and pre-determined outcomes. > > It is probably true that many issues have predictable

Re: Concerns with Dun & Bradstreet as a QIIS

2018-09-27 Thread Ryan Sleevi via dev-security-policy
Yes, it would be work, but would result in consistent and reliable information, and already reflective of the fact that an EV certificate needs to identify the jurisdictionOfIncorporation and its incorporating documents. Or are we saying that OV doesn't need to make sure it's actually a valid and

Re: Concerns with Dun & Bradstreet as a QIIS

2018-09-27 Thread Matthew Hardeman via dev-security-policy
A whitelist of QGIS sounds fairly difficult. And how long would it take to adopt a new one? In some states you're going to have an authority per county. It'd be a big list. On Thu, Sep 27, 2018 at 5:35 PM, Ian Carroll via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: >

Re: Concerns with Dun & Bradstreet as a QIIS

2018-09-27 Thread Ian Carroll via dev-security-policy
On Wednesday, September 26, 2018 at 6:12:22 PM UTC-7, Ryan Sleevi wrote: > Thanks for raising this, Ian. > > The question and concern about QIIS is extremely reasonable. As discussed > in past CA/Browser Forum activities, some CAs have extended the definition > to treat Google Maps as a QIIS (it

Re: SHA-1 exception history

2018-09-27 Thread Nick Lamb via dev-security-policy
On Thu, 27 Sep 2018 14:52:27 + Tim Hollebeek via dev-security-policy wrote: > My personal impression is that by the time they are brought up here, > far too many issues have easily predicted and pre-determined outcomes. It is probably true that many issues have predictable outcomes but I

Re: Visa Issues

2018-09-27 Thread Wayne Thayer via dev-security-policy
Visa has filed a bug [1] requesting removal of the eCommerce root from the Mozilla root store. Visa has also responded to the information requested in the qualified audits bug [2], but it's unclear if or when they will respond to the issues list presented in this thread. Two weeks have passed

Re: Google Trust Services Root Inclusion Request

2018-09-27 Thread Wayne Thayer via dev-security-policy
A few additional points: First off, thank you Rob and James for calling out unacceptable list behavior. Personal attacks will not be tolerated from anyone on this list. On Thu, Sep 27, 2018 at 10:26 AM Ryan Sleevi wrote: > > On Thu, Sep 27, 2018 at 11:17 AM Jeremy Rowley > wrote: > >> Oh – I

Re: Google Trust Services Root Inclusion Request

2018-09-27 Thread Ryan Sleevi via dev-security-policy
On Thu, Sep 27, 2018 at 11:17 AM Jeremy Rowley wrote: > Oh – I totally agree with you on the Google inclusion issue. Google meets > the requirements for inclusion in Mozilla’s root policy so there’s no > reason to exclude them. They have an audited CPS, support a community > broader with certs

RE: Google Trust Services Root Inclusion Request

2018-09-27 Thread Jeremy Rowley via dev-security-policy
Maybe Jake’s opinion is not being discarded as readily as I supposed. However, Jake’s last message left me disturbed that he didn’t feel listened to. Apologies if I’m overblowing the issue, which are definitely hypothetical at this point. I did want Jake to feel like his input is an important

RE: Google Trust Services Root Inclusion Request

2018-09-27 Thread Jeremy Rowley via dev-security-policy
Oh – I totally agree with you on the Google inclusion issue. Google meets the requirements for inclusion in Mozilla’s root policy so there’s no reason to exclude them. They have an audited CPS, support a community broader with certs than just Google, and have operated a CA without problems in

RE: Concerns with Dun & Bradstreet as a QIIS

2018-09-27 Thread Tim Hollebeek via dev-security-policy
> The question and concern about QIIS is extremely reasonable. As discussed in > past CA/Browser Forum activities, some CAs have extended the definition to > treat Google Maps as a QIIS (it is not), as well as third-party WHOIS services > (they’re not; that’s using a DTP). It's worth noting that

Re: SHA-1 exception history

2018-09-27 Thread Tim Hollebeek via dev-security-policy
Speaking for myself ... My personal impression is that by the time they are brought up here, far too many issues have easily predicted and pre-determined outcomes. I know most of the security and key management people for the payment industry very well [1], and they're good people. The

Re: Re: Google Trust Services Root Inclusion Request

2018-09-27 Thread Peter Bowen via dev-security-policy
Richard, Unfortunately Gerv is no longer with us, so he cannot respond to this accusation. Having been involved in many discussions on m.d.s.p and with Gerv directly, I am very sure Gerv deeply owned the decisions on StartCom and WoSign. It was by no means Ryan telling Gerv or Mozilla what to

Re: Google Trust Services Root Inclusion Request

2018-09-27 Thread Richard Wang via dev-security-policy
It is unfair that somebody attacked me in the WoSign sanction discussion, but nobody said a word about this! Why? Because Ryan is a famous person and I am nobody? Best Regards, Richard Wang On Sep 27, 2018, at 18:24, James Burton <j...@0.me.uk> wrote: Richard, Your conduct is totally

Re: Google Trust Services Root Inclusion Request

2018-09-27 Thread Nick Lamb via dev-security-policy
On Wed, 26 Sep 2018 23:02:45 +0100 Nick Lamb via dev-security-policy wrote: > Thinking back to, for example, TSYS, my impression was that my post on > the Moral Hazard from granting this exception had at least as much > impact as you could expect for any participant. Mozilla declined to >

Re: Google Trust Services Root Inclusion Request

2018-09-27 Thread James Burton via dev-security-policy
Richard, Your conduct is totally unacceptable and won’t be tolerated. You must read the forum rules regarding etiquette. Also I suggest you apologise to Ryan. James On Thu, 27 Sep 2018 at 10:33, Rob Stradling via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Richard,

Re: Google Trust Services Root Inclusion Request

2018-09-27 Thread Rob Stradling via dev-security-policy
Richard, You might like to familiarize yourself with the Mozilla Forum Etiquette Ground Rules: https://www.mozilla.org/en-US/about/forums/etiquette/ Note this in particular: "Be civil. No personal attacks. Do not feel compelled to defend your honor in public. Posts containing personal attacks

RE: AC Camerfirma's CP & CPS disclosure

2018-09-27 Thread Ramiro Muñoz via dev-security-policy
Hi Wayne, All problems have already been resolved from our side and we wait for the PIT audit planned for next week. We will be able to provide the PIT before October 31st. Best regards Ramiro Muñoz Muñoz AC Camerfirma SA. CTO, Exploitation Manager, CISA. +34 619 746 291 ·

RE: Re: Google Trust Services Root Inclusion Request

2018-09-27 Thread Richard Wang via dev-security-policy
Sorry, I don't agree with this point. Ryan Sleevi is the Mozilla Module Peer that put too much pressure on the M.D.S.P community to mislead the Community and to let Mozilla make the decision that Google wants. There are two facts to support my opinion: (1) For the StartCom sanction, Mozilla

RE: Re: Re: Google Trust Services Root Inclusion Request

2018-09-27 Thread Richard Wang via dev-security-policy
Hi Ryan, Thanks for pointing out the link "https://wiki.mozilla.org/CA:WoSign_Issues". I think I need to say more words about "misleading" and "lie". I would like to expose some FACTs to the public, to let the public know who is misleading and lying. For the initiate WoSign issues email in