On Tue, Mar 17, 2020 at 03:51:13PM +, Tim Hollebeek wrote:
> For what it's worth, while we generally try to accept any reasonable proof
> of key compromise, we have seen quite a large variety of things sent to
> us. This includes people actually sending us private keys in various
> forms,
This is an abusive practice that tends to injure the operation of the
internet, particularly by encouraging victims to operate sites without
authentication and encryption in the interregnum between revocation and
the acquisition of a new cert. It also needlessly raises the cost to
operate a
Yeah - I've wanted to do this for a long time. If the domain is only good for
30 days, why would we issue even a 1-year cert? If it's good for 13 months, why
not tie the cert validity to that? I guess because they could have transferred
the domain (which just means you need additional caps)?
Yes - please share the details with me as I am very surprised to hear that. I
know the DigiCert agreements I've seen don't permit revocation because of
termination so whoever (if anyone) is saying that is contradicting the actual
agreement. Threatening revocation because of termination or
Forwarded Message
Subject: Summary of March 2020 Audit Reminder Emails
Date: Tue, 17 Mar 2020 19:00:22 + (GMT)
Mozilla: Audit Reminder
CA Owner: Government of The Netherlands, PKIoverheid (Logius)
Root Certificates:
Staat der Nederlanden EV Root CA
Staat der
Thanks to all of you who have participated in this discussion. We plan
to begin work on a minor update (version 2.7.1) to Mozilla's Root Store
Policy soon. In response to this discussion, the following two issues
have been created and labelled for 2.7.1.
Wayne filed
On Monday, March 16, 2020 at 9:06:33 PM UTC, Tim Hollebeek wrote:
> Hello,
>
> I'd like to start a discussion about some practices among other commercial
> CAs that have recently come to my attention, which I personally find
> disturbing. While it's perfectly appropriate to have Terms and
> On 3/11/20 3:51 PM, Paul Walsh wrote:
> > Can you provide some insight to why you think a shorter frequency in
> > domain validation would be beneficial?
>
> To start with, it is common for a domain name to be purchased for one year.
> A certificate owner that was able to prove ownership/control
I agree with Corey on this. I was disappointed that the LAMPS discussion two
years ago was not as helpful as it could have been.
For what it's worth, while we generally try to accept any reasonable proof of
key compromise, we have seen quite a large variety of things sent to us. This
includes
On Wed, 11 Mar 2020 15:39:34 -0700
Kathleen Wilson via dev-security-policy
wrote:
> What do you all think about also limiting the re-use of domain
> validation?
I'm strongly in favor of this change, and think domain validation reuse
should eventually be limited to a period much shorter than one