On 03/12/2015 11:25, Gervase Markham wrote:
On 30/11/15 22:37, Jakob Bohm wrote:
1.1. Certificates that are used on servers that don't implement
OCSP stapling.
No-one is suggesting dropping support for non-stapling web servers. But
the revocation options will not be as good.
Good.
1.2
_
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31
e future.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Pho
Applicant is the Domain Name Registrant or has
control over the FQDN to at least the same level of assurance as those
methods previously described.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
le 4: A CA company may run all its CAs as
subordinates under a single root, but only some of those subCAs meet
Mozilla criteria. Example 5: Some historic roots, such as Equifax,
have been subsequently used as the root CA signing the new CAs as
subCAs.
Enjoy
Jakob
--
Jakob Bohm, CI
exposing themselves to wiretapping by parties other than
the government in question.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors
On 08/01/2016 23:31, Florian Weimer wrote:
* Jakob Bohm:
Could they, hypothetically, simply claim to use the real certificate on
the connection from their MiTM machines to the real server to do
practical control validation? They would have to claim, also, that
they are holding the private key
elf-signed (historically) using SHA-1, but which no longer
issue certificates signed with SHA-1 (this is possible for non-DSA
roots only).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussi
trivially easy and reliable.
...
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for P
On 18/01/2016 22:18, Richard Barnes wrote:
On Mon, Jan 18, 2016 at 11:07 AM, Jakob Bohm <jb-mozi...@wisemo.com> wrote:
On 18/01/2016 16:19, Richard Barnes wrote:
"Failed" might be a bit strong :) We had a temporary setback.
Like the blog post says, we're working o
CP/CPS documents etc.
For example a CA may have a special permission and procedure to
directly check certain government records of applicants, even though
the published procedures say the applicant must provide a certified
copy. This would catch a fraudulent application accompanied by a
perfectly fo
-security-policy
[mailto:dev-security-policy-bounces+steve.medin=verizonbusiness@lists.mozilla.org]
On Behalf Of Jakob Bohm
Sent: Sunday, February 14, 2016 5:08 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: [E] Re: New requirement: certlint testing
On 14/02/2016 21:58, Steve
(and
associated m of n methods), post-audit, and delivery whether a subordinate
CA or a responder certificate.
Good for you (and all your relying parties), doesn't extend to all the
other CAs unless backed by requirements.
Kind regards,
Steve Medin
On Tue, Feb 16, 2016 at 10:03 AM Jakob Bohm <
.
-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+steve.medin=verizonbusiness@lists.mo
zilla.org] On Behalf Of Jakob Bohm
Sent: Thursday, February 11, 2016 1:23 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: New requirement: certlint testing
joy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones an
ly chain to your root
certificate(s) included in Mozilla's CA Certificate Program",
shouldn't those phrases exclude technically constrained subCAs,
such as subCAs used exclusively for codesigning (which has a near
indefinite need for SHA-1 certs due to Microsoft actions).
Enjoy
Jak
ting those is not viable, and not every CA has an old root
they can "throw away", like Symantec did with some of the branded roots
they had accumulated.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31
single certificate query, as
the random value only needs to change when the rest of the response
changes, so a pre-computed response would contain a pre-computed
random value.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark
On 10/03/2016 00:22, Peter Gutmann wrote:
Jakob Bohm <jb-mozi...@wisemo.com> writes:
2. Find a way to add OCSP responder chosen random data in each OCSP
response.
Responder or requester? You've got the OCSP nonce, although since every
(public) CA has disabled it that probably won'
On 11/03/2016 09:55, Kurt Roeckx wrote:
On 2016-03-11 01:14, Jakob Bohm wrote:
- Non-PrintableString/UTF8String in DNs. Workaround to be removed in
Bug #[TBD].
Does this also apply to "pure ASCII" fields such as country ("C=US")
etc.? Some of those were historicall
ate
SHA-1 collisions. The major CAs probably did that before the 1/1/2016
deadline, but some of the smaller CAs may have not gotten that done yet.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
Th
v-security-policy
[mailto:dev-security-policy-bounces+jeremy.rowley=digicert@lists.mozilla.org]
On Behalf Of Jakob Bohm
Sent: Wednesday, March 30, 2016 12:06 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: SHA-1 S/MIME certificates
On 30/03/2016 18:49, Kathleen Wi
majority of 3rd party e-mail clients
and the OS level root CA list of most operating systems releases,
such as Microsoft Windows and the various Linux distributions.
9. All procedures performed to comply with the above rules must be
documented in the relevant CPS and verified by the annual au
or meaningful change to the CP/CPS. Of
> course ComSign is obligated and WILL notify Mozilla of any meaningful
> change in its CP/CPS, but this is not relevant to this section.
...
Eli Spitzer, Information security & System Management, Comsign
Enjoy
Jakob
--
Jakob Bohm, CIO,
tu) use the Mozilla CA list as the
basis for their system-wide general purpose certificate stores.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain er
v-security-policy
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones an
, the CA
must publish a list of the exact IssuerDN encodings used in such
certificates.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain
On 03/02/2017 05:22, Ryan Sleevi wrote:
On Thu, Feb 2, 2017 at 3:59 PM, Jakob Bohm <jb-mozi...@wisemo.com> wrote:
On 02/02/2017 00:46, Kathleen Wilson wrote:
All,
I've added another Potentially Problematic Practice, as follows.
https://wiki.mozilla.org/CA:Problematic_Pra
On 07/02/2017 20:49, David E. Ross wrote:
On 2/7/2017 11:15 AM, Jakob Bohm wrote:
Root certificates previously withdrawn for this purpose are encouraged
to report this fact to Mozilla by and to maintain valid entries in
the CCADB for such roots, all for the benefit of organizations
is purpose are encouraged
to report this fact to Mozilla by and to maintain valid entries in
the CCADB for such roots, all for the benefit of organizations that
maintain or service software that are or interoperate with such older
software.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A
On 03/02/2017 14:30, Ryan Sleevi wrote:
On Thu, Feb 2, 2017 at 9:37 PM Jakob Bohm <jb-mozi...@wisemo.com> wrote:
On 03/02/2017 05:22, Ryan Sleevi wrote:
On Thu, Feb 2, 2017 at 3:59 PM, Jakob Bohm <jb-mozi...@wisemo.com>
wrote:
On 02/02/2017 00:46, Kathleen Wilson wrote:
All,
On 25/01/2017 09:40, okaphone.elektron...@gmail.com wrote:
On Wednesday, 25 January 2017 08:25:41 UTC+1, Jakob Bohm wrote:
Tiny nit: What if the original language of the CP/CPS is English. Then
there can't be a "translation" etc.
Mmmm... indeed.
It actually says "The
org/sid/ca-certificates
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones an
On 28/01/2017 07:51, Peter Gutmann wrote:
Jakob Bohm <jb-mozi...@wisemo.com> writes:
DSA and ECDSA signatures are only secure if the hash algorithm is specified
in the certificate, presumably as part of the AlgorithmIdentifier in the
SubjectPublicKeyInfo.
It's in the (badly-named) sig
o/dev-security-policy
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Managem
r. We revoked all reported certificates
which were still valid that had not previously been revoked within the 24
hour CA/B Forum guideline - these certificates each had "O=test". Our
investigation is continuing.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Tra
On 27/01/2017 10:06, Gervase Markham wrote:
On 26/01/17 14:12, Jakob Bohm wrote:
Given that Mozilla has been reducing the scope and generality of their
root store over the past few years, I would suggest reaching out to
those organizations that base their public root stores on the Mozilla
store
of their
issuance infrastructure, both testing that certificates are issued for domains
they should be, and that they are not issued for domains that they should
not be, under an adversarial threat model.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860
On 18/01/2017 01:12, Nick Lamb wrote:
On Tuesday, 17 January 2017 23:34:20 UTC, Jakob Bohm wrote:
How about "_and versions and strong (>= 256 bits) hashes_",
Frankly any _cryptographic_ hash should be adequate for this purpose. Even for
the most creaky crypto hashes I can think
audit criteria for e-mail certificates as
trusted by Mozilla Thunderbird.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo
e no problem
generating such hashes for the documents audited, and a future update
of the Mozilla "CA community portal" might include a script that checks
these hashes while archiving the CP/CPS documents.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transf
On 18/01/2017 16:20, Gervase Markham wrote:
On 17/01/17 23:27, Jakob Bohm wrote:
Notes on the text in that branched section (other than the actual
change discussed here):
This parenthesis indicates none of these are in scope for this
particular issue, just something that might be their own
.
...somebody has to lead by example and soon!
Hopefully not you.
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management
On 20/01/2017 00:35, Nick Lamb wrote:
On Thursday, 19 January 2017 20:20:24 UTC, Jakob Bohm wrote:
Google's CT initiative in its current form has serious privacy problems
for genuine certificate holders. I applaud any well-run CA that stands
up to this attack on the Internet at large.
I
ists because those signed
e-mails need to remain checkable at a later time, regardless if the
original signer cooperates or tries to repudiate his own signature.
Once the last TLS certificate is gone from the list, the expiry
period of the .jar files is increased significantly, as there woul
SCTs in the certs, I thought the
plan was to have the problematic CA *not* issue more certs...
Indeed, I have found that a number of common web server implementations
simply lack the ability to do OCSP stapling at all.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Tr
front end: No OCSP
stapling support in the standard version.
IIS for Windows Server 2008 (latest IIS supporting pure 32 bit
configurations): No obvious (if any) OCSP stapling support.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søbor
Peter.
HØHØHØ *
*=The standard way of writing a derisive laughter in response to a bad
unfunny joke.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contai
On 06/09/2016 15:37, Kurt Roeckx wrote:
On 2016-09-06 14:16, Jakob Bohm wrote:
On 06/09/2016 10:25, Kurt Roeckx wrote:
If you think there is something we can do in OpenSSL to improve this,
please let us know.
Here is a list of software where I have personally observed bad OCSP
stapling
On 06/09/2016 16:43, Martin Rublik wrote:
On Tue, Sep 6, 2016 at 2:16 PM, Jakob Bohm <jb-mozi...@wisemo.com> wrote:
Here is a list of software where I have personally observed bad OCSP
stapling support:
IIS for Windows Server 2008 (latest IIS supporting pure 32 bit
configur
ion to your well-published PKI criticism, it is noted that some
of the many new CAs found in root stores are governments who (unlike
commercial CAs) are the actual authority on the identity of their
citizens.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej
On 06/09/2016 18:15, Ryan Hurst wrote:
On Tuesday, September 6, 2016 at 7:54:14 AM UTC-7, Jakob Bohm wrote:
On 06/09/2016 16:43, Martin Rublik wrote:
On Tue, Sep 6, 2016 at 2:16 PM, Jakob Bohm <jb-mozi...@wisemo.com> wrote:
Here is a list of software where I have personally observ
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
est
script that scans issued certificates for the problem and raises an
alarm so such certificates would be reissued (with distinct serial
numbers) and revoked within a few days of each failure.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søbor
larly, as a public audit, someone could routinely set up throw-away
domains with CAA records, then request banned certificates to name and
shame bad issuance if actually issued (A "Mystery shopper" test
strategy). Of course this should involve some checks against bad faith
testing (such
d SMTP servers.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Em
On 13/09/2016 16:47, Ryan Sleevi wrote:
On Monday, September 12, 2016 at 8:30:07 PM UTC-7, Jakob Bohm wrote:
A variation of this, would be to create (compacted) whitelists for
specific old intermediary certs,
It sounds like you haven't been following this conversation, but the entire
point
On 14/09/2016 16:11, Kyle Hamilton wrote:
On 9/12/2016 20:20, Jakob Bohm wrote:
On 13/09/2016 03:03, Kyle Hamilton wrote:
I would prefer not to see a securelogin-.arubanetworks.com
name, because such makes it look like Aruba Networks is operating the
captive portal
e date? If so, that would be
cryptographic evidence that the certificates were signed after those
SCT entries were generated.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is n
On 10/09/2016 14:45, Gervase Markham wrote:
On 09/09/16 11:53, Jakob Bohm wrote:
As I read the Wiki description of WoSign issue L: Arbitrary High port
validation, the description notes a case of port 8080 validation as an
instance of this.
If the BR and or CP/CPS indeed classify port 8080
. For example, I don't think
there would be specific BRs covering if they remember to lock the door
to the server room.
This would be very similar to how financial auditors do some
checking if the day to day accounting practices are sound in terms of
avoiding fraud.
Enjoy
Jakob
--
Jakob Bohm
On 10/09/2016 14:39, Gervase Markham wrote:
On 09/09/16 11:59, Jakob Bohm wrote:
Since a major root compromise is generally considered the worst
possible security event for a trusted CA, this wording could easily be
(mis?)understood not to require reporting of lesser security failures
not. If cloudflare itself starts to play fast
and loose with the identity of the proxied domains, that becomes a
security concern in itself, unrelated to CA inclusion policy.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmar
On 12/09/2016 21:57, Rob Stradling wrote:
On 12/09/16 18:57, Jakob Bohm wrote:
On 11/09/2016 07:49, Peter Bowen wrote:
On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei <hanyuwe...@gmail.com> wrote:
So when I delegated the DNS service to Cloudflare, Cloudflare have
the privilege to
rivate key.
-Kyle H
On 9/7/2016 00:41, Jakob Bohm wrote:
Given the specific name in those certificates, and the place where the
private key was seen, I would guess the actual use case is this:
...
Just to clarify, I never said that the use was for a "captive portal"
or other such 3rd pa
certs for which no trust restrictions exist.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Pho
On 13/09/2016 01:28, Ryan Sleevi wrote:
On Monday, September 12, 2016 at 3:51:56 PM UTC-7, Jakob Bohm wrote:
Note that this is *entirely* outside CA/B and CA inclusion related
guidelines, since CloudFlare is (presumably) not a CA and thus not
subject to such guidelines.
Then isn't it also
On 13/09/2016 11:50, Gervase Markham wrote:
On 12/09/16 19:02, Jakob Bohm wrote:
Wouldn't this fall under the general auditable requirement of being
careful in their practices and procedures.
Ask an auditor, and they will tell you that "be careful" is not an
auditable requirement.
On 12/09/2016 23:48, Ryan Sleevi wrote:
On Monday, September 12, 2016 at 2:33:47 PM UTC-7, Jakob Bohm wrote:
I find fault in CloudFlare (presuming the story is actually as
reported).
Why? Apologies, but I fail to see what you believe is "wrong", given how
multiple people have poin
,
such as issuing millions (or just hundreds) of certificates without
proper validation etc.
Am I reading something wrong, or is there an unintended loophole in the
Mozilla Policy, as written, in this regard?
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860
t received with a
mime-type, like ftp: and file: URLs) and many other software systems.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain erro
. On a trust policy/BR level, the
key detail here is that the issuing root cert is a SHA-1 cert itself
and would thus be distrusted by SHA-1-distrusting systems anyway.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45
On 30/09/2016 13:21, Gervase Markham wrote:
On 30/09/16 07:50, Jakob Bohm wrote:
SHA-1 certs until the hardware dies. On a trust policy/BR level, the
key detail here is that the issuing root cert is a SHA-1 cert itself
and would thus be distrusted by SHA-1-distrusting systems anyway.
That's
On 06/10/2016 15:58, Gervase Markham wrote:
On 06/10/16 12:38, Jakob Bohm wrote:
Which is why I have repeatedly suggested that maybe the rules should be
changed to promote/demote some of the historic SHA-1 root certs into
"SHA-1 forever" roots that can service older devices and brow
rtificates and FS keys for
new clients.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote S
of income while keeping up significant
operational costs just for the hope of maybe getting readmitted.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding
that might be distrusted, disclosure of e-mail only cross signatures
and e-mail only subCAs still need to be disclosed in order to maintain
root program integrity.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
T
: If StartCom has not yet decided
on a technical separation plan, could one acceptable option for such a
plan be to reactivate the old (pre-acquisition) infrastructure and
software and take it from there?
An answer to that might help StartCom choose an acceptable plan.
Enjoy
Jakob
--
Jakob Bohm, CIO
certificate requests will come from DNSSEC signed domains. After all,
if they did, DANE would soon be a substitute for DV certs.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion
orums",
and you appear to be using that Google web app, but not everyone does.
If the Google web app is blocked in China, then the Chinese
participants (I have read messages from at least 2 people from China in
the past week here), are presumably not using the Google web app.
Enjoy
Jako
fee and passes a full BR audit by Ernst, Young or
Deloitte".
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remot
"permitted"
algorithms are all broken before replacements become "permitted".
Having a specific BR rule banning any curve except 3 curves from a
single government project in a single country certainly looks like a
very bad idea.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseM
On 23/09/2016 12:51, Peter Gutmann wrote:
Jakob Bohm <jb-mozi...@wisemo.com> writes:
While you are at it:
1. How many WoSign/StartCom certificates did you find with domains not
on that IANA list?
2. How many WoSign/StartCom certificates did you find for other uses
than
On 23/09/2016 17:18, Rob Stradling wrote:
On 22/09/16 18:48, Jakob Bohm wrote:
While you are at it:
1. How many WoSign/StartCom certificates did you find with domains not
on that IANA list?
Hi Jakob. I wasn't looking for this sort of thing, because Gerv was
only interested in "u
Mechanisms such as OneCRL tend to be horribly incomplete. Just in the
past few months there has been repeated mention on this list of revoked
certificates that were not on OneCRL, only on the CA CRLs.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29,
for "odd" subdomains such as "extranet.example.com"
2.2 Certificates for e-mail
2.3 Code signing certificates
2.4 Others?
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public d
for
reporting this bug to the OpenSSL team, thus helping to protect us all.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote
notifications? They are supposed to have one, according
to the BRs. I'm not sure posting here would count.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding
On 23/09/2016 18:46, Ryan Sleevi wrote:
On Friday, September 23, 2016 at 9:15:48 AM UTC-7, Jakob Bohm wrote:
they are nowhere as bad as proponents of
extreme centralization schemes claim.
Citation needed. It would seem that you're not familiar with the somewhat
well-accepted industry state
On 27/09/2016 09:31, Kurt Roeckx wrote:
On 2016-09-27 01:18, Jakob Bohm wrote:
It would perhaps be useful if you could dispute, using Firefox as an
example, and considering the real deployment (not the theoretical
abstract of ways in which someone 'might' configure about:flags, but
no one can
time, e.g. 12:00 noon
UTC.
P.S.
I am aware of the current zero-difference between UK local time and
UTC, but this was not so just 10 days ago.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
T
ckhanded tactics to subvert a log operator that is entirely outside
its direct jurisdiction.
History has taught us that such things do happen from time to time.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 1
On 08/11/2016 20:51, Ryan Sleevi wrote:
On Tue, Nov 8, 2016 at 11:24 AM, Jakob Bohm <jb-mozi...@wisemo.com> wrote:
Diversity requirements are about reducing the likelihood of
simultaneous coercion, as it can never be ruled out that some powerful
organization already engaged in such things
On 08/11/2016 20:37, Gervase Markham wrote:
On 08/11/16 19:11, Jakob Bohm wrote:
However because all the sources are from a single entity (the UK
government), that entity could manipulate the results, thus falsifying
the provable randomness of the process.
I think you are bikeshedding
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
claiming that.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
of the transition away from SHA-1, those roots were
usually cross signed by their already trusted SHA-1 roots).
Perhaps a better text would be
"1 and a half) The CA private key must not be used for any other CA or
entity, but a CA may have more than one CA Certificate for that private
key
On 22/10/2016 14:59, Ryan Sleevi wrote:
On Saturday, October 22, 2016 at 5:11:29 AM UTC-7, Jakob Bohm wrote:
Talking of codesigning, which root store does Chrome use to validate
signatures on the PPAPI plug ins it is currently forcing developers to
switch to?
I've mentioned to you repeatedly
date
signatures on the PPAPI plug ins it is currently forcing developers to
switch to?
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
Wi
On 18/10/2016 20:50, douglas.beat...@gmail.com wrote:
On Monday, October 17, 2016 at 4:19:34 PM UTC-7, Jakob Bohm wrote:
On 16/10/2016 09:59, Adrian R. wrote:
Hello
I read in the news (but not here on m.d.s.p) that a few days ago Globalsign
revoked one of their intermediary roots and then un
1 - 100 of 570 matches