Good evening,
On Monday, 7 October 2019 20:53:11 UTC+2, Ryan Sleevi wrote:
[...]
> # Intermediates that do not comply with the EKU requirements
>
> In September 2018 [1], Mozilla sent a CA Communications reminding CAs about
> the changes in Policy 2.6.1. One specific change, called to attention in
>
Hello,
On Friday, 20 September 2019 22:20:02 UTC+2, Curt Spann wrote:
[...]
> My interpretation is a “revoked” OCSP response should be used in the
> following conditions:
[...]
> 2. When the OCSP request contains an issuerNameHash and issuerKeyHash for
> which the OCSP responder IS
On Tuesday, 30 October 2018 22:23:10 UTC+1, Ryan Sleevi wrote:
> On Tue, Oct 30, 2018 at 4:37 PM Erwann Abalea via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > > On what basis do you believe this claim is to be made? By virtue of
>
Not seeing this on Google Groups :/
On Tue, 30 Oct 2018 at 18:28, Ryan Sleevi wrote:
>
>
> On Tue, Oct 30, 2018 at 1:20 PM Erwann Abalea via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> Le mardi 30 octobre 2018 17:29:14
On Tuesday, 30 October 2018 18:30:11 UTC+1, Moudrick M. Dadashov wrote:
> Thanks for good overview.
> I'd like to add some more.
> Actually the most questionable part of the chain is so called Supervisory
> bodies.
> Of course, root programs do not rely on SB assessment, but under eIDAS they
>
On Tuesday, 30 October 2018 18:28:50 UTC+1, Ryan Sleevi wrote:
> On Tue, Oct 30, 2018 at 1:10 PM Erwann Abalea via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > In fact, for the Relying Party, these certificates are definitely
> > considere
On Tuesday, 30 October 2018 17:29:14 UTC+1, Ryan Sleevi wrote:
[...]
> Note that if either the TSP is suspended of their certification or
> withdrawn, no notification will be made to relying parties. The closest
> that it comes is that if they're accredited according to EN 319 411-2
> (Qualified
Hello,
On Tuesday, 30 October 2018 16:20:31 UTC+1, Ryan Sleevi wrote:
> (Writing with an individual hat)
>
> I would like to suggest that consideration be given to rejecting future
> audits from TUVIT and from that of Matthias Wiedenhorst and Dr. Anja
> Widermann, for some period of time. I
Hello,
On Monday, 9 January 2017 18:02:57 UTC+1, Jeremy Rowley wrote:
> Not many websites, but all of the Belgium ID cards would end up being
> revoked.
Not exactly. The "Belgium Root CAx" CA certificates issued by Cybertrust would
be revoked, but since these CAs also have self-signed
Good evening,
On Tuesday, 13 December 2016 23:36:15 UTC+1, Kathleen Wilson wrote:
[...]
> Question: Do I need to update
> https://wiki.mozilla.org/CA:How_to_apply#Root_certificates_with_the_same_subject_and_different_keys
> ?
There could be something trying to enforce that root certificates sharing
Good evening,
On Tuesday, 6 December 2016 09:31:48 UTC+1, Wen-Cheng Wang wrote:
> Hi Jacob,
>
> I think you get confused by my colleague Li-Chun's email because he mentioned
> a lot about using self-issued certificates for key-rollover, AIA certificate
> chaining support, and the bug of Microsoft
On Thursday, 27 October 2016 09:55:09 UTC+2, Percy wrote:
> So this is it? Qihoo can continue to get away with this MITM browser?
I'm afraid that can't be solved by Mozilla. Qihoo is free to sell or freely
distribute their browser.
Hello,
On Friday, 21 October 2016 12:48:21 UTC+2, marc@gmail.com wrote:
[...]
> Just the opinion of a user who is securing services, websites and his mails
> with certificates but is not capable of paying hundreds of Euros / Dollars
> for achieving this goal every year.
DV
Hello,
On Saturday, 1 October 2016 11:02:21 UTC+2, Stefan Paletta wrote:
[...]
> I have one question about the proposal: what is the rationale and
> justification for the one-year minimum distrust? While this seems quite
> reasonable at first glance, my thinking is this: clearly, the proposed
Hello,
On Thursday, 29 September 2016 11:45:39 UTC+2, Varga Viktor wrote:
> Dear Peter,
>
> I am deeply in ETSI process, so I can give some info:
>
> Formerly the ETSIs are based on
>
> *102042 for CAs
> *101456 for CAs issuing qualified certificates (references frequently
Good evening,
On Tuesday, 27 September 2016 18:43:29 UTC+2, Han Yuwei wrote:
> On Tuesday, 27 September 2016 at 11:21:26 PM UTC+8, Hector Martin "marcan" wrote:
> > On 2016-09-27 23:21, Han Yuwei wrote:
> > > On Tuesday, 27 September 2016 at 8:33:28 PM UTC+8, Gervase Markham wrote:
> > >> On 27/09/16 13:13, adroidm...@gmail.com wrote:
> > >>> We
Hello,
Qihoo 360 is already a CABForum member in the "Internet Browser Software
Vendors" category.
On Tuesday, 20 September 2016 17:55:03 UTC+2, 谭晓生 wrote:
> Yes, you are correct, we also invested in Opera, but just a smaller share
> holders, not a majority one.
>
> Thanks,
> Xiaosheng Tan
Good evening Richard,
This info should probably be added to the thread "WoSign's ownership of
StartCom", and then Peter's complementary questions are legitimate ones, being
in line with Mozilla's concerns.
On Monday, 12 September 2016 15:59:14 UTC+2, Ben Laurie wrote:
> On 10 September 2016 at 15:43, Erwann Abalea <eaba...@gmail.com> wrote:
> > Ironically, since you're not the Subscriber, you cannot request for the
> > revocation of this certificate, at least not direc
Hello,
On Monday, 12 September 2016 14:30:56 UTC+2, Peter Kurrasch wrote:
> I noticed there are several other domains listed on that cert besides Han's
> (and wildcard versions for each). Unless Han is the registrar or has some
> other affiliation with those domains it seems to me there is a
Hello,
On Saturday, 10 September 2016 14:37:40 UTC+2, Han Yuwei wrote:
> I am using Cloudflare's DNS service and I found that Cloudflare has issued a
> certificate to their server including my domain. But I didn't use any SSL
> service of theirs. Is that ok to Mozilla's policy?
>
> Issued
On Friday, 2 September 2016 19:45:37 UTC+2, Percy wrote:
> Some facts for Mozilla to consider. WoSign Root is never trusted by Apple
> https://support.apple.com/en-ca/HT205205
> https://support.apple.com/en-ca/HT205204
>
> However, all WoSign leaf certs are trusted on Apple devices
Hello,
On Thursday, 1 September 2016 09:27:11 UTC+2, Ryan Sleevi wrote:
> On Wednesday, August 31, 2016 at 11:03:11 PM UTC-7, Percy wrote:
[...]
> > Or we can use an offline whitelist. How about include SHA-2 of existing
> > WoSign certificates in the binary? So the browser would first check
On Tuesday, 19 July 2016 22:05:13 UTC+2, Andrew Whalley wrote:
> Greetings,
>
> I have run the tool provided by dr.ir. Marc Stevens [1] on the
> tbsCertificates provided by Symantec [2]
>
> And see no evidence of collisions:
>
> $ ./sha1dcsum_partialcoll *.tbs
>
Hello,
On Saturday, 25 June 2016 01:45:49 UTC+2, Kathleen Wilson wrote:
> It seems that ETSI has not yet officially retired ETSI TS 102 042, although
> they published ETSI EN 319 411-1 which "is derived from the requirements
> specified in ETSI TS 102 042".
>
> Can CAs continue to use the
Hello,
On Tuesday, 10 May 2016 10:10:49 UTC+2, Kurt Roeckx wrote:
> On 2016-05-10 02:07, Kathleen Wilson wrote:
> > Thanks to all of you who have reviewed and commented on this request from
> > DocuSign to include the following root certificates, turn on the Websites
> > and Email trust bits
Good evening,
On Wednesday, 17 February 2016 02:11:58 UTC+1, Charles Reiss wrote:
> On 02/09/16 20:07, Kathleen Wilson wrote:
> > This request by DocuSign (OpenTrust/Keynectis/Certplus) is to include
> > the following root certificates, turn on the Websites and Email trust
> > bits for all of them,
Good evening,
On Wednesday, 10 February 2016 00:15:11 UTC+1, Charles Reiss wrote:
> On 02/09/16 20:07, Kathleen Wilson wrote:
> > This request by DocuSign (OpenTrust/Keynectis/Certplus) is to include
> > the following root certificates, turn on the Websites and Email trust
> > bits for all of them,
Hello,
On Tuesday, 9 February 2016 22:41:37 UTC+1, David E. Ross wrote:
> On 2/9/2016 12:07 PM, Kathleen Wilson wrote:
>
> [snipped]
>
> > * Audit: Annual audits are performed by LSTI according to the ETSI TS
> > 102 042 criteria.
> >
On Monday, 8 February 2016 21:43:19 UTC+1, Kathleen Wilson wrote:
> On 2/8/16 12:22 PM, Kathleen Wilson wrote:
> > On 2/8/16 12:18 PM, Kathleen Wilson wrote:
> >> All,
> >>
> >> We recently added two tests that CAs must perform and resolve errors for
> >> when they are requesting to enable the
Hello,
On Tuesday, 9 February 2016 10:47:16 UTC+1, Jesus F wrote:
> Dear all,
>
> As A-Trust request EV treatment, I checked the EV issued certificates from
> a-sign-SSL-EV-05 subordinate in crt.sh
> (https://crt.sh/?Identity=%25=6096)
>
> ALL of them states in businessCategory the
On Sunday, 31 January 2016 18:47:53 UTC+1, Peter Bowen wrote:
> Sub-CA under SHECA (which has applied to be in the Mozilla program)
> https://crt.sh/?id=12367776=cablint
Wow. Each certificate has its own CRL. And this CRL is not properly partitioned
(missing IDP extension).
Good evening,
On Wednesday, 28 October 2015 14:53:39 UTC+1, raf...@gmail.com wrote:
> > However, https://crt.sh/?id=8983568 shows a TLS server certificate valid
> > for 4 years and delivered in 2015.
> As already it has been commented, this subCA was developed for a private and
> restricted
On Wednesday, 21 October 2015 21:18:26 UTC+2, Kathleen Wilson wrote:
> FNMT has applied to include the "AC RAIZ FNMT-RCM" root certificate and
> enable the Websites trust bit.
[...]
> The request is documented in the following bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=435736
[...]
>
On Monday, 5 October 2015 19:36:03 UTC+2, Peter Kurrasch wrote:
> TL;DR... [...Peter and Ryan more than disagree...]
Please, stay cool, kiss each other.
> Let's consider a (hypothetical) situation where I'm a manufacturer of
> anti-lock braking systems that go into cars made by 5 different
Hello Peter,
On Sunday, 12 April 2015 09:32:40 UTC+2, Peter Gutmann wrote:
Erwann Abalea eaba...@gmail.com writes:
That's really an OID, in the Microsoft arc. I don't know what triggered the
Error: OID contains random garbage message,
Uhh, the fact that it contains random garbage
On Monday, 6 April 2015 17:29:00 UTC+2, Anonymous wrote:
It would be very helpful if you could provide some evidence of this.
Qihoo 360 is a browser member of the CABForum, the product treats
certificate validation errors differently than other browsers, in a non
secure way.
But having
On Friday, 3 April 2015 21:34:46 UTC+2, Anonymous wrote:
> Microsoft has very little market share in terms of systems that they can
> push out updates to. Is it even the case that up-to-date instances of IE
> outnumber Firefox + Chrome?
I think there is a lot of confusion as to
On Wednesday, 25 March 2015 07:02:06 UTC+1, Daniel Micay wrote:
* Browser people detected this misissuance
This one, but not at least several others issued by this CA.
Are you still talking about facts? Then please provide other misissued
certificates.
* CAs don't want to go out of
On Tuesday, 24 March 2015 09:59:47 UTC+1, Gervase Markham wrote:
On 24/03/15 00:00, Peter Bowen wrote:
[...]
- What response has there been from CNNIC on this issue? How do they
explain issuing a subordinate CA certificate with a private key not
being on a HSM meeting the Baseline
On Tuesday, 24 March 2015 15:32:10 UTC+1, Florian Weimer wrote:
* Kurt Roeckx:
We know that not everybody does add the SANs. But I think that if
there is a name constraint and there is no SAN we should just either
reject the certificate for being invalid or for not matching.
This has to
On Sunday, 15 March 2015 01:59:10 UTC+1, Peter Bowen wrote:
I've been trying to figure out what is required, forbidden, and
optional for X.509 certificates that conform to the Mozilla
requirements. It isn't all that easy given the indirection in the
requirements (you need at least the
On Monday, 16 March 2015 21:47:07 UTC+1, Peter Bowen wrote:
On Mon, Mar 16, 2015 at 1:04 PM, Erwann Abalea eaba...@gmail.com wrote:
On Monday, 16 March 2015 19:30:47 UTC+1, Peter Bowen wrote:
On Mon, Mar 16, 2015 at 10:52 AM, Erwann Abalea eaba...@gmail.com wrote:
On Sunday, 15 March 2015
On Monday, 16 March 2015 19:30:47 UTC+1, Peter Bowen wrote:
On Mon, Mar 16, 2015 at 10:52 AM, Erwann Abalea eaba...@gmail.com wrote:
On Sunday, 15 March 2015 01:59:10 UTC+1, Peter Bowen wrote:
I've been trying to figure out what is required, forbidden, and
optional for X.509 certificates
Hello,
On Friday, 6 February 2015 00:34:25 UTC+1, s...@gmx.ch wrote:
A few weeks ago, I got some mails about a broken iframe. The secure
connection to the remote server failed (OCSP error). The site was signed
by Swiss Government SSL CA 01. I contacted the technical support and
they told
Good evening,
On Wednesday, 19 November 2014 01:03:29 UTC+1, Renne Rodriguez wrote:
[...]
Comment 3:
The OCSP responders both include too many certificates, this has a
performance impact for your users; no need to include intermediate and root
certificates in the response. Not a blocker.
On Thursday, 20 November 2014 21:23:41 UTC+1, Brian Smith wrote:
Renne Rodriguez r...r...@ide...st.com wrote:
Comment 3:
The OCSP responders both include too many certificates, this has a
performance impact for your users; no need to include intermediate and root
certificates in the
On Thursday, 30 October 2014 19:17:41 UTC+1, Kathleen Wilson wrote:
IdenTrust has applied to include the IdenTrust Commercial Root CA 1
and IdenTrust Public Sector Root CA 1 root certificates, and turn on
the Websites and Email trust bits for both. The IdenTrust Commercial
Root CA 1 root
On Thursday, 23 October 2014 20:51:40 UTC+2, Kathleen Wilson wrote:
Staat der Nederlanden has applied to include the Staat der Nederlanden
Root CA - G3 and Staat der Nederlanden EV Root CA root certificates;
turn on the Websites and Email trust bits for the Staat der Nederlanden
Root CA - G3
On Friday, 3 October 2014 10:22:06 UTC+2, Kurt Roeckx wrote:
On 2014-10-02 18:53, Erwann Abalea wrote:
Yet, 2 different and incompatible CRLs from the same issuer exist:
[...]
The CRLNumber numbering has been restarted from 1, and the revoked
certificates list is different
Sorry, left hand kicked the tab key, don't remember what the right hand did but
it sent the mail... Continuing it.
On Friday, 3 October 2014 19:27:06 UTC+2, Erwann Abalea wrote:
On Friday, 3 October 2014 10:22:06 UTC+2, Kurt Roeckx wrote:
On 2014-10-02 18:53, Erwann Abalea wrote
On Thursday, 25 September 2014 22:54:07 UTC+2, Hubert Kario wrote:
- Original Message -
From: Chris Palmer p@google.com
[...]
SHA-1 signature algorithms are not per se bad right now; what's bad is
certificate chains using SHA-1 that will/would be valid too far in the
future.
On Friday, 26 September 2014 11:50:32 UTC+2, Ryan Sleevi wrote:
On Fri, September 26, 2014 2:39 am, Erwann Abalea wrote:
On Thursday, 25 September 2014 14:29:04 UTC+2, Gervase Markham wrote:
A question which occurred to me, and I thought I'd put before an
audience of the wise
Hello,
On Thursday, 11 September 2014 11:08:42 UTC+2, ad...@dnbcons.com wrote:
Dear Mozilla Community,
This is an unofficial statement from the Auditor (DNBCONS) in order to
clarify certain points discussed on this thread:
1)Is important to read promptly the *Scope* of our Audits, as
On Monday, 4 August 2014 18:34:50 UTC+2, Patrick McManus wrote:
Firefox 31 data:
on desktop the median successful OCSP validation took 261ms, and the 95th
percentile (looking at just the universe of successful ones) was over
1300ms. 9% of all OCSP requests on desktop timed out completely and
On Tuesday, 22 July 2014 20:29:40 UTC+2, Kathleen Wilson wrote:
[...]
If your intranet site is still working with Firefox 30 and not with
Nightly, it might be a side effect of our switch to mozilla::pkix as
described on this wiki page:
On Friday, 20 June 2014 01:20:56 UTC+2, Kathleen Wilson wrote:
China Financial Certification Authority (CFCA) has applied to include
the CFCA GT CA and CFCA EV ROOT root certificates, turn on all three
trust bits for the CFCA GT CA root certificate, turn on the websites
trust bit for
Hello Moises,
On Monday, 23 June 2014 11:53:05 UTC+2, anf.ac...@gmail.com wrote:
On Friday, 20 June 2014 17:07:05 UTC+2, Erwann Abalea wrote:
Under ANF Global Root CA:
https://kerberosns.com/cloud
EV certificate is not compliant with EV Guidelines:
[...]
Hello
On Thursday, 10 April 2014 16:28:38 UTC+2, Rob Stradling wrote:
The Mozilla CA Certificate Maintenance Policy (Version 2.2) [1] says
(emphasis mine):
CAs _must revoke_ Certificates that they have issued upon the
occurrence of any of the following events:
...
- the CA obtains _reasonable
Hello,
On Thursday, 13 March 2014 11:23:34 UTC+1, Adriano Santoni - Actalis S.p.A. wrote:
On 13/03/2014 01:09, Erwann Abalea wrote:
[...]
The authorized OCSP responders certificates don't contain the mandatory
OCSPNoCheck extension (BR 1.1, section 13.2.5).
We forgot that extension
On Thursday, 6 March 2014 22:43:12 UTC+1, Kathleen Wilson wrote:
Actalis has applied to enable EV treatment for the Actalis
Authentication Root CA root certificate that was included in NSS via
bug #520557.
[...]
* EV Policy OID: 1.3.159.1.17.1
* Test Website:
Hello Samuel,
On Thursday, 6 March 2014 10:37:30 UTC+1, spar...@gmail.com wrote:
Let me start with the Webtrust audit the Crosscert got.
The Webtrust audit Crosscert received is for the Verisign service they are
offering.
For your information, Crosscert is also a sub-CA of Verisign.
On Wednesday, 29 January 2014 01:25:28 UTC+1, Kathleen Wilson wrote:
DigiCert has applied to include 5 new root certificates that will
eventually replace the 3 DigiCert root certificates that were included
in NSS via bug #364568. The request is to turn on all 3 trust bits and
enable EV for
On Monday, 17 February 2014 13:09:49 UTC+1, Rob Stradling wrote:
On 17/02/14 11:49, Erwann Abalea wrote:
snip
- the ECC certificates have a keyUsage set to digitalSignature and
keyAgreement;
keyAgreement is correct wrt the public key (id-ecPublicKey covers both
ECDSA and
ECDH keys
On Friday, 1 November 2013 23:58:59 UTC+1, Kathleen Wilson wrote:
WoSign has applied to include the “Certification Authority of WoSign”
and “CA WoSign” root certificates, turn on all three trust bits for both
root certs, and enable EV treatment for both root certs.
[...]
The request is