Re: Transforming a trade name into ASCII in the O field of an OV cert

On Tue, Apr 24, 2018 at 11:03 PM, cbonnell--- via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > On Tuesday, April 24, 2018 at 4:33:24 PM UTC-4, Henri Sivonen wrote: >> On Tue, Apr 24, 2018 at 10:18 PM, Jeremy Rowley via >> dev-security-policy

Re: Transforming a trade name into ASCII in the O field of an OV cert

On Tue, Apr 24, 2018 at 10:32 PM, Henri Sivonen <hsivo...@hsivonen.fi> wrote: > On Tue, Apr 24, 2018 at 10:18 PM, Jeremy Rowley via > dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: >> That is correct. We use transliteration of non-latin names throug

Re: Transforming a trade name into ASCII in the O field of an OV cert

On Sun, Apr 15, 2018 at 6:47 PM, Ryan Sleevi <r...@sleevi.com> wrote: > > On Sun, Apr 15, 2018 at 9:13 AM Henri Sivonen via dev-security-policy > <dev-security-policy@lists.mozilla.org> wrote: >> >> (Mozilla hat off.) >> >> After reading about the C

Transforming a trade name into ASCII in the O field of an OV cert

field of the cert for https://www.alandsbanken.fi/ . [1] https://www.saastopankki.fi/ is the primary address to which http://säästöpankki.fi/ (but not https!) redirects. Web site operators in Finland generally prefer interoperability with non-IDN-cabable usage over correct spelling. -- Henr

Estonia e-residency instructing users not to update Firefox (on Mac)

to belong to. However, I hear that a link to this post was distributed to e-residents in a manner that suggests that this blog actually belongs to whom it claims to belong. -- Henri Sivonen hsivo...@hsivonen.fi https://hsivonen.fi/ ___ dev-security-policy

Re: StartCom continues to sell untrusted certificates

e have been a number of Firefox ESR security patch releases that post-date the SeaMonkey release. Is SeaMonkey still active, despite appearing not to ship Gecko security updates, and does SeaMonkey implement the same trust special-casing as Firefox? It seems to produce nightlies still.)

Re: Removing "Wildcard DV Certs" from Potentially Problematic Practices list

ts. A wildcard cert solves this, and the solution should be broadly available (not just to those who pay for OV). -- Henri Sivonen hsivo...@hsivonen.fi https://hsivonen.fi/ ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https:/

Re: Incidents involving the CA WoSign

have any questions, > thanks. In the table on page 13, line 6 looks different from the others. Should that line be in the table on page 14 instead? -- Henri Sivonen hsivo...@hsivonen.fi https://hsivonen.fi/ ___ dev-security-policy mailing lis

Re: Sanctions short of distrust

cord said otherwise, could they issue then? I'd expect issuance not to be allowed in that case (at least if the CAA record is still there after clearing DNS caches). Surely a legitimate CTO should have the means to have the CAA record adjusted (even if a CTO couldn't change a mistakenly long previousl

Re: Client certs

and all hell will break lose). Is there anything that can be done to help avoid all hell breaking loose here? -- Henri Sivonen hsivo...@hsivonen.fi https://hsivonen.fi/ ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https

Re: Indicators for high-security features

have the new indicator to fix their act to get the new indicator. -- Henri Sivonen hsivo...@hsivonen.fi https://hsivonen.fi/ ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy

Re: Question about BR audit

to run a globally-trusted CA but has not found out about the Baseline Requirements before applying seems pretty scary. -- Henri Sivonen hsivo...@hsivonen.fi https://hsivonen.fi/ ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org