Re: SECURITY RELEVANT FOR CAs: The curious case of the Dangerous Delegated Responder Cert

2020-11-18 Thread Jakob Bohm via dev-security-policy
m. However this solution seems to not rely on PKI clients having fail-hard CRL/OCSP handling, but on them having a way to enforce SubCA revocations. This includes Mozilla OneCRL, the static CRL support in OpenSSL and the "Untrusted Certificates" feature in MS CryptoAPI. ... Enjoy Jakob

Re: SECURITY RELEVANT FOR CAs: The curious case of the Dangerous Delegated Responder Cert

2020-11-17 Thread Jakob Bohm via dev-security-policy
laining. Unfortunately, as your post highlights, CAs have largely optimized for reducing "financial strain", and thus, haven't really tried to be the best or have the best. And I think, for users, that's unfortunate. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wi

Re: Policy 2.7.1: MRSP Issue #186: Requirement to Disclose Self-signed Certificates

2020-11-12 Thread Jakob Bohm via dev-security-policy
ions on how we can make this language even more clear. How would that phrasing cover doppelgangers of intermediary SubCAs under an included root CA? Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 T

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-06 Thread Jakob Bohm via dev-security-policy
t audits from. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones

Re: Policy 2.7.1: MRSP Issue #153: Cradle-to-Grave Contiguous Audits

2020-11-06 Thread Jakob Bohm via dev-security-policy
or even required by the root programs. Thus the hypothetical scenario could land the CAO in an impossible situation, if root program requirements or common CA protocols change, and those changes would require even one additional signature by the root CA Key Pair. Enjoy Jakob -- Jakob Bohm

Re: Policy 2.7.1: MRSP Issue #186: Requirement to Disclose Self-signed Certificates

2020-11-02 Thread Jakob Bohm via dev-security-policy
On 2020-10-30 18:45, Ryan Sleevi wrote: On Fri, Oct 30, 2020 at 12:38 PM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On 2020-10-30 16:29, Rob Stradling wrote: Perhaps add: "And also include any other certificates sharing the same private/publi

Re: Policy 2.7.1: MRSP Issue #186: Requirement to Disclose Self-signed Certificates

2020-10-30 Thread Jakob Bohm via dev-security-policy
"as CA certificates". ____ From: Jakob Bohm via dev-security-policy Sent: 29 October 2020 14:57 To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Policy 2.7.1: MRSP Issue #186: Requirement to Disclose Self-signed Certificates On 2020-10-29 01:25, Ben Wilson wrote

Re: TLS certificates for ECIES keys

2020-10-30 Thread Jakob Bohm via dev-security-policy
cates with a unique EKU other than the generic "Server Authentication" traditionally associated with TLS. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion mess

Re: TLS certificates for ECIES keys

2020-10-29 Thread Jakob Bohm via dev-security-policy
te in the above system without violating the relevant requirements? Thanks, Jacob Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - R

Re: Policy 2.7.1: MRSP Issue #186: Requirement to Disclose Self-signed Certificates

2020-10-29 Thread Jakob Bohm via dev-security-policy
aps add: "And also include any other certificates sharing the same private/public key pairs as certificates already included in the requirements." (this covers the situation you mentioned where a self-signed certificate shares the key pair of a certificate that chains to an included roo

Re: EJBCA performs incorrect calculation of validities

2020-10-28 Thread Jakob Bohm via dev-security-policy
On 2020-10-28 20:54, Ryan Sleevi wrote: On Wed, Oct 28, 2020 at 10:50 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: This aspect of RFC5280 section 4.1.2.5 is quite unusual in computing, where the ends of intervals are typically e

Re: EJBCA performs incorrect calculation of validities

2020-10-28 Thread Jakob Bohm via dev-security-policy
seems another detail where the old IETF working group made things unnecessarily complicated for everybody. From a policy perspective, if enough code out there has the same interpretation as old EJBCA versions, maybe it would make more sense for the policy bodies to override RFC5280. Enjoy Jako

Re: PEM of root certs in Mozilla's root store

2020-10-19 Thread Jakob Bohm via dev-security-policy
On 2020-10-17 01:38, Ryan Sleevi wrote: On Fri, Oct 16, 2020 at 5:27 PM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: RFC4180 section 3 explicitly warns that there are other variants and specifications of the CSV format, and thus the full generaliz

Re: PEM of root certs in Mozilla's root store

2020-10-16 Thread Jakob Bohm via dev-security-policy
On 2020-10-16 14:11, Ryan Sleevi wrote: On Thu, Oct 15, 2020 at 7:44 PM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On 2020-10-15 11:57, Ryan Sleevi wrote: On Thu, Oct 15, 2020 at 1:14 AM Jakob Bohm via dev-security-policy < dev-securi

Re: Sectigo to Be Acquired by GI Partners

2020-10-16 Thread Jakob Bohm via dev-security-policy
rification started with: > In addition to the questions posted by Wayne, I think it'd be useful > to confirm: > ... Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion mes

Re: Sectigo to Be Acquired by GI Partners

2020-10-15 Thread Jakob Bohm via dev-security-policy
s intended. From: dev-security-policy on behalf of Jakob Bohm via dev-security-policy Sent: 12 October 2020 22:41 To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Sectigo to Be Acquired by GI Partners Hi Rob, The e-mail you quote below seems to be ina

Re: PEM of root certs in Mozilla's root store

2020-10-15 Thread Jakob Bohm via dev-security-policy
On 2020-10-15 11:57, Ryan Sleevi wrote: On Thu, Oct 15, 2020 at 1:14 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: For example, embedded new lines are discussed in 2.6 and the ABNF therein. The one difference from RFC4180 is that CR

Re: PEM of root certs in Mozilla's root store

2020-10-14 Thread Jakob Bohm via dev-security-policy
On 2020-10-15 04:52, Ryan Sleevi wrote: On Wed, Oct 14, 2020 at 7:31 PM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: Only the CSV form now contains CSV artifacts. And it isn't really CSV either (even if Microsoft Excel handles it). Hi Jakob, Cou

Re: PEM of root certs in Mozilla's root store

2020-10-14 Thread Jakob Bohm via dev-security-policy
published directly via the CCADB. I think that providing the data in an easily consumable format is better than having folks extract the data from certdata.txt. Thanks, Kathleen Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmar

Re: PEM of root certs in Mozilla's root store

2020-10-14 Thread Jakob Bohm via dev-security-policy

Re: PEM of root certs in Mozilla's root store

2020-10-13 Thread Jakob Bohm via dev-security-policy
On 2020-10-12 20:50, Kathleen Wilson wrote: On 10/7/20 1:09 PM, Jakob Bohm wrote: Please note that at least the first CSV download is not really a CSV file, as there are line feeds within each "PEM" value, and only one column.  It would probably be more useful as a simple concat

Re: Sectigo to Be Acquired by GI Partners

2020-10-12 Thread Jakob Bohm via dev-security-policy

Re: PEM of root certs in Mozilla's root store

2020-10-07 Thread Jakob Bohm via dev-security-policy
certificates and labels them as simply "mozilla/cert-public-name", even though more useful naming can be extracted from the last (most complete) report, after finding a non-gui tool that can actually parse CSV files with embedded newlines in string values. Enjoy Jakob -- Jakob

Re: Temporary WebTrust Seal for COVID Issues

2020-08-24 Thread Jakob Bohm via dev-security-policy
oid transporting the virus between redundant backup CA offices that have been kept separate to ensure CA operations continue even if every person at one office becomes critically ill. Thanks, Ben Wilson Mozilla Root Store Manager <https://wiki.mozilla.org/CA/Audit_Statements#Audit_Delay>

Re: [FORGED] Re: How Certificates are Verified by Firefox

2019-12-09 Thread Jakob Bohm via dev-security-policy
ilified server brand actually does use AIA to build the server chain. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may

Re: Certificate OU= fields with missing O= field

2019-11-01 Thread Jakob Bohm via dev-security-policy
on 3.2.2.1. I'm pretty sure this isn't what the BRs intended, but this appears to forbid issuance with a meaningful subject:organizationalUnitName unless all of the above attributes are populated. EVG §9.2.9 forbids including those attributes in the first place. Am I reading this wrong, or was

Re: Firefox removes UI for site identity

2019-10-23 Thread Jakob Bohm via dev-security-policy
. It was moved entirely off screen, and replaced with very subtle differences in the contents of a pop-up. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding

Re: CAs cross-signing roots whose subjects don't comply with the BRs

2019-10-08 Thread Jakob Bohm via dev-security-policy
ore Browser Policy made BR compliance mandatory. In other words, BR non-compliance may not have been actual non-compliance at that time. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public di

Re: CAs cross-signing roots whose subjects don't comply with the BRs

2019-10-07 Thread Jakob Bohm via dev-security-policy
On 07/10/2019 17:35, Ryan Sleevi wrote: > On Mon, Oct 7, 2019 at 11:26 AM Jakob Bohm via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> On 07/10/2019 16:52, Ryan Sleevi wrote: >>> I'm curious how folks feel about the following practi

Re: CAs cross-signing roots whose subjects don't comply with the BRs

2019-10-07 Thread Jakob Bohm via dev-security-policy
-cut violation of the Baseline Requirements, and "Foo" could have pursued an alternative hierarchy to avoid needing to cross-sign. However, I thought it interesting to solicit others' feedback on this situation, before opening the CA incident for Foo. Enjoy Jakob -- Jakob Bohm, CIO, Partne

Re: DigiCert OCSP services returns 1 byte

2019-09-17 Thread Jakob Bohm via dev-security-policy
unhelpful and should >> be revised to have a much smaller scope. Surely only the serial number >> uniqueness requirement (RFC5280 section 4.1.2.2) needs to be relaxed, >> not the entirety of RFC5280? >> - I would also like to see BR 4.9.10 revised to say something roughly

Re: DigiCert OCSP services returns 1 byte

2019-09-16 Thread Jakob Bohm via dev-security-policy
le component (such as a COTS disk system or COTS server) fails. - A system failure during actual certificate signing needs to be detected and handled within the 24 hour deadline. But such failures are typically detected within the hour, thus during any business hours signing ceremony. Also qu

Re: Question about the issuance of OCSP Responder Certificates by technically constrained CAs

2019-09-04 Thread Jakob Bohm via dev-security-policy
hat contain the EKU for Microsoft compatibility. This is especially bad if the SubCA is controlled by an entity other than its direct parent CA. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This pub

Re: 2019.08.28 Let’s Encrypt OCSP Responder Returned “Unauthorized” for Some Precertificates

2019-09-02 Thread Jakob Bohm via dev-security-policy
On 03/09/2019 00:54, Ryan Sleevi wrote: > On Mon, Sep 2, 2019 at 2:14 PM Alex Cohn via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> On Mon, Sep 2, 2019 at 12:42 PM Jakob Bohm via dev-security-policy < >> dev-security-policy@lists.mozilla

Re: 2019.08.28 Let’s Encrypt OCSP Responder Returned “Unauthorized” for Some Precertificates

2019-09-02 Thread Jakob Bohm via dev-security-policy
On 02/09/2019 20:13, Alex Cohn wrote: On Mon, Sep 2, 2019 at 12:42 PM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: If an OCSP server supports returning (or always returns) properties of the actual cert, such as the CT proofs, then it really cannot

Re: 2019.08.28 Let’s Encrypt OCSP Responder Returned “Unauthorized” for Some Precertificates

2019-09-02 Thread Jakob Bohm via dev-security-policy
Responder Returned “Unauthorized” > for Some Precertificates > > I don't recall the cab forum ever contemplating or discussing ocsp for > precertificates. The requirement to provide responses is pretty clear, but > what that response should be is a little confusing imo. > ... Enjoy

Re: 2019.08.28 Let’s Encrypt OCSP Responder Returned “Unauthorized” for Some Precertificates

2019-08-30 Thread Jakob Bohm via dev-security-policy
riber to use the validity before the cert actually exists, while in other cases it is not possible, except for the difficulty in proving that the cert doesn't exist. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +4

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Jakob Bohm via dev-security-policy
On 29/08/2019 19:47, Nick Lamb wrote: > On Thu, 29 Aug 2019 17:05:43 +0200 > Jakob Bohm via dev-security-policy > wrote: > >> The example given a few messages above was a different jurisdiction >> than those two easily duped company registries. > > I see. Perha

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-29 Thread Jakob Bohm via dev-security-policy
timate. > > Remember, the British government doesn't care that Authorised Web Site > is a stupid name for a company, that its named officers are the > characters in Toy Story, that its claimed offices are a building site, > nor even that it has never filed (and never will file) an

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-27 Thread Jakob Bohm via dev-security-policy
On 27/08/2019 08:03, Peter Gutmann wrote: > Jakob Bohm via dev-security-policy > writes: > >> <https://www.typewritten.net/writer/ev-phishing/> and >> <https://stripe.ian.sh/> both took advantage of weaknesses in two >> government registries >

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-26 Thread Jakob Bohm via dev-security-policy
On 26/08/2019 21:49, Jonathan Rudenberg wrote: > On Mon, Aug 26, 2019, at 15:01, Jakob Bohm via dev-security-policy wrote: >> <https://www.typewritten.net/writer/ev-phishing/> and >> <https://stripe.ian.sh/> both took advantage of weaknesses in two >> government

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-26 Thread Jakob Bohm via dev-security-policy
df An undated(!) study involving highly outdated browsers. No indication this was ever in a peer reviewed journal. DV is sufficient. Why pay for something you don't need? Unproven claim, especially by studies from before free DV without traceable credit card payments became the norm.

Re: Jurisdiction of incorporation validation issue

2019-08-23 Thread Jakob Bohm via dev-security-policy
ding of company bylaws, would assume all companies are registered and incorporated at the county level, because the bylaws will usually not even mention the country (or the registration number, as the initial bylaws must be submitted to get a number). Enjo

Re: Jurisdiction of incorporation validation issue

2019-08-23 Thread Jakob Bohm via dev-security-policy
search this further to set up proper templates and scripts for validating EV/OV/IV applicants claiming C=DK. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding a

Re: CA handling of contact information when reporting problems

2019-08-19 Thread Jakob Bohm via dev-security-policy
is one of claiming a subscriber violates a subjective rule, such as malicious cert use or name ownership conflicts. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-17 Thread Jakob Bohm via dev-security-policy
indicator bar is still better than just nothing. AntiPhishing filters are not a good alternative because they only protect when the harm is already done to some users. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct

Re: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-16 Thread Jakob Bohm via dev-security-policy
, while ignoring any and all improvements since your original write-ups. You really should look at the long term agendas at work here and reconsider what you may be inadvertently supporting. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-14 Thread Jakob Bohm via dev-security-policy
On 14/08/2019 18:18, Peter Bowen wrote: On Tue, Aug 13, 2019 at 4:24 AM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: A policy of switching from positive to negative indicators of security differences is no justification to switch to NO indi

Re: Fwd: Intent to Ship: Move Extended Validation Information out of the URL bar

2019-08-13 Thread Jakob Bohm via dev-security-policy
vilpie for working on it!). We're planning to flip this pref to false in bug 1572936 <https://bugzilla.mozilla.org/show_bug.cgi?id=1572936>. Please let us know if you have any questions or concerns, Wayne & Johann Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo

Re: How to use Cross Certificates to support Root rollover

2019-08-05 Thread Jakob Bohm via dev-security-policy
e ISRG root. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Managemen

Re: Comodo password exposed in GitHub allowed access to internal Comodo files

2019-07-29 Thread Jakob Bohm via dev-security-policy
embarrassing incidents like this happen to you. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management

Re: Nation State MITM CA's ?

2019-07-20 Thread Jakob Bohm via dev-security-policy
, no matter the source. I believe this is either done, or easy to add. On Friday, July 19, 2019 at 1:27:17 PM UTC-7, Jakob Bohm wrote: On 19/07/2019 21:13, andrey...@gmail.com wrote: I am confused. Since when Mozilla is under obligation to provide customized solutions for corporate MITM? IMHO

Re: Nation State MITM CA's ?

2019-07-20 Thread Jakob Bohm via dev-security-policy
crecy from even the authorities. A large home to consider could be 4 generations living together, with 8 to 10 children and 4 spouses for each in each generation, but in relative poverty. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søbor

Re: Nation State MITM CA's ?

2019-07-19 Thread Jakob Bohm via dev-security-policy
malicious and user-helping systems. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs

Re: Nation State MITM CA's ?

2019-07-19 Thread Jakob Bohm via dev-security-policy

Re: Expired Root CA in certdata.txt

2019-07-15 Thread Jakob Bohm via dev-security-policy
including Public CA certificates. So an expired certificate means that the key cannot be used anymore. I'm still not expressing this message as an issue, but a suggestion to update/remove those expired Public Keys from your certdata.txt. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/

Re: Logotype extensions

2019-06-18 Thread Jakob Bohm via dev-security-policy
On 14/06/2019 18:54, Ryan Sleevi wrote: > On Fri, Jun 14, 2019 at 4:12 PM Jakob Bohm via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> In such a case, there are two obvious solutions: >> >> A. Trademark owner (prompted by applic

Re: Logotype extensions

2019-06-14 Thread Jakob Bohm via dev-security-policy
r the applicant, such as keeping their online webshop legally separate from their core IP assets). Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and

Re: Certinomis Issues

2019-05-17 Thread Jakob Bohm via dev-security-policy
On 17/05/2019 07:21, Jakob Bohm wrote: > On 17/05/2019 01:39, Wayne Thayer wrote: >> On Thu, May 16, 2019 at 4:23 PM Wayne Thayer wrote: >> >> I will soon file a bug requesting removal of the “Certinomis - Root CA” >>> from NSS. >>> >> >> T

Re: Certinomis Issues

2019-05-16 Thread Jakob Bohm via dev-security-policy
certificates that expire on or before 2019-08-31, as those will be unaffected by a September distrust. - Exclude certificates issued after 2019-05-17 (today), as Certinomis should be aware of the likely distrust by tonight. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https

Re: Certinomis Issues

2019-05-09 Thread Jakob Bohm via dev-security-policy
X9Wz_AQAJ [3] https://crt.sh/?opt=cablint=160150786 Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Managem

Re: Policy 2.7 Proposal: Exclude Policy Certification Authorities from EKU Requirement

2019-05-09 Thread Jakob Bohm via dev-security-policy
On 10/05/2019 05:25, Ryan Sleevi wrote: On Thu, May 9, 2019 at 10:44 PM Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On 09/05/2019 16:35, Ryan Sleevi wrote: Given that the remark is that such a desire is common, perhaps you can provide some ex

Re: Policy 2.7 Proposal: Exclude Policy Certification Authorities from EKU Requirement

2019-05-09 Thread Jakob Bohm via dev-security-policy
On 09/05/2019 16:35, Ryan Sleevi wrote: > On Wed, May 8, 2019 at 10:36 PM Jakob Bohm via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> [ Note, I am arguing a neutral position on the specific proposal ] >> >> The common purpose of havi

Re: Policy 2.7 Proposal: Exclude Policy Certification Authorities from EKU Requirement

2019-05-08 Thread Jakob Bohm via dev-security-policy
depend on the abilities of corporate software packages. >> Does this clarify why having a single "Org CA" would help in deployment >> in some enterprise environments? >> > > Yes. Hopefully my response demonstrates why, based on the preconditions, > there is no nec

Re: Unretrievable CPS documents listed in CCADB

2019-05-03 Thread Jakob Bohm via dev-security-policy
a CA. Linking directly to the document would help a lot. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service

Re: Certinomis Issues

2019-05-01 Thread Jakob Bohm via dev-security-policy
ference into EN 319 401 (the above quote is a statement of intent to include the BR requirements that existed when EN 319 401 was written). That said, Mozilla policy at the time may have explicitly stated that an EN 319 401 audit is/was sufficient for Mozilla inclusion purposes. Enjoy Jakob -- Jako

Re: Policy 2.7 Proposal: Require EKUs in End-Entity Certificates

2019-04-16 Thread Jakob Bohm via dev-security-policy
system) a different assigned OID such as 9.88.999. thus not overlapping. Thus no risk of conflicting uses unless someone breaks the basic OID rules. The actual risk (as illustrated by EV) is getting too many different OIDs for the same thing. Enjoy Jakob -- Jakob Bohm, CIO, Partner

Re: Arabtec Holding public key? [Weird Digicert issued cert]

2019-04-15 Thread Jakob Bohm via dev-security-policy
19 6:57 PM, Jakob Bohm via dev-security-policy wrote: Thanks for the explanation. Is it possible that a significant percentage of less-skilled users simply pasted in the wrong certificates by mistake, then wondered why their new certificates never worked? Pasting in the wrong certificate from an

Re: Arabtec Holding public key? [Weird Digicert issued cert]

2019-04-15 Thread Jakob Bohm via dev-security-policy
since disabled that system, although we didn't file any incident report (for the reasons discussed so far). -Original Message- From: dev-security-policy On Behalf Of Wayne Thayer via dev-security-policy Sent: Friday, April 12, 2019 10:39 AM To: Jakob Bohm Cc: mozilla-dev-security

Re: Arabtec Holding public key? [Weird Digicert issued cert]

2019-04-11 Thread Jakob Bohm via dev-security-policy
for the Digicert root. Why still no response from Digicert? Has this been reported to them directly? Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may

Re: Policy 2.7 Proposal: Clarify Section 5.1 ECDSA Curve-Hash Requirements

2019-04-04 Thread Jakob Bohm via dev-security-policy
b.com/mozilla/pkipolicy/commit/3e38142acd28b152eca263e7528fac940efb20e2 [3] https://github.com/mozilla/pkipolicy/issues/5 [4] https://github.com/mozilla/pkipolicy/issues/170 Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This pu

Re: Apple: Non-Compliant Serial Numbers

2019-04-01 Thread Jakob Bohm via dev-security-policy
after their last actual use. 2h. Servers managed by teams that are busy with unrelated tasks at this time. 2o. Obscure servers that are rarely touched, causing practical problems locating the teams responsible. 2p. Anything else. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. htt

Re: Policy 2.7 Proposal: Clarify Meaning of "Technically Constrained"

2019-03-29 Thread Jakob Bohm via dev-security-policy
cal kind of wildcard EE cert). This of course remains applicable to all the kinds of identities recognized and regulated by the Mozilla root program, which currently happens to be server domain, EV organization, and e-mail address identities. I realize that the BR meaning may be intended to be

Re: Applicability of SHA-1 Policy to Timestamping CAs

2019-03-25 Thread Jakob Bohm via dev-security-policy
On 25/03/2019 23:42, Wayne Thayer wrote: > My general sense is that we should be doing more to discourage the use of > SHA-1 rather than less. I've just filed an issue [1] to consider a ban on > SHA-1 S/MIME certificates in the future. > > On Mon, Mar 25, 2019 at 10:54 AM Jak

Re: GRCA Incident: BR Compliance and Document Signing Certificates

2019-03-25 Thread Jakob Bohm via dev-security-policy
y fixed/upgraded to remove the problem. If there is no such problematic tool in the target environment, GRCA could (like other CAs in the Mozilla root program) make a list of needed specific EKU oids and include them all in their certificate template. Enjoy Jakob -- Jakob Bohm, CIO, Partner, Wi

Re: Applicability of SHA-1 Policy to Timestamping CAs

2019-03-25 Thread Jakob Bohm via dev-security-policy
ntially named new issuing CAs for these purposes at regular intervals (perhaps annually), however this is against current Mozilla Policy if the root is still in the Mozilla program (as an anchor for SHA2 WebPKI or e-mail certs). Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S.

Re: CFCA certificate with invalid domain

2019-03-18 Thread Jakob Bohm via dev-security-policy
have proven control of that domain. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs,

Re: A modest proposal for a better BR 7.1

2019-03-12 Thread Jakob Bohm via dev-security-policy
of the issued serial numbers, extract the bit positions that are random according to the CPS, then run statistical tests to check if they do indeed form a plausible output from a CSRNG. Note 4: In addition to external statistical tests, the auditor of the CA shall inspect the actual i

Re: The current and future role of national CAs in the root program

2019-03-08 Thread Jakob Bohm via dev-security-policy
The discussion certainly has been raised by a lot of people. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remo

Re: The current and future role of national CAs in the root program

2019-03-07 Thread Jakob Bohm via dev-security-policy
such that there will be a useful basis for discussion of whatever should or should not be done long term, once the specific single case has been handled. I did not wake this sleeping dog, it was barking and yanking its chain all week. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https

The current and future role of national CAs in the root program

2019-03-07 Thread Jakob Bohm via dev-security-policy
countries in which Telia-Sonera is the incumbent Telco (Finland, Sweden and Åland). This overall issue was touched repeatedly in the thread, especially point 3 above, but the earliest I could find was in Message ID posted on Fri, 22 Feb 2019 23:45:39 UTC by "cooperq" On 07/03/20

EJBCA defaulting to 63 bit serial numbers

2019-03-07 Thread Jakob Bohm via dev-security-policy
Kushner from EJBCA and a discovery that Google Trust Services was also hit with this issue to the tune of 100K non-compliant certificates. On 07/03/2019 18:59, Jakob Bohm wrote: > This thread is intended to be a catalog of general issues that come/came > up at various points in the Dark

General issues that came up in the DarkMatter discussion(s)

2019-03-07 Thread Jakob Bohm via dev-security-policy
. Once again, no further mentions of DarkMatter in this thread are allowed, keep those in the actual DarkMatter threads. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non

Re: DarkMatter Concerns

2019-03-05 Thread Jakob Bohm via dev-security-policy
etely different such text than my private e-mail communication. As a lawyer you should be able to draft such a text much better than my own feeble attempt. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 3

Re: Public CA:certs with unregistered FQDN mis-issuance

2019-03-01 Thread Jakob Bohm via dev-security-policy
Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded

Re: Possible DigiCert in-addr.arpa Mis-issuance

2019-03-01 Thread Jakob Bohm via dev-security-policy
their face, be rejected - a >> CA should not have to join the Forum in order to be a CA. >> >> I do agree, however, that the use of WHOIS data continues to show >> problematic incidents - whether it's with OCR issues or manual entry - and >> suspect a more meaningful

Re: T-Systems invalid SANs

2019-02-27 Thread Jakob Bohm via dev-security-policy
,zlint Are duplicate SANs forbidden by any standard? (it's obviously wasteful, but RFC3280 seems to implicitly allow it). Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message

Re: CA ownership checking [DarkMatter Concerns]

2019-02-27 Thread Jakob Bohm via dev-security-policy
lly don't want to publish a hit list of whom criminal gangs (etc.) should target with violence, kidnapping, blackmail etc. when they want to get malicious certificates for use against high value targets. 4. If a CA still practices the "off-site split key secret trustees" way

Re: Possible DigiCert in-addr.arpa Mis-issuance

2019-02-27 Thread Jakob Bohm via dev-security-policy
e. It's also not clear if in-addr.arpa should even be issuable. I would like to take a moment to thank Ben Cartwright-Cox and igloo5 in pointing out this violation. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45

Re: DarkMatter Concerns

2019-02-25 Thread Jakob Bohm via dev-security-policy
Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded

Re: Firefox Revocation Documentation

2019-02-20 Thread Jakob Bohm via dev-security-policy
upstream stapling support. 3. Don't forget Thunderbird (technically no longer a primary Mozilla product, but still a major use of Mozilla certificate infrastructure). Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31

Re: Blog: Why Does Mozilla Maintain Our Own Root Certificate Store?

2019-02-18 Thread Jakob Bohm via dev-security-policy
On 19/02/2019 04:04, Ryan Sleevi wrote: > On Mon, Feb 18, 2019 at 4:59 PM Jakob Bohm via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> On 14/02/2019 23:31, Wayne Thayer wrote: >>> This may be of interest: >>> >>> >

Re: Blog: Why Does Mozilla Maintain Our Own Root Certificate Store?

2019-02-18 Thread Jakob Bohm via dev-security-policy
, replacing the Mozilla root store by relying on the OS root store would cut off its own feet. - Some participants in the community actively refuse to support use of the Mozilla root store in other open source initiatives. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https

Re: Certificate issued with OU > 64

2019-02-18 Thread Jakob Bohm via dev-security-policy
On 15/02/2019 19:33, Ryan Sleevi wrote: > On Fri, Feb 15, 2019 at 12:01 PM Jakob Bohm via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> Indeed, the report states that the bug was in the pre-issuance checking >> software. >> &g

Re: Certificate issued with OU > 64

2019-02-15 Thread Jakob Bohm via dev-security-policy
address, and so that the community at large can be aware of systemic risks or patterns and ensure that, regardless of what PKI software they use, the ecosystem can itself improve. Please continue to provide more details regarding this incident. Enjoy Jakob -- Jakob Bohm, CIO,

Re: P-384 and ecdsa-with-SHA512: is it allowed?

2019-02-11 Thread Jakob Bohm via dev-security-policy
the same P-384 ECDSA key pair with both SHA-384 and SHA-3-384 might be within some readings of the FIPS, but would still be vulnerable to the issue above (imagine a pre-image weakness being found in either hash algorithm, all signatures with such a key would then become suspect). Enjoy Ja

Re: GoDaddy Underscore Revocation Disclosure

2019-02-08 Thread Jakob Bohm via dev-security-policy
procedural delay. As pointed out in other recent cases, CA software must allow revoking a certificate without making it publicly valid first, in case Scenario B happens. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +4

Re: Re: Re: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-25 Thread Jakob Bohm via dev-security-policy
On 25/01/2019 19:23, Buschart, Rufus wrote: Hello Jakob! -Original Message- From: dev-security-policy On behalf of Jakob Bohm via dev-security-policy Sent: Friday, 25 January 2019 18:47 Example, if the subscriber fills out the human readable order form like

Re: Re: Incident Report DFN-PKI: Non-IDNA2003 encoded international domain names

2019-01-25 Thread Jakob Bohm via dev-security-policy
See above. > >>> What users type and see are issues that are best left to Application >>> Software Suppliers (browsers). >> >> So you're saying all the other software that deals with certificates > should >> instead add complexity? > > What they a

Re: Re: Re: Re: 46 Certificates issued with BR violations (KIR)

2019-01-21 Thread Jakob Bohm via dev-security-policy
On 18/01/2019 19:21, piotr.grabow...@kir.pl wrote: On Friday, 18 January 2019 18:44:23 UTC+1, user Jakob Bohm wrote: On 17/01/2019 21:12, Wayne Thayer wrote: Hello Piotr, On Thu, Jan 17, 2019 at 6:23 AM Grabowski Piotr wrote: Hello Wayne, I am very sorry for the delay