This blog post is very vague; one can understand from it that Microsoft will
not trust any new certificates from these two CAs:
"Microsoft will begin the natural deprecation of WoSign and StartCom
certificates by setting a “NotBefore” date ... Windows 10 will not trust any
new certifi
@lists.mozilla.org] On
Behalf Of Percy via dev-security-policy
Sent: Wednesday, August 9, 2017 2:03 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Microsoft to remove WoSign and StartCom certificates in Windows 10
https://blogs.technet.microsoft.com/mmpc/2017/08/08/microsoft-to-remove-wosign-and-startcom-certificates-in-windows-10/
Microsoft has concluded that the Chinese Certificate Authorities (CAs) WoSign
and StartCom have failed to maintain the standards required by our Trusted Root
Program. Observed
Hello M.D.S.P.,
We've posted the following update regarding Chrome's treatment of WoSign and
StartCom certificates to Chromium's Security-dev and net-dev groups. I've
included both links below in case you'd like to follow the discussion there.
https://groups.google.com/a/chromium.org/forum
WoSign and StartCom have been included as root CAs in official Android builds.
(https://code.google.com/p/android/issues/detail?id=71363
https://code.google.com/p/android/issues/detail?id=21632)
Apple has restricted/removed WoSign and StartCom from iOS 10.2. "Google has
determined that tw
On Monday, October 24, 2016 at 6:09:50 PM UTC-7, Kathleen Wilson wrote:
> The security blog about Distrusting New WoSign and StartCom Certificates has
> been published:
>
> https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
>
> Ch
Just came across the following Phishing site which is using a StartCom cert:
hXXps://serviices-intl.com/webapps/6fa9b/websrc
On 11/2/16, 6:32 PM, "dev-security-policy on behalf of Itzhak Daniel"
On Wednesday, November 2, 2016 at 5:22:30 PM UTC+2, Gervase Markham wrote:
> Hi Daniel,
>
> On 02/11/16 14:11, Itzhak Daniel wrote:
> As far as the DigiCert certs go, it is far too early to have an opinion
> on what Mozilla is or isn't doing.
I have to agree, the time span is too short (at least
ltiple instances of flat-out lying to Mozilla. I
would expect non-lying CAs to get a different treatment from lying ones.
> I wonder if WoSign/StartCom had ignored Mozilla Security
> Community to some degree, the same way Comodo and DigiCert are doing,
> would it have saved them.
I'm not sur
igned on 22
> October or later will be not verified by their future browser
> versions.
Both StartCom and WoSign were aware in advance that this was the
deadline we were proposing. How they communicated that to their
customers (or not) is up to them. If you are unhappy with them for
selling you a cert w
Interesting that Comodo and DigiCert are getting a different treatment, I
wonder if WoSign/StartCom had ignored Mozilla Security Community to some
degree, the same way Comodo and DigiCert are doing, would it have saved them.
(I don't know if there are chatters in the back, maybe I missed something
I think that the steps against StartCom are too extreme and I would like to
tell my personal opinion. First of all, I want to say that I don't have any
benefits when I tell this opinion, since I personally already switched to a
different CA.
(1) I did find any public answer from Apple, Google
On Monday, October 31, 2016 at 4:40:49 PM UTC-7, Percy wrote:
> Ryan,
> It's great Chrome will distrust WoSign and StartCom. Google's blog post
> stated that "Due to a number of technical limitations and concerns, Google
> Chrome is unable to trust all pre-existing certificates w
On Monday, October 31, 2016 at 5:07:06 PM UTC-7, nessun...@gmail.com wrote:
> I see that Google's response (and Apple's) is harsher than Mozilla, by
> categorically distrusting WoSign and StartCom without granting the option, as
> Mozilla does, to resubmit a new CA application after a s
I see that Google's response (and Apple's) is harsher than Mozilla, by
categorically distrusting WoSign and StartCom without granting the option, as
Mozilla does, to resubmit a new CA application after a set period of time
through which they work to correct their flawed procedures
Ryan,
It's great Chrome will distrust WoSign and StartCom. Google's blog post
stated that "Due to a number of technical limitations and concerns, Google
Chrome is unable to trust all pre-existing certificates while ensuring our
users are sufficiently protected from further misissuance.".
On Monday, October 24, 2016 at 6:09:50 PM UTC-7, Kathleen Wilson wrote:
> The security blog about Distrusting New WoSign and StartCom Certificates has
> been published:
>
> https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
>
> Ch
Kathleen,
This coverage is very encouraging! Among the sites you included, huanqiu, which
is a newspaper operated by the central government is notable. So far, no
censorship has been observed, contrary to the blanket censorship of the
previous CNNIC case.
response:
https://linux.cn/article-7898-1.html
https://www.sslchina.com/news20161025-mozilla-distrusted-new-wosign-and-startcom-certificates/
http://www.pcpop.com/doc/3/3522/3522780.shtml
http://www.solidot.org/story?sid=50116
http://www.cnbeta.com/articles/551603.htm
http://digi.163.com/16/1025/13
On Tuesday, 25 October 2016 4:30:39 PM UTC Percy wrote:
> StartCom on the other hand, issued no announcement
> (https://startssl.com/News) even under multiple explicit inquiries from
> multiple users
> (https://forum.startcomca.com/viewforum.php?f=16=549011a08d3a081898f1e1
> 542d3ecc10).
There is
That you have to ask WoSign.
The exact wording is
"将增加一个产品选项,用户可以选购从新的沃通(WoSign)中级根证书下签发的支持所有浏览器(包括火狐浏览器)的SSL证书,在过渡期八折优惠。此中级根证书将由全球信任的其他CA根证书签发,支持所有浏览器和所有新老终端设备。此项产品升级计划一个月内完成并为广大用户提供证书服务;"
My translation: [WoSign] will add a new product selection. Users can choose SSL
certs signed by the new
On 26/10/16 01:27, Percy wrote:
> WoSign will roll out a globally trusted intermediate cert to sign new
> certs with the existing WoSign system that had so many control
> failures.
>
> Does Mozilla and this community accept such a work-around for WoSign?
> If we do, then what's the point of
StartCom on the other hand, issued no announcement (https://startssl.com/News)
even under multiple explicit inquiries from multiple users
(https://forum.startcomca.com/viewforum.php?f=16=549011a08d3a081898f1e1542d3ecc10).
___
dev-security-policy
WoSign has posted an announcement regarding Mozilla's decision. In the
announcement, WoSign stated
WoSign actively cooperated with the investigation and has always fixed all the
issues immediately after the discovery and called Mozilla's decision
"exceptionally severe".
Certs issued by
On 24/10/16 06:55, Samuel Pinder wrote:
> There's some good questions there, actually. OEM SSL, does that mean
> another CA would be doing the validation and issuing using their own
> infrastructure and team, which you would be reselling via a
> constrained intermediate?
I suspect he means
ard
>
> From: Eric Mill [mailto:e...@konklone.com]
> Sent: Monday, October 24, 2016 12:05 PM
> To: Richard Wang <rich...@wosign.com>
> Cc: Kathleen Wilson <kwil...@mozilla.com>;
> mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Remediation Plan for WoSign a
: Monday, October 24, 2016 12:05 PM
To: Richard Wang <rich...@wosign.com>
Cc: Kathleen Wilson <kwil...@mozilla.com>;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Remediation Plan for WoSign and StartCom
Hi Richard,
A few questions -
1) Your post says "Ther
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Remediation Plan for WoSign and StartCom
>
> On Thursday, October 20, 2016 at 6:59:08 PM UTC-7, Percy wrote:
> > Kathleen,
> > As most users affected by this decision are Chinese, will you be able to
> make th
to translate.
>
> As I stated earlier, there is almost no news of the distrust of
> WoSign/StartCom on the Chinese Internet and WoSign/StartCom has not posted
> anything related to this. I believe it's paramount to prepare Chinese website
> owners for the phasing out of th
Hello,
On Friday, 21 October 2016 12:48:21 UTC+2, marc@gmail.com wrote:
[...]
> Just the opinion of a user who is securing services, websites and his mails
> with certificates but is not capable of paying hundreds of Euros / Dollars
> for achieving this goal every year.
DV
On Thu, Oct 20, 2016 at 1:57 PM, Kathleen Wilson wrote:
> 1) Distrust certificates with a notBefore date after October 21, 2016 which
> chain up to the following affected roots. If additional back-dating is
> discovered (by any means) to circumvent this control, then
On Sat, 22 Oct 2016 16:26:51 +0200, Jakob Bohm wrote:
> Thus the need for those who obtained OV code
> signing certificates from StartCom to start looking for alternatives,
> and my suggestion, as a public service, that someone here might chime
> in with the names of small/individual developer
g distrust of
WoSign and StartCom. Thus the need for those who obtained OV code
signing certificates from StartCom to start looking for alternatives,
and my suggestion, as a public service, that someone here might chime
in with the names of small/individual developer friendly issuers of
code signing ce
On Saturday, October 22, 2016 at 5:11:29 AM UTC-7, Jakob Bohm wrote:
> Talking of codesigning, which root store does Chrome use to validate
> signatures on the PPAPI plug ins it is currently forcing developers to
> switch to?
I've mentioned to you repeatedly that no one uses the code signing
On 22/10/2016 00:57, Jernej Simončič wrote:
On Fri, 21 Oct 2016 10:03:46 -0700 (PDT), Han Yuwei wrote:
I am also a StartCom SSL & S/MIME certificate user. The only problem for me
is that I must reconfigure nginx. S/MIME has a lot of alternatives for free. Code
Signing may only work on
Following on from my previous posting, I have found that Startcom are
still issuing certificates past the 21st of October that should be
subject to blocking in an upcoming version of Firefox
https://bugzilla.mozilla.org/show_bug.cgi?id=1311832 . I have
therefore obtained such a certificate via my
Samuel,
I absolutely agree with what you're saying. That's why I suggested to Mozilla
that it mandates WoSign/StartCom to disclose such information on its websites
or otherwise inform their customers. Currently, new customers have no way to
know until it's too late, i.e when Firefox releases
Startcom nor WoSign
are publicly announcing these measures on their websites, I have even
contacted Startcom about this via live chat. Their only responses seem
to be that they are waiting for 'upper management' to make an
announcement, despite me directly sending links to the filed bug
reports clearly
Isn't that something you should take up with StartCom? Bottom line, you paid
them for your certificate, didn't you? Not Mozilla. Perhaps StartCom should
have been a bit more careful so they could keep serving their customers.
CU Hans
On Friday, October 21, 2016 at 6:48:21 PM UTC+8, marc@gmail.com wrote:
> On Friday, 21 October 2016 03:59:08 UTC+2, Percy wrote:
> > Kathleen,
> > As most users affected by this decision are Chinese, will you be able to
> > make the blog post available in Chinese on the security blog as well? You
> > can ask
On Friday, 21 October 2016 11:48:21 UTC+1, marc@gmail.com wrote:
> Just the opinion of a user who is securing services, websites and his mails
> with certificates but is not capable of paying hundreds of Euros / Dollars
> for achieving this goal every year.
This is the "too big to fail"
On Friday, 21 October 2016 03:59:08 UTC+2, Percy wrote:
> Kathleen,
> As most users affected by this decision are Chinese, will you be able to make
> the blog post available in Chinese on the security blog as well? You can ask
> the Chinese firefox community or me to translate.
Hi,
only the
to translate.
>
> As I stated earlier, there is almost no news of the distrust of
> WoSign/StartCom on the Chinese Internet and WoSign/StartCom has not posted
> anything related to this. I believe it's paramount to prepare Chinese website
> owners for the phasing out of the affected
/StartCom on the Chinese Internet and WoSign/StartCom has not posted
anything related to this. I believe it's paramount to prepare Chinese website
owners for the phasing out of the affected roots.
All,
I have filed the following two bugs.
WoSign Action Items:
https://bugzilla.mozilla.org/show_bug.cgi?id=1311824
StartCom Action Items:
https://bugzilla.mozilla.org/show_bug.cgi?id=1311832
I will work on a security blog that will probably get posted early next week.
It will point to these
On 19/10/16 15:13, okaphone.elektron...@gmail.com wrote:
> Perhaps "haste" is not what you want here. How about "urgency"?
I was using it in the sense of the English phrase "more haste, less speed":
http://dictionary.cambridge.org/dictionary/english/more-haste-less-speed
But yes, urgency is
On Wednesday, October 19, 2016 at 3:13:50 PM UTC-7, okaphone.e...@gmail.com
wrote:
> Perhaps "haste" is not what you want here. How about "urgency"?
>
Yep. Changed in the wiki page.
Thanks,
Kathleen
Perhaps "haste" is not what you want here. How about "urgency"?
CU Hans
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
On Wednesday, October 19, 2016 at 11:50:55 AM UTC-7, Gervase Markham wrote:
>
> Today at the CAB Forum I outlined some of Mozilla's thinking on how we
> rate the severity of incidents. It might be helpful to reproduce that
> here. This is what I said:
>
Thanks, Gerv!
I added that text to the
On 19/10/16 11:35, longol...@gmail.com wrote:
> Hey Kathleen, hey list,
>
> I really don't get why Mozilla is pushing so hard on the Chinese and
> at the same time let others get away. For example the Comodo case
> from today. Isn't that a much worse incident than what has happened
> here.
On Wednesday, October 19, 2016 at 12:58:49 AM UTC-7, Kurt Roeckx wrote:
> I at least have some concerns about the current gossip draft and talked
> a little to dkg about this. I should probably bring this up on the trans
> list.
>
Please do, we would like to see this brought to closure soon
On 19 October 2016 at 02:58, Kurt Roeckx <k...@roeckx.be> wrote:
> On 2016-10-19 01:37, Rob Stradling wrote:
>>
>> On 18/10/16 23:49, Gervase Markham wrote:
>>>
>>> On 18/10/16 15:42, Ryan Hurst wrote:
>>>>
>>>> I do not underst
On 2016-10-19 01:37, Rob Stradling wrote:
On 18/10/16 23:49, Gervase Markham wrote:
On 18/10/16 15:42, Ryan Hurst wrote:
I do not understand the desire to require StartCom / WoSign to not
utilize their own logs as part of the associated quorum policy.
My original logic was that it could
It is true, that without gossip, CT is dependent on browsers monitoring the log
ecosystem, this is one reason why in the Chrome policy the one Google log is
required.
I would argue, with the monitoring Google does and the one Google log policy
that this risk is mitigated sufficiently, even
Kurt Roeckx wrote:
> Since the previous audit wasn't one that covered a whole year, I
> expect the new audit to start where the previous one stopped and
> have it a year from that point.
this might be more of a question for cabforum but why do audits have to be
non-overlapping?
i would think
On Tue, 18 Oct 2016 15:49:26 -0700
Gervase Markham <g...@mozilla.org> wrote:
> On 18/10/16 15:42, Ryan Hurst wrote:
> > I do not understand the desire to require StartCom / WoSign to not
> > utilize their own logs as part of the associated quorum policy.
>
> My origi
On 18/10/16 23:49, Gervase Markham wrote:
> On 18/10/16 15:42, Ryan Hurst wrote:
>> I do not understand the desire to require StartCom / WoSign to not
>> utilize their own logs as part of the associated quorum policy.
>
> My original logic was that it could be se
On 18/10/16 16:04, Han Yuwei wrote:
> For the CT support, is there any plan to implement it into effect in
> Firefox? And if implemented, what would happen if server's
> certificate don't have enough SCTs?
The mechanism is being implemented. When it's closer to being
implemented, there will be a
On Wednesday, October 19, 2016 at 6:42:18 AM UTC+8, Ryan Hurst wrote:
> All,
>
> I do not understand the desire to require StartCom / WoSign to not utilize
> their own logs as part of the associated quorum policy.
>
> Certificate Transparency's idempotency is for not dependent on the practices
On 18/10/16 15:42, Ryan Hurst wrote:
> I do not understand the desire to require StartCom / WoSign to not
> utilize their own logs as part of the associated quorum policy.
My original logic was that it could be seen that the log owner is
trustworthy. However, you are right that C
On 18/10/16 14:33, Ryan Sleevi wrote:
> I think there's some confusion there. CNNIC's audits "expire" on Feb
> "29" 2017 (I say "29" because of ambiguity on "1 year"). That is,
> within 3 months of Feb "29", 2017, CNNIC would be expected to provide
> a new audit, which covers February 29, 2016
All,
I do not understand the desire to require StartCom / WoSign to not utilize
their own logs as part of the associated quorum policy.
Certificate Transparency's idempotency is for not dependent on the practices of
the operator. By requiring the use of a third-party log (in this case
On Tue, Oct 18, 2016 at 01:35:59PM -0700, Gervase Markham wrote:
> On 18/10/16 12:46, Kurt Roeckx wrote:
> > Are you saying you're expecting an audit report from November 2015
> > to November 2016, and so have the period from November to March
> > covered twice?
>
> There seems to be a persistent
On Tue, Oct 18, 2016 at 2:33 PM, Ryan Sleevi wrote:
>
> I think there's some confusion there. CNNIC's audits "expire" on Feb "29"
> 2017 (I say "29" because of ambiguity on "1 year"). That is, within 3 months
> of Feb "29", 2017, CNNIC would be expected to provide a new audit,
On Tuesday, October 18, 2016 at 1:36:37 PM UTC-7, Gervase Markham wrote:
> On 18/10/16 12:46, Kurt Roeckx wrote:
> > Are you saying you're expecting an audit report from November 2015
> > to November 2016, and so have the period from November to March
> > covered twice?
>
> There seems to be a
On 18/10/16 12:46, Kurt Roeckx wrote:
> Are you saying you're expecting an audit report from November 2015
> to November 2016, and so have the period from November to March
> covered twice?
There seems to be a persistent misunderstanding here.
https://cert.webtrust.org/SealFile?seal=2092=pdf
On Tue, Oct 18, 2016 at 10:02:00AM -0700, Gervase Markham wrote:
> On 18/10/16 09:03, Kurt Roeckx wrote:
> > You said the period was until February 29, 2016. I assume the next
> > period starts on March 1, 2016 and is for 1 year. I don't expect it to
> > from from March to November, it would be an
ly
one (leaving aside WoSign/StartCom) which should appear on the list. Am
I right?
Gerv
Measure with a micrometer, mark with chalk and cut with an axe... it's the best
you can do.
Hi Peter,
On 18/10/16 06:02, Peter Bowen wrote:
> I think making it clear which entries in certdata.txt have additional
> constraints would be very helpful. Is it maybe possible to do so by
> adding new attributes to the NSS_TRUST object instead of simply
> putting it on a webpage? That way it
On 18/10/16 09:03, Kurt Roeckx wrote:
> You said the period was until February 29, 2016. I assume the next
> period starts on March 1, 2016 and is for 1 year. I don't expect it to
> from from March to November, it would be an 8 month period.
Surely if audits last one year, one would be auditing
On 2016-10-18 17:26, Gervase Markham wrote:
On 18/10/16 07:17, Kurt Roeckx wrote:
On 2016-10-18 14:51, Gervase Markham wrote:
The audit report CNNIC has submitted covers the period from November 2,
2015 to February 29, 2016. Therefore, we would expect them to be
starting the process of
is more detailed information
> on the next steps to be done.
>
> Here's the link again:
> https://www.startssl.com/report/StartCom_Remediation_Plan_14102016.pdf
>
> So, regarding the situation of StartCom I think that some people have
> lost what happened and are considering Wosi
Hi Inigo,
On 18/10/16 07:34, Inigo Barreira wrote:
> So, regarding the situation of StartCom I think that some people have
> lost what happened and are considering Wosign and Startcom the same.
Kathleen may also respond, but my understanding is that (based on her
consideration of the arg
On 18/10/16 07:17, Kurt Roeckx wrote:
> On 2016-10-18 14:51, Gervase Markham wrote:
>>
>> The audit report CNNIC has submitted covers the period from November 2,
>> 2015 to February 29, 2016. Therefore, we would expect them to be
>> starting the process of getting another yearly audit in about 2
.pdf
So, regarding the situation of StartCom I think that some people have
lost what happened and are considering Wosign and Startcom the same.
Let's focus on the 3 issues for which StartCom has been proposed to a
sanction (hopefully we can change that), and these are:
1.- Bad coding of a new
On 2016-10-18 14:51, Gervase Markham wrote:
The audit report CNNIC has submitted covers the period from November 2,
2015 to February 29, 2016. Therefore, we would expect them to be
starting the process of getting another yearly audit in about 2 weeks
anyway, although it won't be done until next
On 17/10/16 16:26, Kathleen Wilson wrote:
> ones who use NSS validation. I’m not sure what we can do about other
> consumers of the NSS root store, other than publish what we are doing
> and hope those folks read the news and update their version of their
> root store as they see appropriate for
eed to be CT-less, although both CAs have
committed to full CT from now on, and both have loaded "every" cert
since a certain date into CT. If loads of CT-less older WoSign or
StartCom certs with long lifetimes started turning up on their customers
sites, it would be fairly obviou
won't be trusted) and that QiHoo 360/ WoSign/ StartCom accept this
as legitimate.
ng
> change/impact.
Because 360 safe browser is the most dominant browser in China. Qihoo, the
parent company of WoSign/StartCom produced this browser. I assume Qihoo's
browser will not take any action against its own CAs.
So if Mozilla or other parties are not mandating WoSign/St
Oh, I read too quickly and saw it as a list of certificates whose
expiration dates were within each month. In retrospect, that was not the
most likely way the numbers would be distributed -- apologies for causing
confusion.
On Sat, Oct 15, 2016 at 6:20 PM, Kurt Roeckx wrote:
>
On Sat, Oct 15, 2016 at 06:07:50PM -0400, Eric Mill wrote:
> For the convenience of the thread -- assuming that a 1-year-oriented policy
> covered the certs up to and including those listed as 2017-10-01, then
> summing up Kurt's numbers:
>
> * Certs expiring by Oct 2017: 2,088,329
> * Certs
because there
> > are too many of them.
> >
> > *however* from what I remember almost all the time the free options of
> > startcom/wosign were limited to one year. (I think there was a short
> > period of time when it was possible to get 3-year-certs from wosign for
>
t remove the affected roots
> > until 2019.
>
> Hi,
>
> From my understanding the problem here is that the alternative of simply
> whitelisting the existing certificates isn't feasible, because there
> are too many of them.
>
> *however* from what I remember almost all th
t I remember almost all the time the free options of
> startcom/wosign were limited to one year. (I think there was a short
> period of time when it was possible to get 3-year-certs from wosign for
> free, but they removed that shortly afterwards.)
It was quite some time, and outside o
he problem here is that the alternative of simply
whitelisting the existing certificates isn't feasible, because there
are too many of them.
*however* from what I remember almost all the time the free options of
startcom/wosign were limited to one year. (I think there was a short
period of time when it was possibl
mass-deployed
versions, lack more extensive capabilities). As a consequence of this - which,
to be fair, is not a problem of Mozilla's creation - there exists the ecosystem
risk that in order to minimize any incompatibilities, these applications will
need to continue to trust WoSign and StartCom for
m%2Freport%2FWoSign_Incident_Report_Update_07102016.pdf=D=1=AFQjCNGRzAxwYrEEiA_SN5gfcsftSst0nA)
> and that the CEO Richard Wang to be relieved of its duties.
>
> I'm calling WoSign out on this two-faced behavior towards Chinese end users
> and foreign security researchers.
WoSig
On 14/10/16 15:46, Gervase Markham wrote:
> On 14/10/16 11:37, Rob Stradling wrote:
>> Sure, but aren't we talking about specifying criteria for which log(s)
>> StartCom/WoSign _can't_ use in future?
>>
>> If Mozilla would prefer to forbid StartCom/WoSign from using t
On 14/10/16 11:37, Rob Stradling wrote:
> Sure, but aren't we talking about specifying criteria for which log(s)
> StartCom/WoSign _can't_ use in future?
>
> If Mozilla would prefer to forbid StartCom/WoSign from using their own
> or each other's logs, then ISTM that it would be
99% uptime sounds good but it allows being down for three and half days in a
year. It's not actually a very high availability. ;-)
CU Hans
On 14/10/16 10:50, Gervase Markham wrote:
> On 14/10/16 10:41, Rob Stradling wrote:
>> Gerv, does Mozilla need to make a final decision on this point immediately?
>>
>> I very much hope that there will be more CT logs by the time StartCom
>> and/or WoSign are readmitte
On 13/10/16 23:42, Nick Lamb wrote:
> Please can Mozilla ensure that both EY Hong Kong and the overarching
> parent organisation in the United Kingdom (in Southwark) are informed
> of this ban and get a copy of Mozilla's findings if they haven't
> already ?
This is a good idea; I will try and
On 14/10/16 10:41, Rob Stradling wrote:
> Gerv, does Mozilla need to make a final decision on this point immediately?
>
> I very much hope that there will be more CT logs by the time StartCom
> and/or WoSign are readmitted into Mozilla's trust list. Why not delay
> making this
On 13/10/16 20:52, Gervase Markham wrote:
> StartCom/WoSign have indicated to me that they may have trouble
> complying with the non-Google log requirement because it's hard to find
> a non-Google log which can scale sufficiently. I suggest we allow them
> some leeway on this b
On 2016-10-14 10:19, Nick Lamb wrote:
On Friday, 14 October 2016 02:21:36 UTC+1, Matt Palmer wrote:
Will there be any requirements around the qualification status of the logs,
or could anyone who wanted to be "nice" just stand up a log, and have these
CAs obtain precerts from them?
I don't
On 2016-10-14 03:20, Matt Palmer wrote:
On Thu, Oct 13, 2016 at 09:49:50AM -0700, Kathleen Wilson wrote:
5. 100% embedded CT for all issued certificates, with embedded SCTs from
at least one Google and one non-Google log not controlled by the CA.
Will there be any requirements around the
On Friday, 14 October 2016 02:21:36 UTC+1, Matt Palmer wrote:
> Will there be any requirements around the qualification status of the logs,
> or could anyone who wanted to be "nice" just stand up a log, and have these
> CAs obtain precerts from them?
I don't think Mozilla has declared any