Hi Ben,
My name is Henry Birge-Lee. I am a researcher at Princeton University. I
began studying the use of BGP attacks to obtain bogus TLS certificates in
2017 and worked to design a countermeasure known as multiple vantage point
domain validation which can be implemented by CAs. It involves a
All,
Are there any additional comments on Jeremy's proposal for S/MIME
certificates? If we do go this route, then I am thinking that we may need
to make this even more clear than what is proposed in the italicized
language. Modifying the table might also help make things more clear. Any
thoughts o
On Fri, Oct 14, 2022 at 8:40 PM Ben Wilson wrote:
> All,
> I'm wordsmithing item 7 under MRSP section 3.3. Draft language is: "7.
> Effective December 31, 2022, CA operators SHALL maintain links in their
> online repositories to all reasonably available historic versions of CPs and
> CPSes (o
Interested parties can follow the discussion regarding the errata here:
https://mailarchive.ietf.org/arch/msg/pkix/-Z00K5As5WN37pnyoIRvm7mNPRY/
On Fri, Oct 14, 2022 at 1:08 PM Tim Hollebeek
wrote:
> More information about the process:
> https://www.ietf.org/about/groups/iesg/statements/processin
More information about the process:
https://www.ietf.org/about/groups/iesg/statements/processing-errata-ietf-stream/
Thanks for filing it. I’m actually curious to see where the discussion goes,
and what the people who were around at the time (including the author) have to
say about the history
On Fri, Oct 14, 2022 at 11:19 AM Corey Bonnell
wrote:
> Are you also considering filing an erratum against 5280 so this particular
> PKI footgun can be addressed at the IETF?
>
Thank you for the reminder! I have done so just now. I'm not sure how long
that process will take to work through thing
All,
I'm wordsmithing item 7 under MRSP section 3.3. Draft language is: "7.
Effective December 31, 2022, CA operators SHALL maintain links in their
online repositories to all reasonably available historic versions of CPs
and CPSes (or CP/CPSes) from the creation of included CAs, regardless of
chan
Hi Aaron,
I had a draft reply written up to better explain my interpretation but deleted
it since I think the CABF ballot is a more constructive path forward on this
issue.
Are you also considering filing an erratum against 5280 so this particular PKI
footgun can be addressed at the IETF?
We largely don’t care as we consider this to be an existing requirement, so the
date doesn’t really matter for us, but I’m totally ok with enhancing the BRs to
make the requirement more explicit, and putting an agreed upon future
compliance date in there for anyone who might have missed this sub
Yep, and I just got sidetracked by a meeting in between sending the message
to this list and sending the corresponding one to the servercert-wg list!
It's been sent now, and can be viewed in the public archive here:
https://lists.cabforum.org/pipermail/servercert-wg/2022-October/003347.html
You're
Shouldn’t CABF ballot discussions and endorsement conversations happen on the
relevant CABF lists? This is somewhat important both to make sure the relevant
conversations are properly documented and archived in the right place, as well
as for compliance with the CABF IPR rules. It doesn’t horr
Thanks Aaron, I’ll endorse.
> On Oct 14, 2022, at 9:30 AM, 'Aaron Gable' via
> dev-security-policy@mozilla.org wrote:
>
> To ensure that future parties don't have to have this same discussion again,
> I have put together a CA/BF ballot to update the BRs to explicitly require
> the distributio
To ensure that future parties don't have to have this same discussion
again, I have put together a CA/BF ballot to update the BRs to explicitly
require the distributionPoint field in sharded CRLs:
https://github.com/cabforum/servercert/pull/396
I'm seeking endorsers so it can be given a ballot num
Jeff,
Here is some alternative language: "This schedule is subject to change if
underlying algorithms become more susceptible to cryptanalytic attack or if
other circumstances arise that make this schedule obsolete."
Ben
On Sun, Sep 25, 2022 at 12:58 PM Jeffrey Walton wrote:
>
>
> On Mon, Sep 1
Hi Li-Chun,
At this time, even considering the problem with Android fragmentation, we
are not willing to extend the transition deadline for older roots to April
2026. As you suggest, one option may be to cross-sign your HiPKI G1 root
with your ePKI Root CA, acquire a cross-sign from some other root