Re: SECURITY RELEVANT FOR CAs: The curious case of the Dangerous Delegated Responder Cert

2020-07-10 Thread zxzxzx66669--- via dev-security-policy
On Wednesday, July 8, 2020 at 6:02:56 AM UTC+3, Ryan Sleevi wrote: > The question is simply whether or not user agents will accept the risk of > needing to remove the root suddenly, and with significant (e.g. active) > attack, or whether they would, as I suggest, take steps to remove the root >

Re: SECURITY RELEVANT FOR CAs: The curious case of the Dangerous Delegated Responder Cert

2020-07-10 Thread ccampetto--- via dev-security-policy
On Wednesday, 8 July 2020 05:02:56 UTC+2, Ryan Sleevi wrote: > On Tue, Jul 7, 2020 at 10:36 PM Matt Palmer via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > On Mon, Jul 06, 2020 at 10:53:50AM -0700, zxzxzx9--- via > > dev-security-policy wrote: > > > Can't the

Re: SECURITY RELEVANT FOR CAs: The curious case of the Dangerous Delegated Responder Cert

2020-07-10 Thread Tofu Kobe via dev-security-policy
Mr. zxzxzx9, The "real" risk, which is illustrated through an adversary, vulnerability, impact probability, risk mitigation strategy and the residual risk doesn't matter. Hence is not discussed. I've yet to see a comprehensive risk assessment on this matter. The primary reason there is

Re: SECURITY RELEVANT FOR CAs: The curious case of the Dangerous Delegated Responder Cert

2020-07-10 Thread Ryan Sleevi via dev-security-policy
On Fri, Jul 10, 2020 at 12:01 PM ccampetto--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Wouldn't be enough to check that OCSP responses are signed with a > certificate which presents the (mandatory, by BR) id-pkix-ocsp-nocheck? > I've not checked, but I don't think

Re: New Blog Post on 398-Day Certificate Lifetimes

2020-07-10 Thread Ben Wilson via dev-security-policy
Yes, that's right. On Fri, Jul 10, 2020 at 12:11 PM Doug Beattie wrote: > Ben, > > For the avoidance of doubt, I assume this means Sept 1, 00:00 UTC. > > > -Original Message- > From: dev-security-policy > On > Behalf Of Ben Wilson via dev-security-policy > Sent: Friday, July 10, 2020

Re: New Blog Post on 398-Day Certificate Lifetimes

2020-07-10 Thread Ben Wilson via dev-security-policy
Some people have asked whether two-year certificates existing on August 31 would remain valid. The answer is yes. Those certificates will remain valid until they expire. The change only applies to certificates issued on or after Sept. 1, 2020.

RE: New Blog Post on 398-Day Certificate Lifetimes

2020-07-10 Thread Doug Beattie via dev-security-policy
Ben, For the avoidance of doubt, I assume this means Sept 1, 00:00 UTC. -Original Message- From: dev-security-policy On Behalf Of Ben Wilson via dev-security-policy Sent: Friday, July 10, 2020 12:49 PM To: mozilla-dev-security-policy Subject: Re: New Blog Post on 398-Day Certificate

Re: New Blog Post on 398-Day Certificate Lifetimes

2020-07-10 Thread Matt Palmer via dev-security-policy
On Fri, Jul 10, 2020 at 10:48:39AM -0600, Ben Wilson via dev-security-policy wrote: > Some people have asked whether two-year certificates existing on August 31 > would remain valid. The answer is yes. Those certificates will remain > valid until they expire. The change only applies to

EV-enablement Request of Identrust

2020-07-10 Thread Ben Wilson via dev-security-policy
This is a request to EV-enable the IdenTrust Commercial Root CA 1, as documented here: https://bugzilla.mozilla.org/show_bug.cgi?id=1551703 * Summary of Information Gathered and Verified: https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=0417 * SHA2 hash for Root