Kyle Hamilton wrote, On 2008-02-09 07:32:
> (If you don't believe my assertion that there is no means to remove
> root certificate trust as a matter of policy, I am still waiting for
> action on Thawte's issuing of SSL123 certificates by a root which had
> a CSP which stated that no SSL serv
On 2/7/08, Robert Relyea <[EMAIL PROTECTED]> wrote:
>
> D3|\||\|!$ wrote:
>
> The issue isn't with certificates; it is with private keys.
>
>
> I disagree with you... What if somebody deleted the private key from key3.db
> and its associated certificate entry in cert8.db??? Then added
> his own thin
On Feb 9, 2008 8:50 AM, Frank Hecker <[EMAIL PROTECTED]> wrote:
> We also have the problem that the cure (removal of root certs) is often
> seen as worse than the disease (problems with particular CAs), in the
> sense that the actual security threat to users is perceived as not
> justifying provoki
Frank Hecker wrote:
> The present Mozilla policy and its application in practice essentially are
> attempts
> to find a middle way; like all compromises, these attempts by nature
> will annoy almost everyone and satisfy almost no one. (And I count myself
> among those annoyed and not satisfied.)
Gervase Markham wrote:
> Eddy Nigg (StartCom Ltd.) wrote:
>
>> So it would be fine with you, if you've received a signed document or
>> email (even encrypted) and you are going to trust your VISA and other
>> personal data to a spoofed email or web site, issued by such a Blackbox
>> CA?
>>
On 1/18/2008 11:44 AM, Frank Hecker wrote:
> WISeKey has applied to add its (one) root CA certificate to the Mozilla
> root store, as documented in the following bug:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=371362
>
> and in the pending certificates list here:
>
> http://www.mozi
Kyle Hamilton wrote:
> You all seem to be frighteningly disconnected from the realities of the
> situation if you're still arguing the minutiae of trust models allowed by
> CSPs. I lost my faith in the process you're trying to follow long ago.
We're all aware that the traditional SSL/PKI/CA mech
Hi Kyle,
Kyle Hamilton wrote:
> I'm just going to point out something that a couple of friends
> recently pointed out to me. The business models of commercial CAs
> involve what is essentially "selling trust".
>
> If you look at the fact that they have no real accountability, no
> procedur
Hello,
I'm stuck trying to export a private key generated by Firefox in the
process of obtaining a certificate. I received the corresponding
certificate in PEM format by email, but it has not yet been imported.
Indeed, the problem seems to be that I can't import it because Firefox
wants it in the
I'm just going to point out something that a couple of friends
recently pointed out to me. The business models of commercial CAs
involve what is essentially "selling trust".
If you look at the fact that they have no real accountability, no
procedure in place in any of the browsers to revok
Eddy Nigg (StartCom Ltd.) wrote:
> So it would be fine with you, if you've received a signed document or
> email (even encrypted) and you are going to trust your VISA and other
> personal data to a spoofed email or web site, issued by such a Blackbox
> CA?
It wouldn't be fine with me; my point
Gervase Markham wrote:
> Eddy Nigg (StartCom Ltd.) wrote:
>
>> But back to our issue, if a compromised server issues a certificate from
>> within the name constraint and uses it to attack another user (by
>> claiming to send mail from [EMAIL PROTECTED] or setting up a fake
>> site for https:/
Go Daddy has applied to upgrade its existing root CA certificates for EV
use, as documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=403437
and in the pending certificates list:
http://www.mozilla.org/projects/security/certs/pending/#Go%20Daddy
I have evaluated
Eddy Nigg (StartCom Ltd.) wrote:
> But back to our issue, if a compromised server issues a certificate from
> within the name constraint and uses it to attack another user (by
> claiming to send mail from [EMAIL PROTECTED] or setting up a fake
> site for https://really.allowed-domain.com), this
Nelson Bolyard wrote:
> This suggests to me that Mozilla should NOT approve for inclusion any
> certs for root CAs that rely on any constraining cert extensions
> (name constraints aren't the only ones) that are not implemented in NSS.
This seems wise to me.
I take Frank's point about CRL revocat
Frank Hecker wrote:
> This sounds reasonable at first glance, but I admit to being a bit leery
> about adopting such a policy. If we generalized this to something like
> "Mozilla should NOT approve for inclusion any certs for root CAs that
> rely on features not implemented in NSS", then, for ex