On 2/1/09 03:44, Kyle Hamilton wrote:
If he's a security and user interface expert, why is the security UI
so appallingly *bad*?
Not answering for gerv, but I would say: he is the human shield,
against all influences, inside and outside!
He's only one guy, and he has the entire battle field
On 1/1/09 6:44 PM, Kyle Hamilton wrote:
If he's a security and user interface expert, why is the security UI
so appallingly *bad*?
*plonk*
Justin
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/de
On 01/02/2009 04:38 AM, Kyle Hamilton:
From what I can see, the general overall idea that Eddy is suggesting
seems to be:
Type 1: the person requesting the certificate has shown that they have
some means of accessing things either in their mailbox or in the
URI-space of the domain. (DV)
Type 2
On Thu, Jan 1, 2009 at 7:57 AM, Ben Bucksch wrote:
>
> FWIW:
>
> On 31.12.2008 15:47, Eddy Nigg wrote:
>>
>> EV is clearly maximum
>
> No. EV is what I always expected all certs to be. It's really the minimum.
> The whole security hangs off a phone call. It has lots of loopholes.
The EV guidelines
Industry standards bodies are bad, when they shut out input the people
who they're supposed to be benefitting. (Who are, really, the
ultimate stakeholders.)
A perfect example (outside of the current debate) is the Bluetooth
consortium. I, as an individual developer and researcher, can't get
acce
If he's a security and user interface expert, why is the security UI
so appallingly *bad*?
-Kyle H
On Thu, Jan 1, 2009 at 1:29 PM, Gervase Markham wrote:
> Ian G wrote:
>> My personal view of Mozilla is this: the ecosystem is developer-led.
>
> But "the ecosystem" isn't our representative on th
From what I can see, the general overall idea that Eddy is suggesting
seems to be:
Type 1: the person requesting the certificate has shown that they have
some means of accessing things either in their mailbox or in the
URI-space of the domain. (DV)
Type 2: (currently nonexistent) non-EV-eligible
On 01/01/2009 11:36 PM, Gervase Markham:
Eddy Nigg wrote:
Yes, basically we need a class or type in between DV and EV, preferably
defining DV clearly as well. EV is clearly maximum, whereas DV is
clearly minimum.
EV is definitely not maximum. There's a load more stuff that could be
done (some
On 1/1/09 22:37, Gervase Markham wrote:
Ian G wrote:
Hmmm, odd that Frank views EV as ecommerce and here we see another view
of EV as technical delivery of updates.
I think that's a misrepresentation of both Frank's and my position. I
don't think Frank said that EV was _only_ for ecommerce, an
Ian G wrote:
> Hmmm, odd that Frank views EV as ecommerce and here we see another view
> of EV as technical delivery of updates.
I think that's a misrepresentation of both Frank's and my position. I
don't think Frank said that EV was _only_ for ecommerce, and I certainly
didn't say that it was _on
Eddy Nigg wrote:
> Yes, basically we need a class or type in between DV and EV, preferably
> defining DV clearly as well. EV is clearly maximum, whereas DV is
> clearly minimum.
EV is definitely not maximum. There's a load more stuff that could be
done (some of which I wanted, like site visits) w
Ian G wrote:
> 2. In general, such a group will reject any proposal that appears to
> favour one member against another; but they will accept any proposal
> that requires the same amount of additional work, and increases the
> power of the group. In other words, rejection of internal competition
Ian G wrote:
> My personal view of Mozilla is this: the ecosystem is developer-led.
But "the ecosystem" isn't our representative on the CAB Forum. Our
current representative is Johnathan Nightingale, our "Human Shield" and
security and user experience expert.
Gerv
On 30/12/08 23:25, Gervase Markham wrote:
Ian G wrote:
... nor to
resist the trap of increasing work loads and complexity, and reducing
availability and delivered security.
I am having trouble extracting meaning from that last sentence.
In mostly general terms:
1. When any industry gro
On 30/12/08 23:25, Gervase Markham wrote:
Ian G wrote:
A tightly closed membership, oriented to CAs in their chosen segment. As
CAs, they incline towards including two other groups, being the upstream
audit organisations who provide the WebTrust, and the downstream
browsers who consume the WebTr
First: A successful, healthy and happy new Year!
1. Is there a dev-tech-crypto / Firefox developer/programmer who wants to
confirm Kaspar Band's idea that "running Firefox in "Safe
Mode" when generating the key as well as requesting the Certificate with
Thawte does securely prevent unnotified pr
Eddy Nigg wrote:
perhaps Mozilla should start to use EV
certs for the update mechanism of Firefox and *enforce* it? There might
be many other sites which potentially could wreak havoc not measurable
in terms of money only.
Very good point.
Indeed, I don't want to trust the security
On 01/01/2009 05:57 PM, Ben Bucksch:
FWIW:
On 31.12.2008 15:47, Eddy Nigg wrote:
EV is clearly maximum
No. EV is what I always expected all certs to be. It's really the
minimum.
Ohooommm, whatever the minimum validation requirements for EV are, are
now the industry's maximum requirements.
On 31.12.2008 03:26, Nelson B Bolyard wrote:
Dan, I believe Paul was suggesting that he did not want to see
signatures on email messages themselves be invalidated just because
they use MD5. The email messages themselves have different
vulnerability characteristics than the signatures on the cer
FWIW:
On 31.12.2008 15:47, Eddy Nigg wrote:
EV is clearly maximum
No. EV is what I always expected all certs to be. It's really the
minimum. The whole security hangs off a phone call. It has lots of loopholes.
For me, anything less is rather pointless. DV: verify via http or
plaintext mail -