Re: Suggestion: Announce date for MD5 signature deactivation

2009-01-13 Thread Paul Hoffman
At 5:29 PM -0800 1/13/09, Julien R Pierre - Sun Microsystems wrote: >Just because root CAs have stopped using MD5 doesn't mean every intermediate >CA in the world has stopped yet. It would be a fairly arduous task to >determine that. If a sub CA hasn't stopped using MD5 yet, they may be subject

Re: Suggestion: Announce date for MD5 signature deactivation

2009-01-13 Thread Julien R Pierre - Sun Microsystems
Gervase, Gervase Markham wrote: Ben Bucksch wrote: I propose to announce that we'll stop supporting MD5 in 3 months, and ask website owners to get new certs. On the basis of any known risk? The current attack requires the attacker to be able to get a cert signed for a key they control. If al

JSS API for FIPS Self Tests

2009-01-13 Thread Sreedhar Kamishetti
Hello, I just started looking at JSS. Can someone point me to the API provided by JSS for running Power Up and Conditional Self Tests for various cryptographic modules/algorithms? Thanks, Sreedhar

Re: Suggestion: Announce date for MD5 signature deactivation

2009-01-13 Thread Gervase Markham
Ben Bucksch wrote: > I propose to announce that we'll stop supporting MD5 in 3 months, and > ask website owners to get new certs. On the basis of any known risk? The current attack requires the attacker to be able to get a cert signed for a key they control. If all CAs stop using MD5 (which they

Re: PositiveSSL is not valid for browsers

2009-01-13 Thread Gervase Markham
Florian, Thank you for bringing this to my attention. Florian Weimer wrote: > But the EV certificate was issued to "SEB AG", a different legal > entity. (SEB AG, in turn, is part of Skandinaviska Enskilda Banken > AB.) Are you able to outline the exact corporate relationship between these three

Re: Suggestion: Announce date for MD5 signature deactivation

2009-01-13 Thread Eddy Nigg
On 01/13/2009 09:56 PM, Paul Hoffman: We disagree here. I think it would be more problematic for Mozilla to be accused of having hard-to-find policy changes than to simply change the policy itself when needed. I did not suggest that there should be "hard-to-find policy changes" at all. Bes

Re: Suggestion: Announce date for MD5 signature deactivation

2009-01-13 Thread Paul Hoffman
At 9:00 PM +0200 1/13/09, Eddy Nigg wrote: >On 01/13/2009 05:23 PM, Paul Hoffman: >>>Useful yes, up to a certain extent. If there is too much information in the >>>policy, it will start to be problematic. >> >>For whom? > >For Mozilla mostly. We disagree here. I think it would be more problematic f

Re: Suggestion: Announce date for MD5 signature deactivation

2009-01-13 Thread Eddy Nigg
On 01/13/2009 05:23 PM, Paul Hoffman: Useful yes, up to a certain extent. If there is too much information in the policy, it will start to be problematic. For whom? For Mozilla mostly. Most CAs run businesses where written policies are the norm. Mozilla is not a CA. Where did Frank say,

Re: JSS doesn't support AES key unwrapping

2009-01-13 Thread Glen Beasley
alex.agra...@gmail.com wrote: FYI - I submitted a patch that fixes the problem. See https://bugzilla.mozilla.org/show_bug.cgi?id=470982 for details.

Re: Cert expiry with Key Continuity Management

2009-01-13 Thread Paul Hoffman
At 3:31 PM + 1/13/09, Rob Stradling wrote: >Why "almost every piece of PKIX validating software" ? > >I think it would be worth it if, at a minimum... > - the majority of CAs added the extension to the certificates they issue, >and... > - Mozilla implemented support for the extension in NSS.

Re: Cert expiry with Key Continuity Management

2009-01-13 Thread Rob Stradling
Why "almost every piece of PKIX validating software" ? I think it would be worth it if, at a minimum... - the majority of CAs added the extension to the certificates they issue, and... - Mozilla implemented support for the extension in NSS. This would allow Mozilla to disable a weak algorith

Re: Suggestion: Announce date for MD5 signature deactivation

2009-01-13 Thread Paul Hoffman
At 11:16 AM +0200 1/13/09, Eddy Nigg wrote: >On 01/13/2009 10:15 AM, Rob Stradling: >>Eddy, I do think that the Mozilla CA Certificate Policy should cover >>*all* "actual" problematic practices. In this particular case, I think that >>a blacklist of unsupported/non-allowed/not-recommended algorith

Re: Cert expiry with Key Continuity Management

2009-01-13 Thread Paul Hoffman
At 9:55 AM + 1/13/09, Rob Stradling wrote: >Thanks Ben. Perhaps it's time to have another go at canvassing support for >the idea. In 2006, the PKIX WG didn't seem interested in tackling the >problem I was trying to solve. > >Paul, do you think it's worth re-raising this idea with the PKIX WG

Re: Suggestion: Announce date for MD5 signature deactivation

2009-01-13 Thread Eddy Nigg
On 01/13/2009 02:09 PM, Ian G: Let's work from Mozo's documentation. Where is it? Otherwise we are liable to get distracted... If this is not a documented situation, Rob already explained it. Or, have a look at my comments on "dropping the root is useless". This is not documented, this is how

Re: Suggestion: Announce date for MD5 signature deactivation

2009-01-13 Thread Ian G
On 13/1/09 11:57, Eddy Nigg wrote: On 01/13/2009 12:50 PM, Ian G: Sorry, where is this documented? It looks unfamiliar and unworkable to me. In which respect unworkable? Please explain. Let's work from Mozo's documentation. Where is it? Otherwise we are liable to get distracted... If

Re: Suggestion: Announce date for MD5 signature deactivation

2009-01-13 Thread Eddy Nigg
On 01/13/2009 12:50 PM, Ian G: Sorry, where is this documented? It looks unfamiliar and unworkable to me. In which respect unworkable? Please explain. -- Regards Signer: Eddy Nigg, StartCom Ltd. Jabber: start...@startcom.org Blog: https://blog.startcom.org

Re: Suggestion: Announce date for MD5 signature deactivation

2009-01-13 Thread Ian G
On 13/1/09 10:16, Eddy Nigg wrote: Before Mozilla yanks any root (which isn't something Mozilla does for fun really), Mozilla will confront the CA with the concern and assumed risk concerning the practice of the CA. - Mozilla will give the CA reasonable time to address the concern - where "reason

Re: Cert expiry with Key Continuity Management

2009-01-13 Thread Rob Stradling
Thanks Ben. Perhaps it's time to have another go at canvassing support for the idea. In 2006, the PKIX WG didn't seem interested in tackling the problem I was trying to solve. Paul, do you think it's worth re-raising this idea with the PKIX WG ? On Tuesday 13 January 2009 09:39:06 Ben Bucksch

Re: JSS doesn't support AES key unwrapping

2009-01-13 Thread alex . agranov
FYI - I submitted a patch that fixes the problem. See https://bugzilla.mozilla.org/show_bug.cgi?id=470982 for details.

Re: Cert expiry with Key Continuity Management

2009-01-13 Thread Ben Bucksch
On 13.01.2009 09:48, Rob Stradling wrote: I made a similar suggestion to ietf.pkix in October 2006. See... http://www.imc.org/ietf-pkix/mail-archive/msg01964.html ...and the rest of that thread, including... http://www.imc.org/ietf-pkix/mail-archive/msg01984.html ... Ben, I agree that having m

Re: Suggestion: Announce date for MD5 signature deactivation

2009-01-13 Thread Eddy Nigg
On 01/13/2009 10:15 AM, Rob Stradling: Eddy, I do think that the Mozilla CA Certificate Policy should cover *all* "actual" problematic practices. In this particular case, I think that a blacklist of unsupported/non-allowed/not-recommended algorithms and/or a whitelist of supported/allowed/recomm

Re: Cert expiry with Key Continuity Management

2009-01-13 Thread Rob Stradling
On Friday 09 January 2009 02:04:59 Julien R Pierre - Sun Microsystems wrote: > On Friday 09 January 2009 04:32:41 Ben Bucksch wrote: > > > > Can we create another extension? The signature itself is a shell around > > the certified bits. Add the second signature around that first signature. > > > >

Re: Suggestion: Announce date for MD5 signature deactivation

2009-01-13 Thread Rob Stradling
On Monday 12 January 2009 20:28:25 Eddy Nigg wrote: > On 01/12/2009 09:20 PM, Paul Hoffman: > > No, because it is not true. What is true is that signing with MD5 is now > > considered to be insecure, and what Mozilla will do about it. > > > >> Should every possible algorithm be listed there too? >