On Tue, Feb 24, 2009 at 4:53 PM, wrote:
> It is possible that at some point in the future certificates chaining
> up to this root will no longer work with Firefox and other Mozilla-
> based products. Since Mozilla has no commitment at this time to
> support partitioned CRLs, it would be the respo
To summarize this discussion, only one concern has been raised in
regards to this request. In particular, Hongkong Post issues both a
full CRL and a partitioned CRL. Currently Firefox handles full CRLs,
but not partitioned CRLs. The end-entity certs chaining up to this
root include a cRLDistributio
Kathleen Wilson wrote:
As per the CA Schedule at https://wiki.mozilla.org/CA:Schedule ComSign
is the next request in the queue for public discussion.
Thanks for preparing this for public discussion!
* CRL issue: Current CRLs result in the e009 error code when
downloading into Firefox. Com
As per the CA Schedule at https://wiki.mozilla.org/CA:Schedule ComSign
is the next request in the queue for public discussion.
ComSign (a private company owned by Comda, Ltd. in Israel) has applied
to add two new root CA certificates to the Mozilla root store, as
documented in the following bug:
Kaspar Brand wrote re RFC 5280:
Note that it refers to the DistributionPoint*Name*, not the
DistributionPoint itself - i.e. the CDP extension of a certificate can
certainly include multiple HTTP URIs (all pointing to the same CRL).
FWIW, here's the definition from RFC 5280, which might help in
Frank Hecker wrote:
> I understand your concern. Both RFC 3280 and RFC 5280 clearly allow for
> multiple names to be listed with the CRL DP extension; however they also
> say that
>
>If the DistributionPointName contains multiple values, each name
>describes a different mechanism to obta
At 7:09 AM +0100 2/24/09, Kaspar Brand wrote:
>Kyle Hamilton wrote:
>> Removal of support for wildcards can't be done without PKIX action, if
>> one wants to claim conformance to RFC 3280/5280.
>
>Huh? Both these RFCs completely step out of the way when it comes to
>wildcard certificates - just rea
I am trying to make a certificate request using a multi valued attribute
relative distinguished name using the certutil tool. However I keep getting
an error message saying that the DN is invalid. Is this not supported in
certutil? Here's the command I used:
certutil -R -s "UID=12345+CN=John
On 02/24/2009 01:54 PM, Frank Hecker:
If the DistributionPointName contains multiple values, each name
describes a different mechanism to obtain *the same CRL*.
...or use the same mechanism in order to balance and/or have a backup CRLDP.
It would be the responsibility of Hongkong Post
to chan
On 02/24/2009 01:47 PM, Ian G:
Right. This can also be seen as evidence that secure browsing has not
protected the users, because it was so easily bypassed.
Or the price to stage an attack using SSL is still considered too
high. It's rather a point for SSL than against IMO.
If the securi
On 02/24/2009 01:22 PM, Reed Loden:
This change has been reverted. We (the Mozilla SysAdmins) are working on several
ways to combat the spam, but disabling the news->mail gateway isn't the right
solution to this problem
Thank you!
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start..
ma...@e-mice.net wrote:
Hongkong Post is seriously looking into this suggestion right now.
However, I can imagine that the decision will be very tough because,
you know, traditionally revocation checking is done by the application
developer or none. I have doubt whether most of application develo
On 24/2/09 02:11, Eddy Nigg wrote:
On 02/24/2009 02:35 AM, Ian G:
The point that is made is that the "positive response" is so weak that
it doesn't support the overall effect; the attacker just prefers to
trick the user using HTTP and some favicons or other simple symbols. And
(so the author cla
On Tue, 24 Feb 2009 05:22:35 -0600
Reed Loden wrote:
> I've filed https://bugzilla.mozilla.org/show_bug.cgi?id=479949 to track this
> issue, ...
Apparently, I didn't notice https://bugzilla.mozilla.org/show_bug.cgi?id=425122
when filing, so I've duped the above bug to bug 425122. Oh well.
~re
On Mon, 23 Feb 2009 20:31:09 -0800
Nelson B Bolyard wrote:
> Sorry. I hate having to do this, but with all the spam that has gone
> to the mailing list today, because it came through google groups, I must
> disable the news->mail gateway for a time to stop the spam.
This change has been reverte
Kyle Hamilton wrote:
How did the language in 5280 change the behavior of critical CRL
extensions?
Briefly, RFC 5280 allows (and implicitly endorses) a scenario where the
implementation might not fully support a critical CIDP extension and all
that it entailed (i.e., handling partitioned CRLs
On Feb 24, 7:57 am, Frank Hecker wrote:
> Nelson B Bolyard wrote:
> > 1. As you may know, the EV spec says that a client should not give a
> > cert the full EV treatment unless/until it has done some successful
> > revocation check (CRL or OCSP, this year) at least on the EE cert.
> > Beginning wi
Kyle Hamilton wrote:
So. If I understand correctly:
1) HKP issued certs currently do not cause problems.
2) HKP has been notified how their system may cause problems in the future.
3) HKP is not requesting EV status, so any EV-specific discussion is
irrelevant at this time.
4) HKP meets all o
18 matches