On 02/09/2012 02:20 AM, From Brian Smith:
Effectively, we would be making the most popular servers on the
internet faster, and giving them a significant competitive advantage
over less popular servers. I am not sure this is compatible with
Mozilla's positions on net neutrality and related issue
On 9/02/12 09:18 AM, Nelson B Bolyard wrote:
On 2012/02/08 12:57 PDT, Kai Engert wrote:
My criticism:
[snip]
Won't the set of CRLs be too big for download?
[snip]
This is my question as well.
Will they really include the CRLs from all of mozilla's trusted CAs?
Won't the union of all those C
On 02/08/2012 04:20 PM, Brian Smith wrote:
However, I don't think we should reject Google's improvement here because it
isn't perfect. OCSP fetching is frankly a stupid idea, and AFAICT, we're all
doing it mostly because everybody else is doing it and we don't want to look
less secure. In the
On 9/02/12 06:58 AM, Jean-Marc Desperrier wrote:
In conclusion I'm 100% in favor of Mozilla adopting this solution,
+1
I haven't looked closely but I'm confident they will do the right thing
in this area.
iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.
Eddy Nigg wrote:
> On 02/09/2012 12:18 AM, From Nelson B Bolyard:
> BTW, this proposal wouldn't be a problem if it would cover, let's say
> the top 500 sites and leave the rest to the CAs. There would be
> probably also the highest gains.
Effectively, we would be making the most popular servers on
On 02/09/2012 12:18 AM, From Nelson B Bolyard:
Will they really include the CRLs from all of mozilla's trusted CAs?
Won't the union of all those CRLs be huge, even if they strip off
certain reason codes?
BTW, this proposal wouldn't be a problem if it would cover, let's say the
top 500 sites a
Without expressing my opinions on the wisdom of whatever Google is
proposing...
What Jean-Marc has described (and what the Google post also describes)
is already covered by RFC 5280 in the concept of "indirect CRL", which
you can see in Section 5.
It is also worth pointing out that "indirect
On 2012/02/08 12:57 PDT, Kai Engert wrote:
>
> My criticism:
[snip]
> Won't the set of CRLs be too big for download?
[snip]
This is my question as well.
Will they really include the CRLs from all of mozilla's trusted CAs?
Won't the union of all those CRLs be huge, even if they strip off certain
r
On 02/08/2012 09:58 PM, From Jean-Marc Desperrier:
Whereas the optimal solution would be to download each day a delta
CRL, with only the difference with the previous day, and containing
only the revocation reasons you *really* care about (key compromise).
A certificate can be either valid, e
My criticism:
(a)
I don't like it that the amount of CRLs will be a subset of all CRLs.
What about all the revoked certificates that aren't included in the list?
With a dynamic mechanism like OCSP (and in the future OCSP stapling) you
don't have to make a selection.
(b)
I don't like it that
Hi,
Google just published the changes they are about to do in the revocation
checking in Chrome:
http://www.imperialviolet.org/2012/02/05/crlsets.html
In my opinion, maybe somewhat opposite to the way they describe it,
fundamentally they are not *at* *all* changing the standard PKI method
o
On 02/07/2012 06:04 PM, Kai Engert wrote:
> The CA will remember the association {IP, certificate}. In future
> requests, as long as this requesting IP requests a voucher for the same
> certificate, the described bidirectional authentication and verification
> will be sufficient.
Just a technicalit
On 08/02/12 12:43, Ondrej Mikle wrote:
On 02/07/2012 09:58 PM, Kai Engert wrote:
That's a reason why I propose vouchers to be IP specific.
In my understanding, each IP will have only a single certificate,
regardless from where in the world you connect to it.
It's not true in general. There
On 02/07/2012 09:58 PM, Kai Engert wrote:
> On 07.02.2012 17:54, Ondrej Mikle wrote:
>>> The phone calls would ensure that each registered person will be aware
>>> of the certificate issuance.
>>
>> This is getting very close to EV validation (Sovereign Keys have the
>> same issue).
>
> I'd say ma