On 2/18/12 11:30 PM, Jan Schejbal wrote:
On 2012-02-19 02:46, Stephen Schultze wrote:
Brian, any thoughts on this? Is this something we should be holding out
for, or should we look to other approaches?
A different interesting approach for a punishment could be removal of
the ability to
(please send follow-ups to mozilla.dev.tech.crypto)
Brian has in the past discussed proposed updates to NSS that would allow
us to penalize bad CA behavior by removing trust of all certs from a
given CA that were issued after a given date (or even for X amount of
time after a given date). The
On 2/12/11 7:03 AM, Eddy Nigg wrote:
If anybody else on this list would like to present a more compelling
argument than you have
as if your arguments are more convincing and the only ones that
count :-)
Not at all. I was inviting others to voice their support of your
position as well, b
On 2/11/11 3:11 PM, Eddy Nigg wrote:
improves reduces the spectrum of exploits... does this make any sense?
Thanks typo cop. I'm sure it's clear what I meant.
. It also places revocation power directly in the hands of the
subscriber.
That's the same as self-assertion. Most subscribers
On 2/11/11 5:57 AM, Eddy Nigg wrote:
On 02/11/2011 07:08 AM, From Steve Schultze:
Can you give an example?
Who the subscriber is (not higher level validation, sanity check)
I still can't decipher this.
what the requested host name is
There is no ambiguity in DANE.
what's the purpose of
On 2/11/11 4:39 AM, Rob Stradling wrote:
On Friday 11 Feb 2011 05:08:10 Steve Schultze wrote:
- OCSP and CRLs are unnecessary with DANE
Steve, may we presume that you only intended this statement to apply to the
use of self-signed certs with DANE?
When an EV (or OV) certificate issued by a t
On 2/10/11 5:36 PM, Eddy Nigg wrote:
On 02/10/2011 10:40 PM, From Stephen Schultze:
Until you actually explain why you think it's not correct that DV
relies on DNS,
I didn't say DV doesn't rely on DNS, almost everything on the [net] uses it.
Of course, but the fact th
On 2/10/11 3:33 PM, Eddy Nigg wrote:
On 02/10/2011 08:51 PM, From Stephen Schultze:
As I have said repeatedly (and you have never addressed) the CA DV
model relies on DNS and thus imports any vulnerabilities that exist in
a DNS-based model. CA DV blindly trusts DNS.
That's exactly
On 2/10/11 1:25 PM, Eddy Nigg wrote:
On 02/10/2011 07:20 PM, From Steve Schultze:
Zack, arguing with Eddy on this point is a losing proposition.
DNSSEC+TLSA has some demonstrably superior characteristics to CA
DV, but Eddy is not willing to concede this or even give detailed
reasoning.
Well