Hi Patricia,
patri...@certstar.com wrote:
> We have now strengthened our domain validation system so that such
> abuse cannot happen again.
just curious: How do you normally validate domain ownership?
TIA,
Thorsten
___
dev-tech-crypto mailing list
Eddy,
thanks for your elaborate answer. I have only a few questions (I'm still
learning... ;-) )
Eddy Nigg wrote:
>
> Let me add a few things here in order to make it clear what I meant:
>
> The Mozilla CA policy requires auditing of the CA and its
> infrastructure. In the past there were v
In Bug #378882 Eddy Nigg directed me here because of a SubCA audit
question: He states that root CAs in mozilla NSS must "Not circumvent
the audit requirement set forth by the Mozilla CA policy.
This means that the CAs which belong to this PKI and are under this root
MUST
be part of the audit. C
Nelson Bolyard wrote:
> On the other hand, it is possible that the domain validation was performed
> but that it was deceived through the use of DNS attacks. In his slides
> on the subject of DNS attacks, Dan Kaminsky did say that it was possible
> to deceive domain validation through DNS attacks.
Frank Hecker wrote:
> Second, in the case of T-Systems the issue seems to be that T-Systems
> functions primarily as a root CA, not as a CA issuing end-entity
> certificates. Therefore the T-Systems CPS does not address practices
> relating to issuance of end-entity certificates.
> The solu
Nelson B Bolyard wrote:
>
>> I think the solution that Jean-Marc outlined above would make some
>> sense: It would make it a bit easier to visit certain sites, but disturb
>> permanently if someone visits a site that has no trust anchor in firefox.
>
> There's a great deal of evidence, and co
Jean-Marc Desperrier wrote:
> So the solution I'd be in favor of is :
> - Declare the current SSL error screen a failure
> - Let people go through the SSL error screen easily, just like in Fx 2
> - After they have gone through the SSL error screen and as long as they
> stay on this SSL site, dis
Eddy,
just to make it clear: I'm not working for a CA, I am just a user.
Eddy Nigg wrote:
> Ohoommm, please note that the audit of T-Systems was completed only at
> the end of the previous year, which is usually a bad time anyway
> (holidays, vacations etc). Subsequently the process was star
Eddy Nigg wrote:
> Thorsten Becker:
>>
>> that's an excellent idea to schedule the start of a public discussion
>> phase every two weeks. Additionally it would be great to have a "public
>> queue", where every request that has passed the information gath
Steve wrote:
> I know, however if you look at the costs of a new certificate vs. the
> costs involved in training, waiting, applying workaround; purchasing a
> new certificate would make sense.
It would have made sense over a year ago when the whole process was
started - If Mozilla had said:
Eddy,
Eddy Nigg wrote:
> I think one CA in public discussion per time just fine, however the
> overall throughput could be accelerated. That would allow for a new CA
> every two weeks or so.
that's an excellent idea to schedule the start of a public discussion
phase every two weeks. Additi
Steve wrote:
> In article <[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] says...
>> Think about it : Instead of protecting them, Fx has pushed them to take
>> a decision that heightens their risk level, it would have been more
>> secure to let them go through the warning and access the site with Fx
Steve wrote:
> May I ask why a university didn't just obtain another SSL certificate?
> I mean you can obtain SSL certificates (RapidSSL is ~$20) cheap now.
We are only one of almost 200 universities and research institutes in
Germany that rely on services provided by the "Deutsche Forschung
Frank Hecker wrote:
> As it happens, I will be starting the first public comment period for
> T-Systems today.
That really is good news!
> We are doing what we can. However by design we do not simply
> "rubber-stamp" CA requests. We have an official policy which was
> developed through a proce
Hello,
I'm responsible for a university site in Germany that is SSL secured,
with a certificate issued by a CA which is trusted by T-Systems. The
T-Systems cert is not (yet) included in firefox, the details can be seen
in Bug 378882.
I'm currently seeing more and more Firefox users migrating t