Re: Unbelievable!

2009-01-08 Thread Jean-Marc Desperrier
Eddy Nigg wrote: [...] We received already calls from people confusing us with them. - *certstar.com* as opposed to *cert.startcom*.org Then sue them really. A concurrent that uses a company name that brings confusion for ordinary people is a typical case in which you can sue. Call your lawy

Re: Unbelievable!

2009-01-06 Thread timeless
On Dec 31 2008, 12:28 am, "Kyle Hamilton" wrote: > (note: "unknown_issuer" without talking at all about who the issuer > claims to be you're missing a critical point: the issuer is something about which we know nothing. someone could claim "issuer: GOD" or "issuer: POTUS" or "issuer: VeriSign".

Re: Unbelievable!

2009-01-06 Thread timeless
On Dec 25 2008, 12:36 am, "Kyle Hamilton" wrote: > To be honest, Mozilla doesn't distribute keytool with Firefox, which > means that I have to try to go into the > (unbatchable) interface this is false. the ui is built as xul with js bindings to c++ objects which use idl to expose methods. the j

Re: Unbelievable!

2009-01-05 Thread Julien R Pierre - Sun Microsystems
Kyle, Kyle Hamilton wrote: I am minded of the CRL entry reason "remove from CRL". Does NSS properly handle that reason-code? The reason code "remove from CRL" is only applicable to delta CRLs. In addition, this is only allowed if the certificate had the status of "on hold" in the base CRL.

Re: Unbelievable!

2009-01-05 Thread Julien R Pierre - Sun Microsystems
Kyle, Kyle Hamilton wrote: On Wed, Dec 24, 2008 at 2:46 PM, Eddy Nigg wrote: On 12/25/2008 12:36 AM, Kyle Hamilton: To be honest, Mozilla doesn't distribute keytool with Firefox, which means that I have to try to go into the (unbatchable) interface and remove the flags one. by. one. by. one.

Re: Unbelievable!

2009-01-03 Thread Eddy Nigg
On 01/03/2009 06:41 PM, Florian Weimer: I can understand that point of view. But what you seem to be asking is that browser vendors take the role of judges, regulating CA behavior. Shouldn't that be better left to the court system, keeping Mozilla out of the loop? What advantage does Mozilla

Re: Unbelievable!

2009-01-03 Thread Nelson B Bolyard
Gervase Markham wrote, On 2008-12-27 05:07: > Hi John, > > You raise some important questions, but it's worth having clarity on a > few matters of fact. > > John Nagle wrote: >>1.AddTrust, a company which apparently no longer exists, has an >> approved >> root CA certificate. This in

Re: Unbelievable!

2009-01-03 Thread Florian Weimer
* Eddy Nigg: >> just because CAs start to play games with each other. This is not >> about "security proper". You're trying to pull us into a PR attack >> on one of your competitors, thereby willingly reducing confidence >> in ecommerce. (I'm exaggerating a bit, of course.) > > Exactly the oppo

Re: Unbelievable!

2008-12-30 Thread Kyle Hamilton
On Tue, Dec 30, 2008 at 1:04 PM, Florian Weimer wrote: > BCP 38 requires that active MITM attacks don't work on LANs. LANs > which violate that and are under attack are typically not very usable: > Search engines blocks you due to automated queries, DHCP and DNS > delivers data which is not 100% a

Re: Unbelievable!

2008-12-30 Thread Gervase Markham
Ian G wrote: > Where is this documented? I do not recall a mention of this in the > guidelines. It would seem to be a fairly important point! As I understand it, this is a feature of our implementation of EV, not anything to do with the guidelines. Just as we are enabling roots for EV one at a t

Re: Unbelievable!

2008-12-30 Thread Gervase Markham
Ben Bucksch wrote: > We try to train users to check that the bar is green (on sites where it > was green before), and not use the site when it's merely blue. > Otherwise, EV is useless, as the scammer could get a, say, CertStar > cert, to fake an EV site, right? Only when people start getting > con

Re: Unbelievable!

2008-12-30 Thread Nelson B Bolyard
Florian Weimer wrote, On 2008-12-30 13:04: > * Michael Ströder: > >> Florian Weimer wrote: >>> Even if you've got the certificate, you need to attack IP routing or >>> DNS. If you can do that, chances are that you can mount this attack >>> against one of the domain-validating RAs, and still recei

Re: Unbelievable!

2008-12-30 Thread Florian Weimer
* Michael Ströder: > Florian Weimer wrote: >> Even if you've got the certificate, you need to attack IP routing or >> DNS. If you can do that, chances are that you can mount this attack >> against one of the domain-validating RAs, and still receive a >> certificate. So the browser PKI is current

Re: Unbelievable!

2008-12-30 Thread Ben Bucksch
On 27.12.2008 13:34, Gervase Markham wrote: sayrer wrote: The truth is that we are basically unable to act without a lot of collateral damage. We should keep this in mind with future security technology. Relying on companies willing to take money for doing absolutely nothing (not even the ba

Re: Unbelievable!

2008-12-28 Thread Nelson B Bolyard
Kyle Hamilton wrote, On 2008-12-27 15:56: > I am a user. I am worried about MITM attacks. > > Unlike most users, I'm technically and legally savvy enough to know: > 1) Why to perform my due diligence > 2) How to perform my due diligence > 3) How to add the root into my store > > However, I have

Re: Unbelievable!

2008-12-27 Thread Kyle Hamilton
I am a user. I am worried about MITM attacks. Unlike most users, I'm technically and legally savvy enough to know: 1) Why to perform my due diligence 2) How to perform my due diligence 3) How to add the root into my store However, I have additional problems that I can't deal with through the st

Re: Unbelievable!

2008-12-27 Thread Eddy Nigg
On 12/27/2008 10:36 PM, Florian Weimer: As a downstream distributor of Mozilla code, StartCom is also a downstream distributor of Mozilla code... I'd hate to roll out updates (especially security updates) ...which happens every two months anyway... just because CAs start to play games with

Re: Unbelievable!

2008-12-27 Thread Eddy Nigg
On 12/27/2008 11:07 PM, Michael Ströder: I meant the RA should also be audited during the CA audit. This in turn would be similar to this https://wiki.mozilla.org/CA:Problematic_Practices#Allowing_external_entities_to_operate_unconstrained_subordinate_CAs At this stage I'm not proposing to

Re: Unbelievable!

2008-12-27 Thread Michael Ströder
Florian Weimer wrote: > Even if you've got the certificate, you need to attack IP routing or > DNS. If you can do that, chances are that you can mount this attack > against one of the domain-validating RAs, and still receive a > certificate. So the browser PKI is currently irrelevant for practica

Re: Unbelievable!

2008-12-27 Thread Michael Ströder
Eddy Nigg wrote: > On 12/27/2008 05:10 PM, Michael Ströder: >> Frank Hecker wrote: >>> (Plus the expense of a full WebTrust for >>> CAs audit is likely an order of magnitude higher than Certstar's >>> probable revenues.) >> >> It's Comodo's business decision whether they delegate some tasks to an >

Re: Unbelievable!

2008-12-27 Thread Florian Weimer
* Eddy Nigg: > On 12/27/2008 05:38 PM, Florian Weimer: >>> Isn't that, by itself, a very good reason to take immediate action? >>> Security should be default-fail rather than default-pass. >> >> This is not about security, this is about the presence or absence of >> an obscure browser warning. > >

Re: Unbelievable!

2008-12-27 Thread Eddy Nigg
On 12/27/2008 03:07 PM, Gervase Markham: This is extremely common. Certificates change hands. Failing to honour root certificates which are no longer owned by the companies which created them would break a significant proportion of the web. Microsoft does not have a policy preventing this. In

Re: Unbelievable!

2008-12-27 Thread Ian G
On 27/12/08 20:01, Eddy Nigg wrote: On 12/27/2008 05:38 PM, Florian Weimer: Isn't that, by itself, a very good reason to take immediate action? Security should be default-fail rather than default-pass. This is not about security, this is about the presence or absence of an obscure browser warn

Re: Unbelievable!

2008-12-27 Thread Eddy Nigg
On 12/27/2008 05:38 PM, Florian Weimer: Isn't that, by itself, a very good reason to take immediate action? Security should be default-fail rather than default-pass. This is not about security, this is about the presence or absence of an obscure browser warning. Huuu? Have you understood the

Re: Unbelievable!

2008-12-27 Thread Eddy Nigg
On 12/27/2008 05:10 PM, Michael Ströder: Frank Hecker wrote: (Plus the expense of a full WebTrust for CAs audit is likely an order of magnitude higher than Certstar's probable revenues.) It's Comodo's business decision whether they delegate some tasks to an external RA or not and whether the r

Re: Unbelievable!

2008-12-27 Thread Frank Hecker
Michael Ströder wrote: If e.g. a Linux distributor wants to ship Firefox and trims the list of pre-installed trusted root CA certs is it still allowed to distribute the resulting code as Firefox? That's a decision for the people at the Mozilla Corporation who work with Linux distributors and o

Re: Unbelievable!

2008-12-27 Thread Michael Ströder
Frank Hecker wrote: > John Nagle wrote: >>As a user of SSL certificates in our SiteTruth system, which >> attempts to identify and rate the business behind a web site, we're >> concerned about CA reliability and trust. We've been using Mozilla's >> approved root cert list for our system, and a

Re: Unbelievable!

2008-12-27 Thread Michael Ströder
Ian G wrote: > That "earlier story" has no real place here, IMHO. This is a forum for > the discussion of technical, crypto, root and general PKI issues, by > either dictat or convention. It is not a forum for the airing of > general business complaints. I agree that the effects of this whole st

Re: Unbelievable!

2008-12-27 Thread David E. Ross
On 12/27/2008 5:48 AM, Michael Ströder wrote [in part]: > ro...@comodo.com wrote [in part]: >> On Dec 24, 2:13 am, "Paul C. Bryan" wrote: >>> 2. Are resellers subject to the same audits that Comodo presumably had >>> to undergo to get its root certs added to Mozilla? Who performs, and >>> who veri

Re: Unbelievable!

2008-12-27 Thread David E. Ross
On 12/27/2008 5:07 AM, Gervase Markham wrote [in part]: > Hi John, > > You raise some important questions, but it's worth having clarity on a > few matters of fact. > > John Nagle wrote [also in part]: >>1.AddTrust, a company which apparently no longer exists, has an >> approved >> ro

Re: Unbelievable!

2008-12-27 Thread Florian Weimer
* Hendrik Weimer: > Frank Hecker writes: > >> My intent is to balance the disruption that would be caused by pulling >> a root vs. the actual security threat to users. Right now we have no >> real idea as to the extent of the problem (e.g., how many certs might >> have been issued without proper

Re: Unbelievable!

2008-12-27 Thread Michael Ströder
Ian G wrote: > On 27/12/08 13:43, Eddy Nigg wrote: >> So? Mozilla really shouldn't care about the business revenues of some >> CAs. How is that relevant? > > Well, a normal lesson of business is that we can't get business people > to agree to something if their revenues go down... PKI is business

Re: Unbelievable!

2008-12-27 Thread Michael Ströder
Frank Hecker wrote: > John Nagle wrote: >>2.CertStar must separately undergo an audit to WebTrust standards, >> and the audit report must be published. > > Certstar isn't a CA, and thus the WebTrust for CAs criteria are not > necessarily a good fit for it. If a CA delegates some tasks

Re: Unbelievable!

2008-12-27 Thread Ian G
On 27/12/08 13:43, Eddy Nigg wrote: On 12/27/2008 02:16 PM, Ian G: Indeed, this is the "Verisign buyout model"; outsource something new, get huge, get bought out by Verisign. What has that to do exactly with what Paul agreed to? It doesn't matter in business principle whether it outsources a

Re: Unbelievable!

2008-12-27 Thread Ian G
On 27/12/08 13:34, Gervase Markham wrote: sayrer wrote: The truth is that we are basically unable to act without a lot of collateral damage. We should keep this in mind with future security technology. Relying on companies willing to take money for doing absolutely nothing (not even the bare min

Re: Unbelievable!

2008-12-27 Thread Frank Hecker
John Nagle wrote: As a user of SSL certificates in our SiteTruth system, which attempts to identify and rate the business behind a web site, we're concerned about CA reliability and trust. We've been using Mozilla's approved root cert list for our system, and are considering whether we should

Re: Unbelievable!

2008-12-27 Thread Gervase Markham
Eddy Nigg wrote: > On 12/27/2008 02:34 PM, Gervase Markham: >> One of the points of EV was to allow us to act against a CA without >> massive collateral damage. We can remove EV status from a root without >> disabling the root entirely. > > Which unfortunately isn't really effective for the issue

Re: Unbelievable!

2008-12-27 Thread Michael Ströder
Gervase Markham wrote: > We (Mozilla) would expect Comodo to be issuing certificates under any > root it owns, whether the name on the root is its own or another's, > in compliance with the Mozilla CA policy and the audits it has > passed. > [..] > There are root certificates in the store which bea

Re: Unbelievable!

2008-12-27 Thread Michael Ströder
ro...@comodo.com wrote: > On Dec 24, 2:13 am, "Paul C. Bryan" wrote: >> 2. Are resellers subject to the same audits that Comodo presumably had >> to undergo to get its root certs added to Mozilla? Who performs, and >> who verifies such audits? How often are they performed? > No, the RAs are not su

Re: Unbelievable!

2008-12-27 Thread Michael Ströder
Ian G wrote: > On 26/12/08 00:36, Michael Ströder wrote: >> Paul Hoffman wrote: >>> At 7:16 PM +0100 12/25/08, Michael Ströder wrote: I'd tend to punish a rogue CA by removing their root CA cert from NSS. > > I do not see a rogue CA. The evidence of the posts here suggests a flaw > leading t

Re: Unbelievable!

2008-12-27 Thread Ian G
On 27/12/08 02:21, Paul C. Bryan wrote: On Dec 26, 4:40 pm, Ian G wrote: With respect: This is a forum for the discussion of technical, crypto, root and general PKI issues, by either dictat or convention. It is not a forum for the airing of general business complaints. Are you characteriz

Re: Unbelievable!

2008-12-27 Thread Gervase Markham
Hi John, You raise some important questions, but it's worth having clarity on a few matters of fact. John Nagle wrote: >1.AddTrust, a company which apparently no longer exists, has an > approved > root CA certificate. This in itself is troublesome. This is extremely common. Certifi

Re: Unbelievable!

2008-12-27 Thread Eddy Nigg
On 12/27/2008 02:34 PM, Gervase Markham: One of the points of EV was to allow us to act against a CA without massive collateral damage. We can remove EV status from a root without disabling the root entirely. Which unfortunately isn't really effective for the issue we are facing today. Removin

Re: Unbelievable!

2008-12-27 Thread Kyle Hamilton
I'll also mention that these CAs are supposed to be audited to "financial services" levels. The root that it chains to is EV-enabled. The fact that audits didn't pick up on the discrepancies that Eddy found between Comodo's CP/CPS and Robin's statements suggests that Comodo's playing dirty pool,

Re: Unbelievable!

2008-12-27 Thread Eddy Nigg
On 12/27/2008 02:16 PM, Ian G: Indeed, this is the "Verisign buyout model"; outsource something new, get huge, get bought out by Verisign. What has that to do exactly with what Paul agreed to? It doesn't matter in business principle whether it outsources a function to a reseller, to its emplo

Re: Unbelievable!

2008-12-27 Thread Gervase Markham
Dan Colascione wrote: > Frankly, that's even *more* disturbing. It means that there are almost > certainly unverified certificates in the wild, and that this problem > is pervasive. You mean, you wouldn't be disturbed at all if Comodo had done loads of auditing and found absolutely no problems wha

Re: Unbelievable!

2008-12-27 Thread Gervase Markham
sayrer wrote: > The truth is that we are basically unable to act without a lot of > collateral damage. We should keep this in mind with future security > technology. Relying on companies willing to take money for doing > absolutely nothing (not even the bare minimum they agreed to) is not a > pleas

Re: Unbelievable!

2008-12-27 Thread Gervase Markham
Michael Ströder wrote: > Given the large amount of self-generated server certs this problem > already exists. Large number != large % of visits. A million Joe Publics might use the Internet for 5 years to do their online shopping without once encountering a self-signed cert or a certificate error

Re: Unbelievable!

2008-12-27 Thread Ian G
On 27/12/08 04:47, Paul C. Bryan wrote: On Dec 26, 5:38 pm, Nelson B Bolyard wrote: Clearly several participants in this discussion were surprised that a CA would delegate the duty of validating domain control to an RA, and some opined that a CA ought to perform that duty itself. I certainly

Re: Unbelievable!

2008-12-26 Thread Paul C. Bryan
On Dec 26, 5:38 pm, Nelson B Bolyard wrote: > Clearly several participants in this discussion were surprised that a CA would > delegate the duty of validating domain control to an RA, and some opined > that a CA ought to perform that duty itself. I certainly fall in that category. > I'm not con

Re: Unbelievable!

2008-12-26 Thread Kyle Hamilton
I am minded of the CRL entry reason "remove from CRL". Does NSS properly handle that reason-code? If so, a temporary revocation of all unknown certificates might be a sound practice, removing them from the CRL as they're found and verified. We are running up against problems that are caused by a

Re: Unbelievable!

2008-12-26 Thread Nelson B Bolyard
ro...@comodo.com wrote, On 2008-12-26 03:28: >We have finished our initial investigation on the certificates > issued by Certstar. > > Of the 111 orders that had been placed through Certstar there remain > 13 orders for which we have still not been able to gather adequate > evidence of the ap

Re: Unbelievable!

2008-12-26 Thread Eddy Nigg
On 12/27/2008 03:22 AM, Eddy Nigg: You don't seem to get it, do you? The story starts before your stating of the facts you would like us to believe. The story starts with putting resellers and so-called RAs in charge of validation procedures they have no clue about and with failing to audit, app

Re: Unbelievable!

2008-12-26 Thread Eddy Nigg
On 12/27/2008 02:40 AM, Ian G: On 27/12/08 00:53, Eddy Nigg wrote: Yeah right! It really depends what the right balance is, ehhh?! There is no "right balance" just like there is no world peace. Security is an economic phenomenon, not a beauty pageant. No, security is an inconvenience, but

Re: Unbelievable!

2008-12-26 Thread Paul C. Bryan
On Dec 26, 4:40 pm, Ian G wrote: With respect: > This is a forum for the discussion of technical, crypto, root and general PKI > issues, by either dictat or convention.  It is not a forum for the airing of > general > business complaints. Are you characterizing this issue as merely a general b

Re: Unbelievable!

2008-12-26 Thread Ian G
On 27/12/08 00:53, Eddy Nigg wrote: On 12/27/2008 12:54 AM, Ian G: We can no more "prevent" bad certs than we can stop the winter from coming. The point is to put in place economically reasonable policies and practices that meet an appropriate balance of security versus cost. Yeah right! It

Re: Unbelievable!

2008-12-26 Thread Eddy Nigg
On 12/27/2008 12:54 AM, Ian G: We can no more "prevent" bad certs than we can stop the winter from coming. The point is to put in place economically reasonable policies and practices that meet an appropriate balance of security versus cost. Yeah right! It really depends what the right balance

Re: Unbelievable!

2008-12-26 Thread Ian G
On 27/12/08 00:15, Kyle Hamilton wrote: On Fri, Dec 26, 2008 at 3:12 PM, Ian G wrote: (Although I think, it is a singular observation: there is no effective dispute resolution for this case or any other. What does that say?) That there is no reason to trust a system without dispute resoluti

Re: Unbelievable!

2008-12-26 Thread Kyle Hamilton
On Fri, Dec 26, 2008 at 3:12 PM, Ian G wrote: > (Although I think, it is a singular observation: there is no effective > dispute resolution for this case or any other. What does that say?) That there is no reason to trust a system without dispute resolution procedures. -Kyle H

Re: Unbelievable!

2008-12-26 Thread Ian G
On 26/12/08 02:28, Gen Kanai wrote: On Dec 26, 2008, at 1:49 AM, Frank Hecker wrote: Beyond that? It's somewhat of an open question. Frank Mozilla needs to have a concrete policy and procedures in place so that there is no question as to what the penalties would be for future actions of thi

Re: Unbelievable!

2008-12-26 Thread Ian G
On 26/12/08 22:38, Kyle Hamilton wrote: See, Robin, my thought is this: You've already shown that it's possible for the RA function to bypass all controls. At this point, because they're not subject to the same audits that Comodo is, and because the last WebTrust audit that anyone here can find

Re: Unbelievable!

2008-12-26 Thread Paul C. Bryan
On Dec 26, 2:18 pm, "Paul C. Bryan" wrote: > This link responds with an error result. Apologies. Disregard my statement about the link error. I realized it's two links. I will now go drink some more coffee to increase my alertness level.

Re: Unbelievable!

2008-12-26 Thread Paul C. Bryan
Thanks for your response Robin. On Dec 26, 1:10 pm, ro...@comodo.com wrote: > Comodo accepts responsibility for the work of its RAs in the > validation that they do leading to the issuance of certificates under > our root certificates. You failed to answer the other half of this question. What s

Re: Unbelievable!

2008-12-26 Thread Kyle Hamilton
On Fri, Dec 26, 2008 at 1:52 PM, Eddy Nigg wrote: > On 12/26/2008 11:38 PM, Kyle Hamilton: >> >> You've already shown that it's possible for the RA function to bypass >> all controls. At this point, because they're not subject to the same >> audits that Comodo is, and because the last WebTrust au

Re: Unbelievable!

2008-12-26 Thread Eddy Nigg
On 12/26/2008 11:38 PM, Kyle Hamilton: You've already shown that it's possible for the RA function to bypass all controls. At this point, because they're not subject to the same audits that Comodo is, and because the last WebTrust audit that anyone here can find any record of is in 2007, I find

Re: Unbelievable!

2008-12-26 Thread Kyle Hamilton
See, Robin, my thought is this: You've already shown that it's possible for the RA function to bypass all controls. At this point, because they're not subject to the same audits that Comodo is, and because the last WebTrust audit that anyone here can find any record of is in 2007, I find it diffi

Re: Unbelievable!

2008-12-26 Thread robin
On Dec 24, 2:13 am, "Paul C. Bryan" wrote: > On Dec 23, 5:56 pm, ro...@comodo.com wrote: > Some questions: > > 1. Does Comodo take full responsibility for the actions of its > resellers? If so, how should the repercussions of such failures be to > Comodo? Comodo accepts responsibility for the work

Re: Unbelievable!

2008-12-26 Thread Paul C. Bryan
Dear Robin: You have not yet responded to my questions. I believe they are reasonable. Will you answer them in this forum? Yours truly, Paul C. Bryan ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/

Re: Unbelievable!

2008-12-26 Thread Eddy Nigg
On 12/26/2008 01:28 PM, ro...@comodo.com: www.mozilla.com, as he has already described. As we previously stated, the certificate for www.mozilla.com was revoked shortly after it was issued. It would behoove yourself if you'd stick with the facts at least. You keep claiming that you detected i

Re: Unbelievable!

2008-12-26 Thread Frank Hecker
Kyle Hamilton wrote: https://bugzilla.mozilla.org/show_bug.cgi?id=426575 UTN-UserFIRST-Hardware is enabled for EV per that bug. My apologies, you are right and my recollection was wrong. Frank -- Frank Hecker hec...@mozillafoundation.org

Re: Unbelievable!

2008-12-26 Thread robin
On Dec 25, 4:49 pm, Frank Hecker wrote: > Michael Ströder wrote: > > Could you please define a time-frame within Comodo MUST react? > > Comodo (in the person of Robin Alden) has already made a reply: > > http://groups.google.com/group/mozilla.dev.tech.crypto/msg/b24e70ea2c396bb5 > > The question i

Re: Unbelievable!

2008-12-26 Thread Kyle Hamilton
https://bugzilla.mozilla.org/show_bug.cgi?id=426575 UTN-UserFIRST-Hardware is enabled for EV per that bug. -Kyle H On Thu, Dec 25, 2008 at 9:59 AM, Frank Hecker wrote: > Kyle Hamilton wrote: >> >> What is the effect of this problem on the request to enable the >> UTN-UserFirst-Hardware root for

Re: Unbelievable!

2008-12-25 Thread Ian G
On 26/12/08 00:36, Michael Ströder wrote: Paul Hoffman wrote: At 7:16 PM +0100 12/25/08, Michael Ströder wrote: I'd tend to punish a rogue CA by removing their root CA cert from NSS. I do not see a rogue CA. The evidence of the posts here suggests a flaw leading to false certs was found an

Re: Unbelievable!

2008-12-25 Thread Eddy Nigg
On 12/26/2008 03:28 AM, Gen Kanai: I personally like John Nagle's proposal from earlier in this thread: http://groups.google.com/group/mozilla.dev.tech.crypto/msg/9443ba781a669879 Gen, one thing to note, that Comodo most likely performs a yearly WebTrust audit, though the last one I can see

Re: Unbelievable!

2008-12-25 Thread Gen Kanai
On Dec 26, 2008, at 1:49 AM, Frank Hecker wrote: Beyond that? It's somewhat of an open question. Frank Mozilla needs to have a concrete policy and procedures in place so that there is no question as to what the penalties would be for future actions of this kind. I personally like John

Re: Unbelievable!

2008-12-25 Thread Michael Ströder
Paul Hoffman wrote: > At 7:16 PM +0100 12/25/08, Michael Ströder wrote: >> I'd tend to punish a rogue CA by removing their root CA cert from NSS. >> Maybe this serves as a good example to other CAs that the Mozilla CA >> policy is really enforced. Otherwise nobody will care. > > This is Firefox we

Re: Unbelievable!

2008-12-25 Thread Eddy Nigg
On 12/26/2008 12:24 AM, Paul Hoffman: At 7:16 PM +0100 12/25/08, Michael Ströder wrote: I'd tend to punish a rogue CA by removing their root CA cert from NSS. Maybe this serves as a good example to other CAs that the Mozilla CA policy is really enforced. Otherwise nobody will care. This is Fir

Re: Unbelievable!

2008-12-25 Thread Eddy Nigg
On 12/25/2008 08:16 PM, Michael Ströder: The question is, what else do we want Comodo to do in this case? What really strikes me is that this case was only detected by Eddy because of Certstar's spam e-mails. Even though I believe that Robin and his crew are really angry with me right now

Re: Unbelievable!

2008-12-25 Thread Paul Hoffman
At 7:16 PM +0100 12/25/08, Michael Ströder wrote: >I'd tend to punish a rogue CA by removing their root CA cert from NSS. >Maybe this serves as a good example to other CAs that the Mozilla CA >policy is really enforced. Otherwise nobody will care. This is Firefox we're talking about, not IE. Do yo

Re: Unbelievable!

2008-12-25 Thread Paul Hoffman
At 11:13 PM -0800 12/24/08, Daniel Veditz wrote: >Paul Hoffman wrote: >> At 1:16 AM +0200 12/24/08, Eddy Nigg wrote: >>> Select Preferences -> Advanced -> View Certificates -> Authorities. >>> Search for AddTrust AB -> AddTrust External CA Root and click >>> "Edit". Remove all Flags. >> >> Doesn't

Re: Suspend trust bit (was Unbelievable!)

2008-12-25 Thread Kyle Hamilton
If Frank's desire to balance user benefit from keeping the root in with user security by taking the root out is to be upheld, then there needs to be a way to notify the software user that there is a valid complaint against the operator of the CA in question. If it drives business away from the CA

Re: Unbelievable!

2008-12-25 Thread Kyle Hamilton
I've already stated my preference. To reiterate: Actually, I think it's very important that the accounting include this: for each name (not just certificate, but name in subjectAlternativeNames) that has been certified, a connection to the TLS ports should be made, and the certificate presented

Re: Unbelievable!

2008-12-25 Thread Michael Ströder
Frank Hecker wrote: > Michael Ströder wrote: >> Frank Hecker wrote: >>> From my point of view I'd wait on more >>> information regarding items 2 and 3 above before making a >>> recommendation. >> >> Could you please define a time-frame within Comodo MUST react? > > Comodo (in the person of Robin A

Re: Unbelievable!

2008-12-25 Thread Frank Hecker
Kyle Hamilton wrote: What is the effect of this problem on the request to enable the UTN-UserFirst-Hardware root for EV, https://bugzilla.mozilla.org/show_bug.cgi?id=401587 ? I think (but don't have time to confirm right at the moment) that that request is moot. As far as I know, Comodo EV cer

Re: Unbelievable!

2008-12-25 Thread Frank Hecker
Michael Ströder wrote: Frank Hecker wrote: From my point of view I'd wait on more information regarding items 2 and 3 above before making a recommendation. Could you please define a time-frame within Comodo MUST react? Comodo (in the person of Robin Alden) has already made a reply: http://g

Re: Unbelievable!

2008-12-25 Thread Ian G
On 24/12/08 15:17, Frank Hecker wrote: Gen Kanai wrote: More discussion on this topic over at Programming Reddit: http://www.reddit.com/r/programming/comments/7lb96/ssl_certificate_for_mozillacom_issued_without/ Unfortunately the discussion devolved (as it always does :-) into the merits of

Re: Unbelievable!

2008-12-25 Thread Eddy Nigg
On 12/25/2008 02:39 PM, Michael Ströder: doug...@theros.info wrote: I, for example, have a ssl cert from comodo reseller, and they DO have made all the validation steps. My site, a legitimate one, would be in trouble with this. Are you all sure that it is a good measure to just knock off the ro

Re: Unbelievable!

2008-12-25 Thread Michael Ströder
doug...@theros.info wrote: > I, for example, have a ssl cert from comodo reseller, and they DO have > made all the validation steps. > > My site, a legitimate one, would be in trouble with this. Are you all > sure that it is a good measure to just knock off the root cert or > security bit? > > pl

Re: Unbelievable!

2008-12-25 Thread Michael Ströder
Justin Dolske wrote: > ...I think there's some risk that if a Firefox update suddenly breaks a > large swath of legitimate SSL sites, that could end up training users to > ignore the problem. Given the large amount of self-generated server certs this problem already exists. Ultimately you cannot h

Re: Unbelievable!

2008-12-25 Thread Michael Ströder
Kyle Hamilton wrote: > I hate to say this, but this IS The Worst-Case Scenario. A CA has > gone rogue and issued certificates that violate its standards, and the > standards of the root programs that it's a part of -- it is true that > Comodo didn't /intend/ to go rogue, but it has, and we can't a

Re: Unbelievable!

2008-12-25 Thread Michael Ströder
Kyle Hamilton wrote: > [..many good observations snipped..] > Because of this, my recommendation that Comodo's trust bits be removed > until a full audit of their practices (and a full audit of all issued > certificates) stands, and I am that much more resolute in my belief. Full ack! Ciao, Micha

Re: Unbelievable!

2008-12-25 Thread Michael Ströder
Frank Hecker wrote: > From my point of view I'd wait on more > information regarding items 2 and 3 above before making a recommendation. Could you please define a time-frame within Comodo MUST react? Ciao, Michael.

Re: Suspend trust bit (was Unbelievable!)

2008-12-25 Thread Michael Ströder
Eddy Nigg wrote: > On 12/23/2008 09:09 AM, Kyle Hamilton: >> Of course, this would be an NSS change (the addition of a 'trust >> suspended' bit, > > I think this to be an interesting idea and should be considered. I really wonder why there should be one state more. And how is it going to be set (

Re: Unbelievable!

2008-12-25 Thread Michael Ströder
Kyle Hamilton wrote: > (Especially if Comodo delegates full Registration Authority capability > without verification, which seems to be the case -- though they could > have simply issued a sub-CA certificate.) Delegating the RA's tasks is still different from issuing a sub-CA cert since with a del

Re: Unbelievable!

2008-12-25 Thread Daniel Veditz
Kyle Hamilton wrote: > I then have to click at least six > times to try to figure out what's going on, and then when I do find a > site that's protected by an unknown CA certificate (OR that I've > removed the trust bits on), I have to do the following: > > 1) Click 'add an exception' > 2) click '

Re: Unbelievable!

2008-12-24 Thread Daniel Veditz
Paul Hoffman wrote: > At 1:16 AM +0200 12/24/08, Eddy Nigg wrote: >> Select Preferences -> Advanced -> View Certificates -> Authorities. >> Search for AddTrust AB -> AddTrust External CA Root and click >> "Edit". Remove all Flags. > > Doesn't this seem like a better solution than "sue Mozilla fo

Re: Unbelievable!

2008-12-24 Thread Paul Hoffman
At 1:46 PM -0800 12/24/08, Nelson B Bolyard wrote: >Paul Hoffman wrote, On 2008-12-24 09:55: > > - Remove all trust anchors one-by-one >> - Add your single trust anchor >> - Sign the certs of any CA you want >> - Add those signed certs to the pre-loaded validation path (not root) > > cert list > >O

Re: Unbelievable!

2008-12-24 Thread Paul Hoffman
At 11:35 AM -0800 12/24/08, Kyle Hamilton wrote: >In the terminology of ASN.1 and PKIX, I want a standardized PKIX >extension that allows for a SEQUENCE OF Certificate within the >tbsCertificate structure. That makes no sense to me, but I would have to see a complete proposal to understand why yo

Re: Unbelievable!

2008-12-24 Thread sayrer
On Dec 23, 10:33 pm, Paul Hoffman wrote: > At 1:16 AM +0200 12/24/08, Eddy Nigg wrote: > > >Select Preferences -> Advanced -> View Certificates -> Authorities. Search > >for AddTrust AB -> AddTrust External CA Root and click "Edit". Remove all > >Flags. > > Put more rudely, why do you expect Dad

Re: Unbelievable!

2008-12-24 Thread Nelson B Bolyard
Kyle Hamilton wrote, On 2008-12-24 14:53: > On Wed, Dec 24, 2008 at 2:46 PM, Eddy Nigg wrote: >> On 12/25/2008 12:36 AM, Kyle Hamilton: >>> To be honest, Mozilla doesn't distribute keytool with Firefox, which >>> means that I have to try to go into the (unbatchable) interface and >>> remove the fl
