Re: Pre- and Post- controls

2009-01-04 Thread Eddy Nigg
On 01/04/2009 04:48 AM, Ian G: On the punishment side, about all we have is "drop the root!" which I earlier described as a blunt weapon. Are we being sensible when we now have to "drop the root" for the three CAs who have reported problems? Actually we've discussed this issue just recently but

Re: Pre- and Post- controls

2009-01-04 Thread Eddy Nigg
On 01/04/2009 10:20 AM, Eddy Nigg: On 01/04/2009 04:48 AM, Ian G: On the punishment side, about all we have is "drop the root!" which I earlier described as a blunt weapon. Are we being sensible when we now have to "drop the root" for the three CAs who have reported problems? Oh btw. where do

Re: Fully open operation

2009-01-04 Thread David E. Ross
On 1/3/2009 6:51 PM, Ian G wrote: > It was written: >> But aren't auditors the eye of the public performing and recording those >> operations? > > > That's one theory. Here is another: Who is the client of the auditor? > The auditor has a duty to the client that (arguably) outweighs the > d

Re: Fully open operation

2009-01-04 Thread Ben Bucksch
On 04.01.2009 19:54, David E. Ross wrote: The line from auditor to the public has been drawn in the courts, where lawsuits against auditors by investors injured by corporate fraud have been successful. Yes. But as Ian pointed out, and you can see in the audit documents, e.g.

Re: Pre- and Post- controls

2009-01-04 Thread Daniel Veditz
Eddy Nigg wrote: > On 01/04/2009 10:20 AM, Eddy Nigg: >> On 01/04/2009 04:48 AM, Ian G: >>> On the punishment side, about all we have is "drop the root!" which I >>> earlier described as a blunt weapon. Are we being sensible when we now >>> have to "drop the root" for the three CAs who have reporte

Re: CABForum place in the world

2009-01-04 Thread Nelson B Bolyard
Ian G wrote, On 2009-01-03 19:19: > On 3/1/09 23:40, Nelson B Bolyard wrote: >> There's a great deal of anecdotal evidence (and some serious studies) >> that suggest that anything that goes on outside of the "content" area >> of the browser, and that does not actively engage the user, will be >

Re: Pre- and Post- controls

2009-01-04 Thread Florian Weimer
* Ian G.: > So what to do? Should "Mozilla" become "the judge" in the post-event > phase? Do we leave this job to the courts? Should we group together > on this list and pass final judgement? Should we all vote? Demand > changes? Should we implement California rules -- 3 strikes and the > ro

Re: Pre- and Post- controls

2009-01-04 Thread Daniel Veditz
Florian Weimer wrote: > EV is (also) an attempt to devalue existing infrastructure, so it's > some form of group punishment. It also provides browsers with a slightly less blunt weapon. If a CA clearly violates EV guidelines the browser could remove the EV-ness of the root without removing the roo

Re: Pre- and Post- controls

2009-01-04 Thread Eddy Nigg
On 01/04/2009 09:34 PM, Daniel Veditz: Florian Weimer wrote: EV is (also) an attempt to devalue existing infrastructure, so it's some form of group punishment. It also provides browsers with a slightly less blunt weapon. If a CA clearly violates EV guidelines the browser could remove the EV-ne

Re: Pre- and Post- controls

2009-01-04 Thread Eddy Nigg
On 01/04/2009 09:27 PM, Daniel Veditz: Eddy Nigg wrote: On 01/04/2009 10:20 AM, Eddy Nigg: On 01/04/2009 04:48 AM, Ian G: On the punishment side, about all we have is "drop the root!" which I earlier described as a blunt weapon. Are we being sensible when we now have to "drop the root" for the

Proposal to split this list (was: Re: Full Disclosure!)

2009-01-04 Thread Paul Hoffman
At 12:11 AM +0100 1/4/09, Jan Schejbal wrote: >>Why is this relevant to this mailing list? > >Because there was a security failure in one of the Firefox trusted CAs >allowing anyone to get fake certificates. This event and the reaction of the >CA are important to determine if the CA is (still) tr

Re: Proposal to split this list

2009-01-04 Thread Eddy Nigg
On 01/04/2009 10:32 PM, Paul Hoffman: The current list is way too unfocused. People asking actual tech questions get drowned out by threads that have literally nothing to do with crypto but everything to do with policy. Thoughts? +1 from me. -- Regards Signer: Eddy Nigg, StartCom Ltd. Ja

Re: CABForum place in the world

2009-01-04 Thread Eddy Nigg
On 01/04/2009 09:32 PM, Nelson B Bolyard: do that, too, and phishers will be quick to imitate it. The main point of "chrome" is that content cannot effectively mimic it. It's unspoofable. (It wasn't, always, but browsers have finally gotten wise to that.) And what about this? https://blog.sta

Re: CABForum place in the world

2009-01-04 Thread Nelson B Bolyard
Eddy Nigg wrote, On 2009-01-04 14:28: > On 01/04/2009 09:32 PM, Nelson B Bolyard: >> do that, too, and phishers will be quick to imitate it. The main point of >> "chrome" is that content cannot effectively mimic it. It's unspoofable. >> (It wasn't, always, but browsers have finally gotten wise to

Re: CABForum place in the world

2009-01-04 Thread Eddy Nigg
On 01/05/2009 12:42 AM, Nelson B Bolyard: Eddy Nigg wrote, On 2009-01-04 14:28: On 01/04/2009 09:32 PM, Nelson B Bolyard: do that, too, and phishers will be quick to imitate it. The main point of "chrome" is that content cannot effectively mimic it. It's unspoofable. (It wasn't, always, but b

Re: Proposal to split this list

2009-01-04 Thread Justin Dolske
On 1/4/09 12:32 PM, Paul Hoffman wrote: I propose that Mozilla form a new mailing list, dev-policy-trustanchors. Yes. I'd also very much like to see this split. I'm interested in the technical side of things, but not so much the policy stuff (and, frankly, the incessant bickering and advocac

Re: SECOM Trust EV root inclusion request

2009-01-04 Thread Eddy Nigg
On 12/30/2008 06:23 PM, István Zsolt BERTA: István, even though I understand your frustration and agree with the basic understanding that requirements should be published accordingly, I also must state there has been at least one issue (notably with your OCSP responder I think) in addition to our

Re: Proposal to split this list

2009-01-04 Thread Nelson B Bolyard
Paul Hoffman wrote, On 2009-01-04 12:32: > I propose that Mozilla form a new mailing list, dev-policy-trustanchors. > The current list is way too unfocused. People asking actual tech > questions get drowned out by threads that have literally nothing to do > with crypto but everything to do with po

Re: Proposal to split this list

2009-01-04 Thread Ian G
On 4/1/09 21:32, Paul Hoffman wrote: I propose that Mozilla form a new mailing list, dev-policy-trustanchors. The topics for that list would include: - All new trust anchors being added to the Mozilla trust anchor pile - Proposals for changes to the Mozilla trust anchor policy - Complaints abo

Re: Proposal to split this list

2009-01-04 Thread Eddy Nigg
On 01/05/2009 01:36 AM, Nelson B Bolyard: 3. I wonder if the non-developer topics are already within the scope of another extant low-traffic list, namely dev-security (a.k.a. mozilla.dev.security), except that I think the new list does not belong in the "dev" hierarchy. A dev.security...yes

Re: Proposal to split this list

2009-01-04 Thread Nelson B Bolyard
Ian G wrote, On 2009-01-04 16:01: > On 4/1/09 21:32, Paul Hoffman wrote: > >> I propose that Mozilla form a new mailing list, >> dev-policy-trustanchors. The topics for that list would include: >> >> - All new trust anchors being added to the Mozilla trust anchor pile >> - Proposals for changes to

Re: Proposal to split this list

2009-01-04 Thread Paul Hoffman
>Ian G wrote, On 2009-01-04 16:01: >> On 4/1/09 21:32, Paul Hoffman wrote: >> >>> I propose that Mozilla form a new mailing list, >>> dev-policy-trustanchors. The topics for that list would include: >>> >>> - All new trust anchors being added to the Mozilla trust anchor pile >>> - Proposals for cha

Re: CABForum place in the world

2009-01-04 Thread Nelson Bolyard
Eddy Nigg wrote, On 2009-01-04 14:48: > On 01/05/2009 12:42 AM, Nelson B Bolyard: >> Eddy Nigg wrote, On 2009-01-04 14:28: >>> On 01/04/2009 09:32 PM, Nelson B Bolyard: do that, too, and phishers will be quick to imitate it. The main point of "chrome" is that content cannot effectively m

Re: CABForum place in the world

2009-01-04 Thread Eddy Nigg
On 01/05/2009 02:49 AM, Nelson Bolyard: And right next to the lock icon is the DNS name that matched the cert. This solves one problem with confusing URLs. I view the padlock and the DNS name in that area completely superfluous. It serves no real purpose and is so 90's really. Browsers rea

Re: Proposal to split this list

2009-01-04 Thread Kyle Hamilton
On Sun, Jan 4, 2009 at 4:45 PM, Paul Hoffman wrote: >>Ian G wrote, On 2009-01-04 16:01: >>There's no mozilla.policy hierarchy. So I'm searching for ideas for a >>good hierarchy for these discussions. Here are some ideas. How about: >> >>mozilla.security.CA >>mozilla.security.UI >>mozilla.securi

Re: PositiveSSL is not valid for browsers

2009-01-04 Thread Eddy Nigg
On 01/04/2009 12:05 AM, Gervase Markham: You want us to make an IV certificate which can be issued to businesses without "verifiable physical existence and business presence"? Yes, that is, many times small businesses and "trading as" are run from home or small offices. Some aren't exactly busi