On Mon, May 18, 2020, 19:46 Ryan Sleevi wrote:
> On Mon, May 18, 2020 at 7:55 PM Kyle Hamilton via dev-security-policy
> wrote:
>
> > Regardless of that potential con, though, there is one very important
> thing
> > which Proof of Possession is good for, regardless
That is my reading of the situation, that they're not doing an actual
certification of an enrollment without verifying the actual key-identity
binding.
In addition, I'm wondering if the concept of "third-party attestation" (of
identity) is even a thing anymore, given that most CAs issue certificat
CABForum's current Basic Requirements, section 3.2.1, is titled "Method to
prove possession of private key".
It is currently blank.
A potential attack without Proof of Possession which PKIX glosses over
could involve someone believing that a signature on a document combined
with the non-possessio
it a case of "rumor
mill reported as fact"?
-Kyle H
On 2017-10-31 06:21, Kyle Hamilton wrote:
http://www.eweek.com/security/francisco-partners-acquires-comodo-s-certificate-authority-business
___
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
The WoSign affair shows that there exist serious deficiencies and
vulnerabilities in the Web PKI (and PKI in general).
1. Certificates are clearly not acceptable revocation vectors.
WoSign is known to be cross-signed by several independent CAs (as well as 1
CA which is no longer deemed to be inde
On 9/12/2016 20:20, Jakob Bohm wrote:
> On 13/09/2016 03:03, Kyle Hamilton wrote:
>> I would prefer not to see a securelogin-.arubanetworks.com
>> name, because such makes it look like Aruba Networks is operating the
>> captive portal. If (for whatever
s,
>> Steven Medin
>> PKI Policy Manager, Symantec Corporation
>>
>> -Original Message-
>> From: Jeremy Rowley [mailto:[email protected]]
>> Sent: Tuesday, September 06, 2016 7:06 PM
>> To: Steve Medin
>> Cc: Gervase Markham ; Kyle Hamilt
I do have to ask this, though: WoSign has at least one EV issuer. I do
not know if there is an issuer with EV permissions in NSS, but WoSign
does have an EV code signing issuer in the Microsoft root program. Has
this issuer been checked to ensure that it could not have misissued
certificates? (
On 9/4/2016 02:04, Eddy Nigg wrote:
> On 09/02/2016 07:02 PM, Nick Lamb wrote:
>> On Friday, 2 September 2016 08:50:02 UTC+1, Eddy Nigg wrote:
>>> Let's speak about relying parties - how does this bug affect you?
>> As a relying party I am entitled to assume that there is no more than
>> one cert
On 9/6/2016 04:59, Ben Laurie wrote:
> On 1 September 2016 at 11:29, Peter Gutmann wrote:
>> Rob Stradling writes:
>>
I guess it makes them easy to revoke, if a single revocation can kill 313
certs at once.
>>> That's true.
>> Hey, WoSign has solved the CRL scalability problem!
>>
>>>
As far as I know, GeoTrust is not at fault here. They just signed this
(domain validated) certificate, and I don't know if they've been
notified of it before. That said, I don't have GeoTrust's contact info,
and I'm presuming that someone here does.
Information here comes from
http://blog.sec-co
Robin (and everyone),
I'm not so sure it's over the top. The fact is, CAs essentially try to
do this by issuing through particular certification paths, but expect
everyone to have already taken the time to reach out and individually
engage with their CAs and read their policies and figure out how
I have come to the conclusion that I cannot rely on commercial
certification authorities with whom I do not have an outstanding
contract.
This means that the security layer of Mozilla is useless to me.
To make it useful to me, there are several things that Mozilla must
administratively do. Since