Symantec's gone and updated [2] and [4] and both of those links are 404ing now. Updated links:
[2] https://www-secure.symantec.com/connect/sites/default/files/Test_Certificates_Incident_Final_Report_10_13_2015v3.pdf
[4] https://www-secure.symantec.com/connect/sites/default/files/TestCertificateIncidentReportUnregisteredv2.pdf

Michael

On 13 October 2015 at 14:46, Kathleen Wilson <[email protected]> wrote:
> In September of this year, the CA Symantec revealed[0] that they had
> mis-issued a number of certificates for domains that they did not own or
> control, for testing purposes. After an “exhaustive review”, they issued a
> Final Report[1] which documented 23 such certificates.
>
> Yesterday, Symantec updated their final report[2] to indicate that the
> problem was more extensive than they had at first believed. They said, in
> part:
>
> “While our current investigation is ongoing, so far we have found 164
> additional instances where test certificates were inappropriately issued.
> All of these test certificates have been revoked. These test certificates
> were spread over 76 domain owners whom we are in the process of contacting.”
>
> In addition, they have identified 3073 test certificates which were issued
> for domains which were (at the time) unregistered, since the practice was
> banned (which happened at different times for EV certs and other certs).
> They have provided two lists[3][4], one of the 164 certs and another of the
> 3073.
>
> They are continuing to search, and will update the Final Report again when
> their investigations are complete.
>
> The 164 certificates will be added to Mozilla’s OneCRL system[5]. (We do not
> think the risk from the 3073 is significant enough to warrant this step.)
>
> This message has been posted to begin a discussion in the Mozilla community
> as to what additional action, if any, Mozilla should take in response to
> these events.
>
> Kathleen, Gerv and Richard
>
> [0]http://www.symantec.com/connect/blogs/tough-day-leaders
> [1]https://www-secure.symantec.com/connect/sites/default/files/Test_Certificates_Incident_Final_Report.pdf
> [2]https://www-secure.symantec.com/connect/sites/default/files/Test_Certificates_Incident_Final_Report_10_12_2015.pdf
> [3]https://www-secure.symantec.com/connect/sites/default/files/TestCertificateIncidentReportOwnedDomains.pdf
> [4]https://www-secure.symantec.com/connect/sites/default/files/TestCertificateIncidentReportUnregistered.pdf
> [5]https://bugzilla.mozilla.org/show_bug.cgi?id=1214321
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

