People are using CAA. Cool!

On Mon, Dec 7, 2015 at 11:25 PM, <[email protected]> wrote:
> ISRG CPS Section 4.2.1: "The CA checks for relevant CAA records prior to
> issuing certificates. The CA acts in accordance with CAA records if
> present."
>
> At 9:45am U.S. Pacific time on December 7th, 2015, it was reported to us
> that our Certificate Authority Authorization (CAA) record checks were not
> working properly [1]. We determined that the report was accurate.
>
> At 1:11pm U.S. Pacific time on the same day a fix was deployed to
> production. The fix has been verified to be correct.
>
> The cause of the problem was determined to be a bug in our "boulder" CA
> software.
>
> An analysis of logs and our certificate database determined that six
> certificates were improperly issued to domains restricted by CAA. These
> certificates have been revoked.
>
> https://crt.sh/?id=11015552
> https://crt.sh/?id=11129526
> https://crt.sh/?id=11129525
> https://crt.sh/?id=11145944
> https://crt.sh/?id=11146361
> https://crt.sh/?id=11147768
>
> We work hard to make sure that we're issuing in compliance with all
> relevant policies. We will be reviewing our policies and procedures to
> determine how we might best reduce the risk of such a mistake happening
> again.
>
> [1] https://github.com/letsencrypt/boulder/issues/1231
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

