Of course, adding the affected certs to OneCRL should be done immediately. WoSign also has to be transparent about all (mis)issued certs in the past and has to provide this info in the future. If they can't, I think we may consider if the current certs that are valid for 3 years should be restricted to a shorter period.
Regards,
Jonas

> For the thread's reference, here's the crt.sh link for the misissued GitHub
> certificate:
>
> https://crt.sh/?id=29647048
>
> Valid for 3 years, for github.com. It's not in OneCRL, CRLset, or
> Microsoft's disallowedcert.stl.
>
> On Wed, Aug 24, 2016 at 9:08 AM, Gervase Markham <g...@mozilla.org> wrote:
>
>> Taking into account all these incidents and the actions of this CA,
>> Mozilla is considering what action to take. Your input is welcomed.
_______________________________________________
dev-security-policy mailing list
email@example.com
https://lists.mozilla.org/listinfo/dev-security-policy