Of course, adding the affected certs to OneCRL should be done immediately.

WoSign also has to be transparent about all (mis) issued certs in the
past and have to provide this info in the future.
If they can't, I think we may consider if the current certs that are
valid for 3 years should be restricted to a shorter period.


> For the thread's reference, here's the crt.sh link for the misissued GitHub
> certificate:
> https://crt.sh/?id=29647048
> Valid for 3 years, for github.com. It's not in OneCRL, CRLset, or
> Microsoft's disallowedcert.stl.
> On Wed, Aug 24, 2016 at 9:08 AM, Gervase Markham <g...@mozilla.org> wrote:
>> Taking into account all these incidents and the actions of this CA,
>> Mozilla is considering what action to take. Your input is welcomed.

Attachment: signature.asc
Description: OpenPGP digital signature

dev-security-policy mailing list

Reply via email to