See below inline, thanks.

Best Regards,
Richard

-----Original Message-----
From: dev-security-policy [mailto:[email protected]] On Behalf Of Ryan Sleevi
Sent: Friday, August 26, 2016 3:10 AM
To: [email protected]
Subject: Re: Incidents involving the CA WoSign

On Thursday, August 25, 2016 at 12:14:10 AM UTC-7, Richard Wang wrote:
> We can post all 2015 issued SSL certificate to CT log server if necessary.

Is there any reason not to do that proactively?

R: OK, we will post all 2015-issued SSL certificates to a CT log server, but this will take time since we issued 115K SSL certificates in 2015. Now we are posting (1) the orders validated using a higher-level port, related to incident 0, 72 certificates in total. To be clear, those certificates were validated by the website control validation method using a port other than 80 and 443; (2) the mis-issued certificates with un-validated subdomains, related to incident 1, 33 certificates in total. I will list all crt.sh URLs in this mail thread. Some certificates were revoked after getting a report from the subscriber, but some are still valid; if any subscriber thinks one must be revoked and replaced with a new one, please contact us in the system, thanks.

> For BR auditor, I think this issue is too technical that fewer auditor can
> find out this problem.

The audit letter included an attestation from Management that, during the time of the audit, management believed that the CA complied with the Baseline Requirements. Management was aware of non-compliance, by virtue of revocation and system and procedural changes to align with compliance. Thus, do you believe it was faithful and accurate for Management to warrant that the CA was operated in compliance with the BRs, given that Management was aware of incidents of non-compliance?

R: This is my fault; I thought it was not serious enough to state in the assertion letter. Now I know, and every related employee knows how to do this in the future.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

