On 29/08/16 05:46, Richard Wang wrote:
> For incident 1 - mis-issued certificate with un-validated subdomain,
> total 33 certificates. We have posted to CT log server and listed in
> crt.sh, here is the URL. Some certificates are revoked after getting
> report from subscriber, but some are still valid; if any subscriber thinks
> it must be revoked and replaced with a new one, please contact us in the
> system, thanks.

Er, no. If these certificates were issued with unvalidated parent domains (e.g. with github.com when the person validated foo.github.com) then they need to all be revoked. You should actively contact your customers and issue them new certificates containing only validated information, and then revoke these ones.

Gerv
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

