On 29/08/16 05:46, Richard Wang wrote:
> For incident 1 - mis-issued certificate with un-validated subdomain,
> total 33 certificates. We have posted to CT log server and listed in
> crt.sh, here is the URL. Some certificates are revoked after getting
> report from subscriber, but some still valid, if any subscriber think
> it must be revoked and replaced new one, please contact us in the
> system, thanks. 

Er, no. If these certificates were issued with unvalidated parent
domains (e.g. with github.com when the person validation foo.github.com)
then they need to all be revoked. You should actively contact your
customers and issue them new certificates containing only validated
information, and then revoke these ones.

dev-security-policy mailing list

Reply via email to