Yes, we plan to revoke all after getting confirmation from subscriber. We are doing this.
Regards, Richard > On 29 Aug 2016, at 16:38, Gervase Markham <g...@mozilla.org> wrote: > >> On 29/08/16 05:46, Richard Wang wrote: >> For incident 1 - mis-issued certificate with un-validated subdomain, >> total 33 certificates. We have posted to CT log server and listed in >> crt.sh, here is the URL. Some certificates are revoked after getting >> report from subscriber, but some still valid, if any subscriber think >> it must be revoked and replaced new one, please contact us in the >> system, thanks. > > Er, no. If these certificates were issued with unvalidated parent > domains (e.g. with github.com when the person validation foo.github.com) > then they need to all be revoked. You should actively contact your > customers and issue them new certificates containing only validated > information, and then revoke these ones. > > Gerv
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list email@example.com https://lists.mozilla.org/listinfo/dev-security-policy