On Monday, August 29, 2016 at 5:41:06 PM UTC+9, Gervase Markham wrote:
> On 29/08/16 05:46, Richard Wang wrote:
> > For incident 1 - mis-issued certificate with un-validated subdomain,
> > total 33 certificates. We have posted to the CT log server and listed in
> > crt.sh, here is the URL. Some certificates are revoked after getting
> > reports from subscribers, but some are still valid; if any subscriber thinks
> > it must be revoked and replaced with a new one, please contact us in the
> > system, thanks. 
> 
> Er, no. If these certificates were issued with unvalidated parent
> domains (e.g. with github.com when the person validated foo.github.com)
> then they need to all be revoked. You should actively contact your
> customers and issue them new certificates containing only validated
> information, and then revoke these ones.
> 
> Gerv

Not only that, I see *two* certs issued for GitHub subdomains plus the parent 
domain:

https://crt.sh/?id=29647048
https://crt.sh/?id=29805567

Why wasn't this additional cert identified and disclosed prior to the 
aforementioned list being posted? It seems a no-brainer to manually audit the 
list for obvious cases of mis-issuance (i.e. not only was the domain not 
validated, but the customer clearly has no ability to validate it if asked).
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
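The audit the post asks for can be mechanised. The following is an added example (not code from the thread, from the CA or from crt.sh): given each certificate's Subject Alternative Names, it works out which names actually need their own validation record (validating a domain covers its subdomains, so only the entries not covered by another entry in the same certificate matter) and flags the obvious cases, where such a name is one the subscriber clearly could not have validated (github.com next to foo.github.com). The certificate identifiers, SAN lists and the watchlist of well-known domains are constructed for illustration and are not the real contents of the certificates discussed above.

```python
#!/usr/bin/env python3
"""Added triage example (not from the thread or any CA): for each certificate's
SAN list, compute the names that must each have their own validation record
and flag those that hit a watchlist of domains an ordinary subscriber cannot
validate."""

from typing import Dict, List, Set

# Constructed sample input.  Identifiers are placeholders and the SAN lists
# are NOT the real contents of the certificates discussed in the thread.
SAMPLE_SANS: Dict[str, List[str]] = {
    "cert-A": ["foo.github.com", "GitHub.com.", "www.foo.github.com"],
    "cert-B": ["shop.example.net", "www.shop.example.net"],
    "cert-C": ["*.example.org", "example.org"],
    "cert-D": ["bar.github.com"],
}

# Constructed watchlist (assumption: a real audit would use a far larger one).
# A validation root on this list is an immediate red flag, because no ordinary
# subscriber can demonstrate control of it.
WATCHLIST: Set[str] = {"github.com", "google.com"}


def normalize(name: str) -> str:
    """Canonical form: lower-case, no trailing dot, wildcard label removed.
    A wildcard *.example.org is validated at example.org, so for the purpose
    of deciding what needed validation it is treated as that name."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def is_ancestor(candidate: str, name: str) -> bool:
    """True if candidate is a strict, label-aligned ancestor of name
    (github.com is an ancestor of foo.github.com, hub.com is not)."""
    return name != candidate and name.endswith("." + candidate)


def validation_roots(sans: List[str]) -> Set[str]:
    """Names in the SAN list not covered by another entry in the same list.
    Validating a domain covers its subdomains, so these are exactly the
    names for which the CA must be able to produce a validation record."""
    names = {normalize(s) for s in sans}
    return {n for n in names if not any(is_ancestor(o, n) for o in names)}


def audit(cert_sans: Dict[str, List[str]], watchlist: Set[str]) -> Dict[str, Set[str]]:
    """Map certificate id -> validation roots that hit the watchlist.
    Only certificates with at least one hit are returned."""
    wanted = {normalize(w) for w in watchlist}
    flagged: Dict[str, Set[str]] = {}
    for cert_id, sans in cert_sans.items():
        hits = validation_roots(sans) & wanted
        if hits:
            flagged[cert_id] = hits
    return flagged


if __name__ == "__main__":
    for cert_id, sans in SAMPLE_SANS.items():
        print(cert_id, "validation roots:", sorted(validation_roots(sans)))
    print("obvious mis-issuance:", audit(SAMPLE_SANS, WATCHLIST))
```

Note what the check does and does not catch: cert-D, which carries only bar.github.com, is not flagged, because a subscriber can legitimately validate a subdomain; cert-A is flagged because the parent github.com is present and nothing in the certificate could have covered it except a validation of github.com itself. The `validation_roots` output for every certificate, not just the flagged ones, is the list a CA would have to reconcile against its validation records to find the non-obvious cases.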