On Monday, August 29, 2016 at 5:41:06 PM UTC+9, Gervase Markham wrote:
> On 29/08/16 05:46, Richard Wang wrote:
> > For incident 1 - mis-issued certificates with an un-validated subdomain,
> > total 33 certificates. We have posted them to the CT log server and they are listed in
> > crt.sh; here is the URL. Some certificates were revoked after getting a
> > report from the subscriber, but some are still valid. If any subscriber thinks
> > one must be revoked and replaced with a new one, please contact us in the
> > system, thanks.
>
> Er, no. If these certificates were issued with unvalidated parent
> domains (e.g. with github.com when the person validated foo.github.com)
> then they need to all be revoked. You should actively contact your
> customers and issue them new certificates containing only validated
> information, and then revoke these ones.
>
> Gerv
Not only that, I see *two* certs issued for GitHub subdomains plus the parent domain:

https://crt.sh/?id=29647048
https://crt.sh/?id=29805567

Why wasn't this additional cert identified and disclosed prior to the aforementioned list being posted? It seems a no-brainer to manually audit the list for obvious cases of mis-issuance (i.e. not only was the domain not validated, but the customer clearly has no ability to validate it if asked).

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
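The audit the reply calls for can be mechanised: for each certificate, compare its SAN dNSNames against the names the subscriber actually validated, treating a validated parent as covering its subdomains but a validated subdomain as never covering its parent. This is an added example, not code from the thread or from any CA; the batch of certificates and validated-name sets below is constructed to mirror the foo.github.com / github.com case.

```python
# Added example: flag SAN entries that fall outside the subscriber's
# validated names. Assumption (stated, not from the thread): validating
# "example.com" authorises "example.com" and anything under it, while
# validating "foo.github.com" authorises only foo.github.com and its
# own subdomains, never the parent "github.com".


def is_authorized(san: str, validated: set[str]) -> bool:
    """Return True if `san` equals a validated name or lies under one."""
    san = san.lower().rstrip(".")
    for v in validated:
        v = v.lower().rstrip(".")
        # The "." prefix stops "evilgithub.com" matching "github.com".
        if san == v or san.endswith("." + v):
            return True
    return False


def audit_certificate(sans, validated):
    """Return the SAN entries of one certificate not covered by validation."""
    return [s for s in sans if not is_authorized(s, validated)]


def audit_batch(certs):
    """certs: iterable of (cert_id, sans, validated_names).

    Returns {cert_id: [unauthorised SANs]} for certificates needing revocation.
    """
    findings = {}
    for cert_id, sans, validated in certs:
        bad = audit_certificate(sans, validated)
        if bad:
            findings[cert_id] = bad
    return findings


# Constructed sample batch (not real crt.sh data): cert-A reproduces the
# incident pattern, the subscriber validated a subdomain but the parent
# domain was included; cert-B and cert-C are correctly scoped.
SAMPLE_BATCH = [
    ("cert-A", ["foo.github.com", "github.com"], {"foo.github.com"}),
    ("cert-B", ["www.example.net", "example.net"], {"example.net"}),
    ("cert-C", ["api.example.org", "*.example.org"], {"example.org"}),
]

if __name__ == "__main__":
    for cert_id, bad in audit_batch(SAMPLE_BATCH).items():
        print(f"{cert_id}: revoke, unauthorised SAN(s): {', '.join(bad)}")
```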

