If I understand correctly, these 105 certificates are all mis-issued using the 
incorrect policies of either (0) website control validation with higher port 
numbers, or (1) parent domain-name verification by demonstrating control of a 

It is unclear why, given the fact that incorrect validation was done for these 
certificates, they are not already revoked. I don't understand why you are 
expecting a report from your respective subscriber to do that, as they have not 
proven control of the domain names in any case.

These certificates must all be revoked immediately.

On Monday, August 29, 2016 at 7:49:33 AM UTC+3, Richard Wang wrote:
> For incident 1 - mis-issued certificate with un-validated subdomain, total 33 
> certificates. We have posted to CT log server and listed in crt.sh, here is 
> the URL. Some certificates are revoked after getting report from subscriber, 
> but some still valid, if any subscriber think it must be revoked and replaced 
> new one, please contact us in the system, thanks.   
> For incident 0, the certificate issued related using higher level port 
> validated, total 72 certificates. To be clear, those certificates are 
> validated by website control validation method that using other port except 
> 80 and 443. So we think those certificate no need to be revoked. The crt.sh 
> link just for your reference.

dev-security-policy mailing list

Reply via email to