On Wed, August 31, 2016 10:09 pm, Richard Wang wrote:
> Thanks for your so detail instruction.
> Yes, we are improved. The two case is happened in 2015 and the mis-issued
> certificate period is only 5 months that we fixed 3 big bugs during the 5
> months.
> For CT, we will improve the posting system.

I had a little trouble parsing this, but let's make sure we're on the same page. I've continued Gerv's original numbering:

Incident -2: 16 January 2015 - 5 March 2015 - 1,132 BR-violating SHA-1 certificates ( https://cert.webtrust.org/SealFile?seal=2019&file=pdf )

Incident -1: April 4, 2015 - WoSign is informed it's routinely violating its CPS for issued certificates ( https://www.wosign.com/policy/wosign-policy-1-2-10.pdf )

Incident X: April 9 - April 14, 2015 - 392 duplicate serial numbers

Incident 0: April 23, 2015 - 72 potentially dangerous port-validated certificates

Incident 1: June, 2015 - 33 unvalidated base-domain from sub-domain certificates

Incident 2: July, 2016 - At least 1 backdated SHA-1 certificate (was this the only one? I wasn't clear from https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/gksYkOTLCwAJ )

Just making sure we're in agreement about the facts and timelines surrounding these, so that it's easier than debating 2 or 3 or 5 or more.