On Sat, Sep 03, 2016 at 11:45:21AM +0200, Kurt Roeckx wrote: > On Sat, Sep 03, 2016 at 09:29:45AM +0100, Gervase Markham wrote: > > On 02/09/16 16:21, Peter Bowen wrote: > > > It seems then there is a newly exposed bug. > > > https://www.censys.io/certificates/e2665bb07940b5bee73145f47c99dcf5781edbe9d78f9cada8f1d702d5e340ad > > > shows a certificate issued by your CA that has a notBefore in March > > > 2015. It does not appear in the CT log. However another certificate > > > with identical serial number and subject, but different Validity, does > > > appear in the log. > > > > https://crt.sh/?id=30326062 appears in the log; I assume that's the cert > > you mean. > > > > > Are you aware of a bug where you were issuing certificates identical > > > except for validity period? > > > > Well, the _period_ is the same; the start and end dates are offset by an > > identical amount ;-) > > That offset being 37 seconds. > > I've submitted it to Google's aviator log.
So the two are: https://crt.sh/?id=30326062 https://crt.sh/?id=30736090 Kurt _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
