On Sun, Sep 04, 2016 at 10:05:11AM +0100, Gijs Kruitbosch wrote:
> So if I understand correctly, you've published all certificates issued in
> 2015 to CT, and any cert with a notBefore of/after July 5th 2016. Is that
> correct?
> As noted in 
> https://groups.google.com/d/msg/mozilla.dev.security.policy/Q3zjv95VhXI/p40n2Zv6DAAJ
> , this thread has turned up https://crt.sh/?id=29884704 which was mississued
> and had a notBefore of June 23, 2016.
> In addition to that, there was discussion about backdated SHA1 certs ( 
> https://groups.google.com/d/msg/mozilla.dev.security.policy/KNuiSDVl7qc/z8rPfqX7DAAJ
> , https://bugzilla.mozilla.org/show_bug.cgi?id=1293366 ) that were issued in
> 2016 but backdated to 2015.
> When explicitly asked if you were publishing all the certs with a notBefore
> after 20150101000000Z in 
> https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/FNYETUsnDQAJ
> you responded with:
> On 02/09/2016 16:11, Richard Wang wrote:
> > Yes, we posted all 2015 issued SSL from WoSign trusted root.
> It has already been established that you issued certificates in 2016 that
> were backdated to 2015, and so we have no reason to even assume that when
> you say "all 2015 issued SSL [certs]", that this will include any other such
> hypothetical backdated certs. It has also been established that certs were
> mississued in 2016 outside of the July 5th and later period. So it seems
> that it would be in your own interest to be as transparent as possible for
> the 2016 certs as well, and to simply log any and every cert with a
> notBefore after 20150101000000Z.

>From the document they send, they plan to submit all those from
2016 too, but it will take some time.


dev-security-policy mailing list

Reply via email to