On 26/09/16 18:10, Andrew Ayer wrote:
> This contradicts the "Issue D" section at
> https://wiki.mozilla.org/CA:WoSign_Issues which says that this
> issue was not a BR violation.

You are quite right, thank you - fixed :-)

> The two *.zlbaba.com certificates (https://crt.sh/?id=30773543 and
> https://crt.sh/?id=31103218) do not appear to be matching to me:
> their public keys and serial numbers are different.

The serial numbers of all the pairs are different (which is good; issuing two certs with the same serial number is an RFC violation, see Issues H and P). I've not done an analysis of whether the public keys match for some of the pairs; feel free to do one if you like. If you think two different public keys casts doubt on the idea that these two certs were issued at the same time, feel free to think that.

However, the document does not stand or fall on whether or not these are co-issued pairs or not; that is merely a conjecture to try and establish how long the misissuance happened for, as we have no other reliable dates.

Gerv
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

