On Friday, February 24, 2017 at 11:25:22 PM UTC, Gervase Markham wrote:
> On 24/02/17 08:25, Andrew Ayer wrote:
> > Below is an unrevoked SHA-1 serverAuth certificate for
> > getset.trustis.com issued from this CA with a Not Before date of
> > 2016-11-07.
>
> Blake: you wrote: "As part of the incident handling procedure, Trustis’
> security management committee, commissioned a full investigation into
> the circumstances surrounding this incident."
>
> It seems this investigation was not full enough to discover the
> existence of a second SHA-1 certificate issued 20 minutes after the
> first one for a very similar domain, presumably by the same operator and
> using the same processes?
>
> Gerv

Hi Gerv,

We have engaged with our external auditors in relation to this and the previous certificate that was reported. Once that activity has concluded we will be providing further information.

Kind regards,
Blake