We are in discussions with Intesa Sanpaolo about implementing/pursuing
OneCRL or a similar approach (e.g. outright revocation of the CAs).

-----Original Message-----
From: dev-security-policy On Behalf Of Nick Lamb via dev-security-policy
Sent: Sunday, July 23, 2017 2:35 PM
Subject: Re: Certificate with invalid dnsName issued from Baltimore

On Sunday, 23 July 2017 20:12:18 UTC+1, Charles Reiss wrote:
> This CA also issued a recent certificate for the unqualified dNSName 
> 'webinterfacestrong':

Another name that it shouldn't be possible to issue for, but this time one
which can actually exist in local networks and therefore is put at risk by
the existence of such bogus certificates.

From the view on it appears that this CA does not
automatically log all the certificates it issues which Mozilla will end up
trusting. It may have issued certificates we haven't seen yet.

DigiCert / Ben is that statement correct?

If we cannot today see the "whole iceberg" of certificates issued by this
subCA, and we know it can and does issue problematic certificates, I think
it's a good candidate for distrust in OneCRL.
dev-security-policy mailing list