Nick and Mozilla Community,

Here is the response from Intesa Sanpaolo concerning the disruption that
revocation will cause to their banking operations:

Good Evening Ben,

       About the problem with the certificate you recently notified us, I
confirm you that we have replaced the certificates today, so we have now
revoked the wrong one.

Concerning the CA revocation, first of all, I want to underline that for us
it would be a major issue: we don't have enough time and resources to
replace all the certificates before the end of the year and the revocation
of the CA will cause us several critical operating problems with our
infrastructural services.

Moreover, I would like to inform you that in order to rationalize our
infrastructure and create new synergy between our suppliers, we've planned
to move our certificates to an Italian CA outsourcer. We have already
started this activity and our intent is to complete the migration before the
end of the year, to respect the contract we have settled, with deadline
December, 31st 2017.

Therefore I have to kindly recommend you not to revoke the CA, before the
end of the contract, because it will cause several problems to the Bank and
to our users (customers and colleagues).

We are available to set up a call conference with you to discuss the matter.
Looking forward to hear from you.

Best regards,
Riccardo D'Agostini

-----Original Message-----
From: dev-security-policy
[] On
Behalf Of Ben Wilson via dev-security-policy
Sent: Thursday, August 3, 2017 7:33 AM
To: Nick Lamb <>;
Subject: RE: Certificate with invalid dnsName issued from Baltimore

That would be fine.  Also, we have given Intesa Sanpaolo a scheduled
revocation date of 15 August 2017, and I'm waiting to hear back.

-----Original Message-----
From: dev-security-policy
[] On
Behalf Of Nick Lamb via dev-security-policy
Sent: Wednesday, August 2, 2017 10:34 AM
Subject: Re: Certificate with invalid dnsName issued from Baltimore

On Monday, 24 July 2017 17:34:03 UTC+1, Ben Wilson  wrote:
> Nick,
> We are in discussions with Intesa Sanpaolo about implementing/pursuing 
> OneCRL or a similar approach (e.g. outright revocation of the CAs).
> Thanks,
> Ben

Is there any progress on this? To be honest I was more meaning that Mozilla
(Gerv?) should just add this subCA to OneCRL and be done with it.

dev-security-policy mailing list

Attachment: smime.p7s
Description: S/MIME cryptographic signature

dev-security-policy mailing list

Reply via email to