Thanks for writing this incident report.
The latter of the two certificates was issued after popular web browsers had ceased accepting SHA-1, as far as I understand it. As a result it seems likely that it would not have functioned as expected if a customer deployed it on a Web server. You mention that you reached out to the affected customer; did they indicate that they'd noticed any problem with their certificate? Do you have any reason to think that in practice it was not used? (e.g. the customer ordered & received a SHA-256 cert for the same name shortly afterwards).

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

