Hi Connie,

On 06/09/17 20:38, [email protected] wrote:
> SwissSign has identified the following incident:
> two Certificates signed with SHA1: Violation BR 7.3.1

Thank you for this report. There have been a couple of reasonable
follow-up questions here in the m.d.s.p. group; could you please answer
them?

> 6)
> The additional functionality introduced in January 2017 had a weak point.
> This vulnerability was only found because of the detailed error analysis
> performed by finding the certificate that was misissued.
> The misissued certificates were detected by the improved quality control. No
> further measures are currently planned.

Have automated tests been put in place to make sure the operation of
reissuing a SHA-1 certificate always fails, even after further updates
to the software?

Gerv

