On 14/09/2017 17:05, Inigo Barreira wrote:
All,

...

We should add the existing Certinomis cross-signs to OneCRL to revoke all the
existing certificates. As of 10th August (now a month ago) StartCom said they
have 50000 outstanding SSL certs which are valid due to the Certinomis cross-sign.

I've never said this. In fact, despite having that cross-sign, which was
provided to us in July, we have never used it or provided it to any of our
customers to build a trusted path. So none of those 50000, or the new ones, go
with the Certinomis path because none have it. But all those 50000 certs are
untrusted because we're not in the Mozilla root: not the new one, and the old
one was distrusted.
In fact, recently I asked for permission to use the Certinomis cross-signed
certificates and have had no response. I don't know if this is an administrative
silence which may allow me to use it, but until we have a clear direction we
haven't used it.



I can't speak for Mozilla, but the obvious point is that as soon as
the cross certificate from Certinomis was published in CT logs or
elsewhere, any StartCom customer could (and still can) download it and
install it on their server, thus activating the Certinomis path for
their server.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
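The two points in this thread (a server operator can activate a second chain simply by serving the cross-signed intermediate, and OneCRL entries identify a certificate by issuer name plus serial number) are illustrated by the following toy path builder. This is an added example written for this page, not code from the thread or from any of the CAs or Mozilla; the certificate names, key ids and serial numbers are constructed, and signature verification is replaced by matching key ids so it runs offline.

```python
"""Toy X.509 path building with a OneCRL-style (issuer, serial) blocklist.

Added example, not from the thread. Certificates are modelled as records;
a signature is stood in for by 'signer_key_id', so no real crypto is needed.
All names, key ids and serials below are constructed/hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    key_id: str         # public key certified by this certificate
    signer_key_id: str  # key that signed it (stands in for signature verification)


# Constructed hierarchy: one intermediate key, two certificates for it.
STARTCOM_ROOT = Cert("StartCom Root", "StartCom Root", 1,
                     "K_startcom_root", "K_startcom_root")
CERTINOMIS_ROOT = Cert("Certinomis Root CA", "Certinomis Root CA", 1,
                       "K_certinomis_root", "K_certinomis_root")
# The intermediate as issued under StartCom's own (later distrusted) root ...
STARTCOM_INT = Cert("StartCom Class 1 CA", "StartCom Root", 1001,
                    "K_startcom_int", "K_startcom_root")
# ... and the cross-signed certificate for the same key, issued by Certinomis.
CROSS_SIGN = Cert("StartCom Class 1 CA", "Certinomis Root CA", 2002,
                  "K_startcom_int", "K_certinomis_root")
# A hypothetical end-entity certificate issued by the intermediate key.
LEAF = Cert("www.example.test", "StartCom Class 1 CA", 3003,
            "K_leaf", "K_startcom_int")

# Intermediates the path builder can see (e.g. those a server sends or AIA fetches).
POOL = [STARTCOM_INT, CROSS_SIGN]

# OneCRL-style entry for the cross-sign: identified by issuer name + serial.
ONECRL_BLOCK_CROSS_SIGN = frozenset({("Certinomis Root CA", 2002)})


def build_paths(leaf, pool, trusted_roots, blocklist=frozenset()):
    """Return every chain leaf -> ... -> trusted root that avoids blocklisted certs.

    A path is only accepted if the last non-root certificate is signed by a
    trusted root key whose subject matches the certificate's issuer name.
    """
    root_by_key = {r.key_id: r for r in trusted_roots}
    paths = []

    def walk(chain):
        current = chain[-1]
        if (current.issuer, current.serial) in blocklist:
            return  # revoked via the blocklist: prune this branch
        root = root_by_key.get(current.signer_key_id)
        if root is not None and root.subject == current.issuer:
            paths.append(chain + [root])
            return
        for cand in pool:
            if (cand.subject == current.issuer
                    and cand.key_id == current.signer_key_id
                    and cand not in chain):
                walk(chain + [cand])

    walk([leaf])
    return paths


def trusted_path_count(trusted_roots, blocklist=frozenset()):
    """Number of distinct trusted chains for LEAF under a given trust store."""
    return len(build_paths(LEAF, POOL, trusted_roots, blocklist))


if __name__ == "__main__":
    print("both roots trusted:", trusted_path_count([STARTCOM_ROOT, CERTINOMIS_ROOT]))
    print("StartCom root distrusted:", trusted_path_count([CERTINOMIS_ROOT]))
    print("... plus cross-sign on blocklist:",
          trusted_path_count([CERTINOMIS_ROOT], ONECRL_BLOCK_CROSS_SIGN))
```

With both roots trusted the leaf has two chains; distrusting the StartCom root leaves exactly one, through the cross-sign, which is why the leaf stays valid as long as a server can supply that intermediate. Blocklisting the cross-sign by (issuer, serial) removes the last path, which is the effect of a OneCRL entry rather than of a root removal.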
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy