> On 14/09/2017 17:05, Inigo Barreira wrote:
> > All,
> >
> > ...
> >>
> >> We should add the existing Certinomis cross-signs to OneCRL to revoke
> >> all the existing certificates. As of 10th August (now a month ago)
> >> StartCom said they have 50000 outstanding SSL certs which are valid
> >> due to the Certinomis cross-sign.
> >
> > I've never said this. In fact, despite having that cross-sign, which was
> > provided to us in July, we have never used it or provided it to any of our
> > customers to build a trusted path. So none of those 50000, or the new ones,
> > go with the Certinomis path, because none have it. But all those 50000 certs
> > are untrusted because we're not in the Mozilla root store, not the new one, and the
> > old one was distrusted.
> >
> > In fact, recently, I asked for permission to use the Certinomis cross-signed
> > certificates and have had no response. I don't know if this is an administrative
> > silence which may allow me to use it, but until having a clear direction we
> > haven't used it.
> >
>
> I can't speak for Mozilla, but the obvious point is that, as soon as the cross
> certificate from Certinomis was published in CT logs or elsewhere, any
> StartCom customer could (and still can) download it and install it on their
> server, thus activating the Certinomis path for their server.
>
AFAIK, Certinomis only disclosed it in the CCADB, and even though we received it, we have not sent it to any customer nor posted it anywhere. I know crt.sh includes it, and when questioned about it Rob answered that crt.sh includes all certs that have been submitted to one or more of the monitored CT logs, and includes all trust paths that can be built. I don't think any StartCom customer has downloaded it from wherever it could be found, installed it and created the trusted path. Our customer base is not very familiar with this stuff. Usually we need to provide all of them with instructions on what to do and how to do it.

> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
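The two claims in this exchange can be checked mechanically: a cross-certificate with the same subject and public key as an existing issuing CA creates a second trust path the moment a server includes it in its chain, and blocking that one cross-certificate (the OneCRL proposal quoted above) removes the path again without touching the leaf certificates. The following Go program is an added illustration written for this page, not code from any participant or CA. It builds a constructed toy hierarchy with placeholder names (a distrusted "old" root, a trusted "other" root, an issuing CA signed by the old root, a cross-sign of that CA by the other root, and one leaf) and runs Go's standard `crypto/x509` chain builder against it. The block-list check is a simplification that models a OneCRL entry as an issuer name plus serial number; the `pki`, `issue`, `trustedPath` and `runScenarios` names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// pki is a constructed toy hierarchy; every name below is a placeholder, not a
// real StartCom or Certinomis certificate.
type pki struct{ newRoot, inter, cross, leaf *x509.Certificate }

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// caTemplate builds a CA template valid for one day around "now".
func caTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// issue signs tmpl with the parent's key and re-parses the DER so the result
// carries the Subject Key Identifier that Go generates for CA certificates.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	c, err := x509.ParseCertificate(der)
	check(err)
	return c
}

func buildPKI() *pki {
	oldRootKey, newRootKey, interKey, leafKey := newKey(), newKey(), newKey(), newKey()
	oldTmpl := caTemplate(1, "Old Root (distrusted, constructed)")
	oldRoot := issue(oldTmpl, oldTmpl, &oldRootKey.PublicKey, oldRootKey)
	newTmpl := caTemplate(2, "Other Root (trusted, constructed)")
	newRoot := issue(newTmpl, newTmpl, &newRootKey.PublicKey, newRootKey)
	// The issuing CA as originally chained: signed by the distrusted root.
	inter := issue(caTemplate(3, "Issuing CA (constructed)"), oldRoot, &interKey.PublicKey, oldRootKey)
	// The cross-sign: same subject and same public key, but signed by the trusted root.
	cross := issue(caTemplate(4, "Issuing CA (constructed)"), newRoot, &interKey.PublicKey, newRootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(5),
		Subject:      pkix.Name{CommonName: "www.example.test"},
		DNSNames:     []string{"www.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := issue(leafTmpl, inter, &leafKey.PublicKey, interKey)
	return &pki{newRoot: newRoot, inter: inter, cross: cross, leaf: leaf}
}

// blockEntry is a simplified model of a OneCRL record: issuer name plus serial.
type blockEntry struct {
	Issuer string
	Serial *big.Int
}

func isBlocked(c *x509.Certificate, blocked []blockEntry) bool {
	for _, b := range blocked {
		if c.Issuer.String() == b.Issuer && c.SerialNumber.Cmp(b.Serial) == 0 {
			return true
		}
	}
	return false
}

// trustedPath reports whether leaf chains to one of roots using the intermediates
// the server offers, after dropping any intermediate that is on the block list.
func trustedPath(leaf *x509.Certificate, roots, offered []*x509.Certificate, blocked []blockEntry) bool {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, c := range offered {
		if !isBlocked(c, blocked) {
			interPool.AddCert(c)
		}
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool, DNSName: "www.example.test"})
	return err == nil
}

type outcome struct{ WithoutCross, WithCross, WithCrossBlocked bool }

// runScenarios trusts only the "other" root and varies what the server sends.
func runScenarios(p *pki) outcome {
	roots := []*x509.Certificate{p.newRoot}
	block := []blockEntry{{p.cross.Issuer.String(), p.cross.SerialNumber}}
	return outcome{
		WithoutCross:     trustedPath(p.leaf, roots, []*x509.Certificate{p.inter}, nil),
		WithCross:        trustedPath(p.leaf, roots, []*x509.Certificate{p.inter, p.cross}, nil),
		WithCrossBlocked: trustedPath(p.leaf, roots, []*x509.Certificate{p.inter, p.cross}, block),
	}
}

func main() {
	fmt.Printf("%+v\n", runScenarios(buildPKI()))
}
```

Only the server's offered chain changes between the three scenarios; the leaf and the trust store are identical. That is the point made above about CT logs: once the cross-certificate is public, anyone operating a server with a certificate from the issuing CA can add it to the chain they serve, and a relying party that only checks trust at chain-building time will accept it until the cross-certificate itself is blocked.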

