On Wednesday, 6 September 2017 22:38:35 UTC+2, Nick Lamb wrote:
> Thanks for writing this incident report.
>
> The latter of the two certificates was issued after popular web browsers had
> ceased accepting SHA-1 as far as I understand it. As a result it seems likely
> that it would not have functioned as expected if a customer deployed it on a
> Web server. You mention that you reached out to the affected customer, did
> they indicate that they'd noticed any problem with their certificate? Do you
> have any reason to think that in practice it was not used? (e.g. customer
> ordered & received a SHA-256 cert for the same name shortly afterwards).

In fact the customers did not use these certificates.

Best Regards
Conny

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

