> > Those tests were done to check the CT behaviour, there was any other
> > testing of the new systems, just for the CT. Those certs were under control
> > all the time and lived for some minutes because they were revoked
> > immediately after checking the certs were logged correctly in the CTs.
> > It's not a mis-issuance by means of we didn't know what happened, we had
> > to investigate, etc. It was not a good practice and I can't excuse for
> > that, but it was not related to the regular issuance procedure as someone
> > suggested. We provided a report in which we indicated all that happened
> > and what we did to not happen this again, updating the EJBCA roles
> > permissions.
>
> 1) Why didn't StartCom build a test hierarchy?

Considering that we were distrusted, that we didn't reapply for inclusion, that CT is only required by Chrome and it's not included in the Mozilla policy (even though we were requested that all of our certs had to be CT logged) nor required by Firefox, that those certs were under our control all the time and lived for some minutes because they were revoked immediately, at that time, when we did it, we didn't expect this reaction for sure. Of course if we had known it we wouldn't have done it and for sure would have built a test hierarchy, but there's nothing we can do now. Only wanted to state that those certs were under our control all the time, and lived for some minutes because they were revoked after the test. There was not any other testing of any other nature directly in the production system.

> 2) Why didn't StartCom use the TestTube CT log for testing CT?

We tried to check and test the same behaviour before going live with the CT logging, so followed the requirements to use 3 logs, one Google and one non-Google, for the EVs and this is what we did. We used the same settings we had before the distrust, using the StartCom log and the Google ones (pilot and rocketeer).
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

