On 15/09/17 11:01, Inigo Barreira wrote:
> Considering that we were distrusted, that we didn't reapply for
> inclusion, that CT is only required by Chrome and it's not included
> in the Mozilla policy (even though we were requested that all of our certs
> had to be CT logged) nor required by Firefox, that those certs were
> under our control all the time and lived for some minutes because
> they were revoked immediately, at that time, when we did it, we didn't
> expect this reaction for sure.
But surely CT testing is not the only sort of testing you've been doing? E.g. you made some test certificates with different types of ECC curve, some of which you then had to revoke as being against browser policies. If these had been in a testing hierarchy there would have been no problem.

CAs have been heavily criticised over the past few years for issuing test certificates in public hierarchies (see e.g. Symantec). The danger of doing so should be well known to all CAs by now.

Perhaps once a test has been passed and checked in a testing system, and if the certificates concerned do not violate any policies, it could be repeated on a production system to deal with any possible differences between the two. But starting with the production system is not a good idea.

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

