> On 15/09/17 11:01, Inigo Barreira wrote: > > Considering that we were distrusted, that we didn´t reapply for > > inclussion, that CT is only required by Chrome and it´s not included > > in the Mozilla policy (even we were requested that all of our certs > > had to be CT logged) nor required by Firefox, that those certs were > > under our control all the time and lived for some minutes because were > > revoked inmediately, at that time, when we did it, we didn´t expect > > this reaction for sure. > > But surely CT testing is not the only sort of testing you've been doing?
Yes, this is the only test we did it in production > E.g. you made some test certificates with different types of ECC curve, which > you then had to revoke some of as against browser policies. No, those weren´t tests. We allowed the use of curves permitted by the BRs but this issue came up in the mozilla policy (I think Arkadiusz posted) and I also asked about it in the last CABF F2F (I asked Ryan about it) and then, with that outcome and as the browsers didn´t accept them, we revoked and then not allow the issuance. I think the discussion is still active (i.e. the use of P-521). > If these had been in a testing hierarchy there would have been no problem. > > CAs have been heavily criticised over the past few years for issuing test > certificates in public hierarchies (see e.g. Symantec). The danger of doing so > should be well known to all CAs by now. Yes, I know. But the only testing we did in production was the one related to the CT. > > Perhaps once a test has been passed and checked in a testing system, and if > the certificates concerned do not violate any policies, it could be repeated > on > a production system to deal with any possible differences between the two. > But starting with the production system is not a good idea. True, but it seems you´re understanding that we have only a production system in which we test everything and this is not the case. Before moving anything into production, we have tested in development and in the QA system. > > Gerv
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy