Hi, I have a couple of follow-up questions if I may:

On Tue, 12 Dec 2017 02:09:47 -0800 (PST)
"cornelia.enke--- via dev-security-policy" <[email protected]> wrote:

> The subject information in the affected certificates was not
> validated correctly due to the misconfiguration. 10 certificates were
> issued based on this misconfiguration between 2017/12/06 12.10 p.m.
> UTC and 2017/12/08 3.40 p.m. UTC.

Can you say more about what validation if any was still in place? Would
it have been possible, with this misconfiguration, for your CA to issue
certificates without any of the validation steps required by the BRs?

Also, from the rest of the description it sounds as though the
misconfigured system was only used by an existing customer of SwissSign,
named Secardeo GmbH, is that correct? So in a similar situation a
hypothetical third party attacker would NOT be able to obtain
certificates without validation, only the (un)happy incident customer?

> The implemented controls detected the misconfiguration within 24
> hours. The incorrect configuration was nevertheless recorded as a
> security incident. The handling of the security incident by the
> information security management team is still underway. Further
> measures will be decided within this process.

I suspect I speak for others on m.d.s.policy when I ask that you let us
know of any such measures that are decided. This sort of incident could
happen to many CAs; there's no need for everybody to learn the hard way.

