> On Feb 27, 2018, at 16:35, Jonathan Rudenberg via dev-security-policy
> <[email protected]> wrote:
>
>> On Feb 27, 2018, at 16:17, Wayne Thayer via dev-security-policy
>> <[email protected]> wrote:
>>
>> This request has been in public discussion for more than 6 months, so I
>> would like to make a decision soon. If you have comments or concerns with
>> this request, please post them here by 6-March 2018.
>
> Given the misissued certificates in CT under the existing root, I believe
> this request should be rejected, and a new clean root with audits should be
> required before moving forward.
>
> The errors in the issued certificates indicate a lack of technical controls
> in addition to improperly implemented certificate profiles. Given this, an
> explanation should also be provided of what changes have been made to the
> issuance environment to ensure these types of mistakes will not happen under
> the new root.

I just took a closer look at the thread, and it appears that some misissuance was pointed out in July and most of the controls that were suggested as a solution relied on humans. These controls appear to have predictably failed, as multiple misissued certificates are from this fall, well after the fixes should have been in place.

