On Tuesday, March 13, 2018 at 4:27:23 PM UTC-6, Matthew Hardeman wrote:
> I thought I recalled a recent case in which a new root/key was declined
> with the sole unresolved (and unresolvable, save for new key generation,
> etc.) matter precluding the inclusion being a prior mis-issuance of test
> certificates, already revoked and disclosed. Perhaps I am mistaken.

I haven't seen this directly addressed. I'm not sure what incident you are referring to, but I'm fairly sure that the mis-issuance that needed new keys was for certificates that were issued for domains that weren't properly validated.

In the case under discussion in this thread, all the mis-issued certificates are only mis-issued due to encoding issues. The certificates are for sub-domains of randomly generated subdomains of aws.radiantlock.org (which, according to whois, is controlled by Let's Encrypt). I presume these domains are created specifically for testing certificate issuance in the production environment in a way that complies with the BRs.

To put it succinctly, the issue you are referring to is about issuing certificates for domains that aren't authorized (whether for testing or not), rather than creating test certificates.

-- Tom Prince