On Tuesday, March 13, 2018 at 4:27:23 PM UTC-6, Matthew Hardeman wrote:
> I thought I recalled a recent case in which a new root/key was declined
> with the sole unresolved (and unresolvable, save for new key generation,
> etc.) matter precluding the inclusion being a prior mis-issuance of test
> certificates, already revoked and disclosed.  Perhaps I am mistaken.

I haven't seen this directly addressed.  I'm not sure what incident you are
referring to, but I'm fairly sure that the mis-issuance that needed new keys was for
certificates that were issued for domains that weren't properly validated.

In the case under discussion in this thread, all the mis-issued certificates 
are only mis-issued due to encoding issues. The certificates are for 
sub-domains of randomly generated subdomains of aws.radiantlock.org (which, 
according to whois, is controlled by Let's Encrypt). I presume these domains 
are created specifically for testing certificate issuance in the production 
environment in a way that complies with the BRs.

To put it succinctly, the issue you are referring to is about issuing 
certificates for domains that aren't authorized (whether for testing or not), 
rather than creating test certificates.

-- Tom Prince
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
