(Forgot to post it to m.d.s.p.) You're right that we all failed to conduct the proper due-diligence source code checks on EJBCA and therefore missed this important issue. We all need to learn from this past mistake and implement better checks which prevent issues like this that might arise in the future.
Thank you,
Burton

On Thu, Mar 14, 2019 at 10:57 PM Ryan Sleevi <[email protected]> wrote:
>
> On Thu, Mar 14, 2019 at 6:54 PM James Burton via dev-security-policy <[email protected]> wrote:
>
>> Let's Encrypt CA software 'Boulder' is open source for everyone to browse and check for issues. All other CAs should follow the Let's Encrypt lead and open source their own CA software for everyone to browse and check for issues. We might have found the serial number issue sooner.
>
> Considering EJBCA is open-source, this does not seem that it would logically follow.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy