On Mon, 12 Aug 2019, Nuno Ponte via dev-security-policy wrote:
Recently, we (Multicert) had to roll out a general certificate replacement due to the serial number entropy issue. Some of the most troubled cases to replace the certificates were customers doing certificate pinning on mobile apps. Changing the certificate in these cases required configuration changes in the code base, rebuild app, QA testing, submission to App stores, call for expedited review of each App store, wait for review to be completed and only then the new app version is made available for installation by end users (which in turn are required to update the app the soonest). Meeting the 5-day deadline with this sort of process is “challenging”, at best.
The OS and/or App should look at Certificate Transparency, instead of hacks that hardcode the certificate serial number.

Paul
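As an added illustration of why a serial-number pin breaks on reissue while a SubjectPublicKeyInfo (SPKI) pin does not, here is a small Go program (example code written for this page, not from either poster or from Multicert). It constructs two self-signed test certificates for the same key with different serial numbers, which is what a CA reissue against a reused CSR looks like; the `example.test` name and the serial values are constructed test data, and the SPKI pin only survives if the app's key is kept across the reissue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns the base64 SHA-256 of the certificate's SubjectPublicKeyInfo,
// the pin format used by Android's Network Security Config and OkHttp.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// issue creates a self-signed leaf certificate for key with the given serial.
// Constructed test data standing in for a CA-issued certificate.
func issue(key *ecdsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// pinsSurviveReissue reports whether a serial-number pin and an SPKI pin
// taken from oldCert still accept newCert.
func pinsSurviveReissue(oldCert, newCert *x509.Certificate) (serialOK, spkiOK bool) {
	serialOK = oldCert.SerialNumber.Cmp(newCert.SerialNumber) == 0
	spkiOK = spkiPin(oldCert) == spkiPin(newCert)
	return serialOK, spkiOK
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	old, _ := issue(key, 1)
	renewed, _ := issue(key, 2) // same key, new serial: a reissue with the CSR reused
	s, p := pinsSurviveReissue(old, renewed)
	fmt.Printf("serial pin still valid: %v, SPKI pin still valid: %v\n", s, p)
}
```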

