On Mon, 12 Aug 2019, Nuno Ponte via dev-security-policy wrote:

Recently, we (Multicert) had to rollout a general certificate replacement due 
to the serial number entropy issue. Some of the most troubled cases to replace 
the certificates were customers doing certificate pinning on mobile apps. 
Changing the certificate in these cases required configuration changes in the 
code base, rebuild app, QA testing, submission to App stores, call for 
expedited review of each App store, wait for review to be completed and only 
then the new app version is made available for installation by end users (which 
is turn are required to update the app the soonest).

Meeting the 5-days deadline with this sort of process is “challenging”, at best.

The OS and/or App should look at Certificate Transparency, instead of
hacks that hardcode the certificate serial number.

dev-security-policy mailing list

Reply via email to