Hey all, The key used to sign SCTs for the CT2 log was compromised yesterday at 7pm through the Salt root bug. The remaining logs remain uncompromised and run on separate infrastructure. We discovered the compromise today and are working to turn that log into read only mode so that no new SCTs are issued. We doubt the key was used to sign anything as you'd need to know the CT build to do so. However, as a precaution, we ask that you consider all SCTs invalid if the SCT was issued from CT2 after 7pm MST on May 2nd . Please let me know what questions you have.
Jeremy _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
