The timestamp on a SCT is fully controlled by the signer, so why should SCTs bearing a timestamp before May 2 still be considered trusted?

Alex

On Sun, May 3, 2020 at 6:19 PM Jeremy Rowley via dev-security-policy <[email protected]> wrote:

> Hey all,
>
> The key used to sign SCTs for the CT2 log was compromised yesterday at 7pm
> through the Salt root bug. The remaining logs remain uncompromised and run
> on separate infrastructure. We discovered the compromise today and are
> working to turn that log into read only mode so that no new SCTs are
> issued. We doubt the key was used to sign anything as you'd need to know
> the CT build to do so. However, as a precaution, we ask that you consider
> all SCTs invalid if the SCT was issued from CT2 after 7pm MST on May 2nd.
> Please let me know what questions you have.
>
> Jeremy
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

