On Friday, May 17, 2019 at 10:11:55 PM UTC+1, Doug Beattie wrote:
> All customers were migrated from this API
> but the API was not disabled.
> One of our custom on-premise applications was
> misconfigured to use this old API.
> 

This text in your mail seems to imply that customers were migrated away and 
that the remaining application was an internal application that was part of 
your estate. This is contradicted by the details in your bug report that states 
the application, while provided by yourselves, was used by a 3rd party and 
allowed them to issue certificates with unvalidated common names.

1. If it was possible for the customer to issue certificates with no technical 
control on the CN then what guarantees do you have that other certificates 
issued by this API were correctly validated? For example, have you revalidated 
all such certificates?

2. What failures in process allowed an API that issues unvalidated certificates 
to be left in a usable state? How will these be addressed?

3. Do you have other deprecated but still usable APIs that allow issuance?
(this is partly addressed by your comments in the ticket).

Rich
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
