On Thu, Jul 27, 2017 at 11:14 PM, Gervase Markham via
dev-security-policy wrote:
> Google have made a final decision on the various dates they plan to
> implement as part of the consensus plan in the Symantec matter. The
> message from blink-dev is included
For reference, I’ve added crt.sh links for the replacement certificates below.
> On Jul 29, 2017, at 09:08, kaddachi olfa via dev-security-policy
> wrote:
>
> https://crt.sh/?id=15126121 is an expired certificate (notBefore March 2016;
> notAfter March
> On Jul 29, 2017, at 09:08, kaddachi olfa via dev-security-policy
> wrote:
>
> ==> The CA proceeded to notify the end entity of the certificate
> https://crt.sh/?id=21813439. The certificate is revoked on 28/07/2017. No new
> certificate is issued by
https://crt.sh/?id=21813439 is a certificate issued by this CA which has a
domain name in the common name but only an email address in the SAN. (The
certificate has TLS server/client usage EKUs.)
==> The CA proceeded to notify the end entity of the certificate
https://crt.sh/?id=21813439. The
Other contributors have, I think, summed up the pros and cons of the two ways
forward on the specific date very effectively.
So I will expend my effort instead on pressing for Mozilla to handle final
distrust of the old Symantec CA roots in its usual fashion and explicitly _not_
do as Symantec
5 matches
Mail list logo