On Wednesday, March 2, 2016 at 7:07:23 AM UTC-8, Rob Stradling wrote:
> On 02/03/16 14:56, Rob Stradling wrote:
> <snip>
> > I've also added an "excludeCAs" parameter, which takes a comma-separated
> > list of crt.sh CA IDs.
> >
> > To exclude SHA-1 certs issued by Symantec and Comodo from previously
> > trusted roots, try this:
> > https://crt.sh/?cablint=211&dir=^&sort=1&minNotBefore=2016-01-01&excludeCAs=7198,11000&group=none
>
> I couldn't help but notice this SHA-1 precertificate issued by Symantec
> a couple of days ago:
> https://crt.sh/?id=13407116&opt=cablint
>
> Dean, Rick, could you comment on this?
>
> It doesn't seem to be related to the limited SHA-1 exception you
> obtained for WorldPay. Any idea why the "Remediation:" [1] steps you
> took in January didn't prevent the issuance of this precertificate?
>
> Thanks.
>
> [1] https://cabforum.org/pipermail/public/2016-January/006519.html
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online

Rob,

This was a pre-certificate. Our systems do not allow issuance of SHA-1 certificates and no certificate was issued. The pre-certificate was logged but then rejected. We are still investigating.

Thanks.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy