On Thu, 30 Jun 2016 15:54:02 -0400 Jonathan Rudenberg <jonat...@titanous.com> wrote:
> > > On Jun 30, 2016, at 15:44, Christiaan Ottow <cot...@computest.nl> > > wrote: > > > > The certificates we had issuedto us as proof of concept (only for > > our own domains), were not revoked and we don't see them in the CT > > logs. However, we informed StartCom that we had only issued > > certificates for domains under our control, so I can imagine no red > > flags were raised by their helpdesk. > > The lack of CT logging is interesting, as StartCom claims that all > certificates they issue are being logged to at least three CT > servers: https://www.startssl.com/NewsDetails?date=20160323 > > Do you mind uploading the certificate files that were obtained > somewhere and linking us to them? It would be best not to release the full certificates quite yet, since doing so would make it impossible to determine who logged them if they later show up in CT logs. Providing a hash of the certificate and the contents of the SCT extension, if any, would be OK. Regards, Andrew _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy