On Friday, 2 September 2016 08:50:02 UTC+1, Eddy Nigg  wrote:
> Let's speak about relying parties - how does this bug affect you?

As a relying party I am entitled to assume that there is no more than one 
certificate signed by a particular issuer with a certain serial number. If I 
have seen this certificate and verified by whatever means I choose that it's 
OK, then I can safely assume that any time I see a certificate in the future 
signed by that issuer with that same serial number it's the same one, and skip 
the verification process.

Except, with StartCom apparently this very basic rule is broken, and in fact at 
any time I may be presented with a certificate I haven't previously verified, 
but which has the exact same serial number as an earlier one.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
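The relying-party shortcut the post describes, keying a verification cache on (issuer, serial) rather than on the certificate itself, as an added example that is not from the original thread. The certificate records, issuer names and DER bytes below are constructed placeholders, not real certificates; the example shows how the serial-keyed cache accepts an unverified twin while a fingerprint-keyed cache does not, and how a monitor can detect the reuse.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal parsed-certificate record (constructed, not real DER)."""
    issuer: str
    serial: int
    der: bytes

    def fingerprint(self) -> str:
        # SHA-256 over the encoded certificate identifies this exact cert.
        return hashlib.sha256(self.der).hexdigest()


class RelyingPartyCache:
    """Remembers certificates already verified out-of-band.

    key_by_fingerprint=False reproduces the (issuer, serial) assumption from
    the post; True keys on the hash of the certificate bytes instead.
    """

    def __init__(self, key_by_fingerprint: bool):
        self.key_by_fingerprint = key_by_fingerprint
        self._verified = set()

    def _key(self, cert: Cert):
        if self.key_by_fingerprint:
            return cert.fingerprint()
        return (cert.issuer, cert.serial)

    def mark_verified(self, cert: Cert) -> None:
        self._verified.add(self._key(cert))

    def is_trusted(self, cert: Cert) -> bool:
        return self._key(cert) in self._verified


def find_serial_reuse(certs):
    """Map (issuer, serial) -> set of fingerprints for pairs seen with
    more than one distinct certificate, i.e. the condition the post warns about."""
    seen = {}
    for c in certs:
        seen.setdefault((c.issuer, c.serial), set()).add(c.fingerprint())
    return {k: v for k, v in seen.items() if len(v) > 1}


# Constructed sample: two different certificates sharing issuer and serial.
VERIFIED = Cert("CN=Example Issuer CA", 0x1234, b"constructed-cert-A")
TWIN = Cert("CN=Example Issuer CA", 0x1234, b"constructed-cert-B")
OTHER = Cert("CN=Example Issuer CA", 0x5678, b"constructed-cert-C")
```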
