On Sun, Sep 04, 2016 at 10:05:11AM +0100, Gijs Kruitbosch wrote:
> So if I understand correctly, you've published all certificates issued in
> 2015 to CT, and any cert with a notBefore of/after July 5th 2016. Is that
> correct?
>
> As noted in
> https://groups.google.com/d/msg/mozilla.dev.security.policy/Q3zjv95VhXI/p40n2Zv6DAAJ
> , this thread has turned up https://crt.sh/?id=29884704 which was misissued
> and had a notBefore of June 23, 2016.
>
> In addition to that, there was discussion about backdated SHA1 certs (
> https://groups.google.com/d/msg/mozilla.dev.security.policy/KNuiSDVl7qc/z8rPfqX7DAAJ
> , https://bugzilla.mozilla.org/show_bug.cgi?id=1293366 ) that were issued in
> 2016 but backdated to 2015.
>
> When explicitly asked if you were publishing all the certs with a notBefore
> after 20150101000000Z in
> https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/FNYETUsnDQAJ
> you responded with:
>
> On 02/09/2016 16:11, Richard Wang wrote:
> > Yes, we posted all 2015 issued SSL from WoSign trusted root.
>
> It has already been established that you issued certificates in 2016 that
> were backdated to 2015, and so we have no reason to even assume that when
> you say "all 2015 issued SSL [certs]", that this will include any other such
> hypothetical backdated certs. It has also been established that certs were
> misissued in 2016 outside of the July 5th and later period. So it seems
> that it would be in your own interest to be as transparent as possible for
> the 2016 certs as well, and to simply log any and every cert with a
> notBefore after 20150101000000Z.

From the document they sent, they plan to submit all those from 2016 too,
but it will take some time.

Kurt