On Tuesday, September 6, 2016 at 10:10:44 PM UTC-4, Richard Wang wrote:
> ... we can't find the info on which port was used; our CMS system just records 
> that this order was validated by the website control validation method, and does 
> not record the port used at that time.
> 
> Why can we find the other 72 certificates? We tried to search every validation 
> process's evidence in many systems and analyze the related logs to catch the 
> info. I can't guarantee that all high-port validation orders are listed in the 
> report, but as we said in the report, each certificate was properly validated 
> using a high port.
> 
> 
> Best Regards,
> 
> Richard
> 

My trust in this CA has dropped even more. Even if all non-standard port 
validations were otherwise issued correctly, it does not bode well that 
WoSign's system failed to record enough information in its logs. If people are 
manually looking through logs for suspicious certificates, we can never be sure 
that they caught them all, and there may be false positives as well.

If the logs didn't store even the simple port information, what else isn't it 
storing? You say you'll do better in the future, but you have to be able to 
account for current and future bugs. In order to do that, you need accurate and 
verbose logs, or else a future vulnerability may be unable to be contained.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
