Hi,

In their report and the audit statement they talk about 392 duplicate serial numbers, with links to the crt.sh page for those serial numbers. But they in fact actually point to 393, the first group has 314 and not 313 duplicates in it. This was already the case before they published their new report.

The last one in the group of 314 has the oldest SCT from September the 7th. But the whole group was from 4 days during 2015 which we were told were all sent to the CT logs a week before that. This is the one that was added later:
https://crt.sh/?id=31258021

What is also not very clear from their report is that the duplicates in the 314 group seem to have been from 2 different issues. It seems there are also some that belong to issue F:
https://crt.sh/?id=8573890
https://crt.sh/?id=30333598
https://crt.sh/?id=30333161
https://crt.sh/?id=7158549
https://crt.sh/?id=30333305
https://crt.sh/?id=30333303
https://crt.sh/?id=7190187
https://crt.sh/?id=30333436
https://crt.sh/?id=30333165
https://crt.sh/?id=30333160

There might be some more, I'm not sure what I should use as the time limit for issue F, the report at least has an example of 204 seconds.

Looking at other cases for duplicate serial numbers, I also find those not mentioned in the report:

2 for the same CA, but different URIs in it:
https://crt.sh/?serial=44807b207cf2052e8d3411770266d295&iCAID=1450

2 for the same CA with order fields different, and different URIs:
https://crt.sh/?serial=3adec402270bf4ee9e892cc65e0ada21&iCAID=1450

Kurt