On 2016-09-27 11:31, Gervase Markham wrote:
> Hi Kurt,
>
> On 26/09/16 23:45, Kurt Roeckx wrote:
>> In their report and the audit statement they talk about 392
>> duplicate serial numbers, with links to the crt.sh page for those
>> serial numbers.
>>
>> But they in fact actually point to 393, the first group has 314
>> and not 313 duplicates in it. This was already the case before
>> they published their new report.
>>
>> The last one in the group of 314 has the oldest SCT from September
>> the 7th. But the whole group was from 4 days during 2015 which we
>> were told were all sent to the CT logs a week before that. This is
>> the one that was added later: https://crt.sh/?id=31258021
>
> We don't know who sends certs to the log. It could be that WoSign sent
> this one in late, or it could be that someone else discovered it on the
> web somewhere. This might speak to WoSign not having complete track of
> all their certs, but without more evidence it's risky to speculate.

I think someone on this list pointed to that cert on the censys.io site and that I actually submitted it to CT, but only to Aviator. This should be in the archive somewhere.


Kurt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy