Nick,

We are in discussions with Intesa Sanpaolo about implementing/pursuing OneCRL or a similar approach (e.g. outright revocation of the CAs).

Thanks,
Ben
-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+ben=digicert....@lists.mozilla.org] On Behalf Of Nick Lamb via dev-security-policy
Sent: Sunday, July 23, 2017 2:35 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Certificate with invalid dnsName issued from Baltimore intermediate

On Sunday, 23 July 2017 20:12:18 UTC+1, Charles Reiss wrote:
> This CA also issued a recent certificate for the unqualified dNSName
> 'webinterfacestrong': https://crt.sh/?id=177606495

Another name that it shouldn't be possible to issue for, but this time one which can actually exist in local networks and therefore is put at risk by the existence of such bogus certificates.

From the view on https://crt.sh/ it appears that this CA does not automatically log all the certificates it issues which Mozilla will end up trusting. It may have issued certificates we haven't seen yet. DigiCert / Ben, is that statement correct?

If we cannot today see the "whole iceberg" of certificates issued by this subCA, and we know it can and does issue problematic certificates, I think it's a good candidate for distrust in OneCRL.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
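The unqualified name discussed in this thread is the kind of defect a pre-issuance lint, or a sweep over CT log entries, should flag automatically. Below is an added example of such a check; it is not code from the thread, from DigiCert, or from Mozilla. The function names and the sample SAN list are my own construction; the 'webinterfacestrong' entry mirrors the name quoted above, the others are made up to exercise each rule. The rules are the host-name constraints a public CA must enforce on dNSName SANs: at least two labels (a single-label name is an internal name that cannot be validated on the public DNS), letters/digits/hyphen labels of 1 to 63 characters, 253 characters total, no trailing dot, no IPv4 literal, and a wildcard only as the whole leftmost label.

```python
import re

# A single DNS label in LDH (letters, digits, hyphen) syntax, 1-63 chars,
# not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

UNQUALIFIED = "unqualified single-label name (only resolvable on a local network)"


def check_dns_name(name):
    """Return a list of problems with a dNSName SAN value; empty means OK."""
    problems = []
    if not name:
        return ["empty name"]
    if name != name.strip():
        problems.append("leading/trailing whitespace")
    n = name.strip().lower()
    if n.endswith("."):
        problems.append("trailing dot")
        n = n[:-1]
    if len(n) > 253:
        problems.append("longer than 253 characters")
    if IPV4_RE.match(n):
        # An address belongs in an iPAddress SAN, not a dNSName.
        problems.append("IPv4 address literal in dNSName")
        return problems
    labels = n.split(".")
    if len(labels) < 2:
        problems.append(UNQUALIFIED)
    for i, label in enumerate(labels):
        if label == "*":
            if i != 0:
                problems.append("wildcard not in leftmost label")
            continue
        if "*" in label:
            problems.append("partial wildcard in label %r" % label)
            continue
        if not LABEL_RE.match(label):
            problems.append("label %r is not LDH syntax" % label)
    return problems


def scan_san_names(names):
    """Map each problematic SAN value to its list of problems."""
    report = {}
    for name in names:
        problems = check_dns_name(name)
        if problems:
            report[name] = problems
    return report


# Constructed sample: one name taken from the thread, the rest invented
# to exercise the individual rules.
SAMPLE_SANS = [
    "www.example.com",
    "*.example.com",
    "webinterfacestrong",      # the unqualified name quoted in the thread
    "www.*.example.com",       # wildcard in the wrong position
    "bad_host.example.com",    # underscore is not LDH
    "192.168.0.1",             # IP literal smuggled into a dNSName
    "mail.example.com.",       # trailing dot
]

if __name__ == "__main__":
    for name, problems in scan_san_names(SAMPLE_SANS).items():
        print(name)
        for p in problems:
            print("  -", p)
```

The same function can be pointed at the dNSName values of a whole batch of certificates pulled from a CT log; anything with a non-empty problem list is a candidate for revocation, and a CA whose pre-issuance pipeline never produces one is the bar this thread is asking for.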