We´re revoking all those unrevoked certs to avoid any more problems. Regarding the pre-certs, yes, I was aware of the discussion. As Gerv says there´s a binding statement of "intent" ... the problem with these is that we generated the pre-certs and logged in the CT log, where crt.sh looks or monitor, but those weren´t finally issued, so there are not such certs. In any case, as said, we´re revoking all of those listed and will update the bugzilla accordingly
Best regards Iñigo Barreira CEO StartCom CA Limited -----Original Message----- From: Patrick Figel [mailto:patrick@figel.email] Sent: jueves, 3 de agosto de 2017 13:07 To: Inigo Barreira <in...@startcomca.com>; Franck Leroy <fr.le...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: StartCom cross-signs disclosed by Certinomis On 03/08/2017 10:47, Inigo Barreira via dev-security-policy wrote> 1. The un-revoked test certificates are those pre-sign ones with uncompleted > ctlog. So they are not completed certificates. > https://crt.sh/?opt=cablint&id=134843670 > https://crt.sh/?opt=cablint&id=134843674 > https://crt.sh/?opt=cablint&id=134843685 > https://crt.sh/?opt=cablint&id=139640371 My understanding of Mozilla's policy is that misissued precerts are considered misissuance nonetheless[1]. [1]: https://groups.google.com/d/msg/mozilla.dev.security.policy/6pBLHJBFNts/kM3k EJKMAgAJ
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy