+mdsp

> On Aug 15, 2017, at 16:45, Adriano Santoni <adriano.sant...@staff.aruba.it> wrote:
>
> Hi, we did receive your message about 1 certificate issued by us and containing some invalid domain names. Those are internal server names and their inclusion in SSL certificates was still permitted at the time when that certificate was issued.
> We should have revoked that certificate however, by now, so we are investigating why it's still active. In the meantime we have contacted our customer and are explaining the need to revoke that certificate.
> Thank you for letting us know of this issue.
>
> Regards
> Adriano Santoni
> Actalis
>
> Sent from my Samsung device
>
> -------- Original message --------
> From: Jonathan Rudenberg via dev-security-policy <dev-security-policy@lists.mozilla.org>
> Date: 15/08/2017 21:59 (GMT+01:00)
> To: r...@sleevi.com
> Cc: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>, Kathleen Wilson <kwil...@mozilla.com>
> Subject: Re: Bugzilla Bugs re CA issuance of non-compliant certs
>
> > On Aug 15, 2017, at 15:45, Ryan Sleevi via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> >
> > I would note that any CA which does not or has not promptly revoked these within 24 hours of contact should, at a minimum, contact all root programs that they participate in to acknowledge this non-compliance and discuss what expectations other, non-Mozilla Root Programs have with respect to these certificates. Similarly, if such programs have requirements around "Security Incident Reporting," that CAs are timely in such reports.
>
> It’s worth noting that with the exception of the metadata-only subject fields issue, Alex and I have attempted to contact every CA listed directly via their public certificate problem reporting channels. In addition to this, the Mozilla Root Store policy requires all CAs to monitor this mailing list. So there are only two categories for a CA that has not taken action yet:
>
> 1) They are not monitoring either this list or their problem reporting channels (or in some cases, those channels are inoperative) and as a result are not aware of the issues; or
> 2) They are aware of the issues and have not taken action.
>
> I believe that both of these categories are extremely concerning.
>
> Jonathan
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy