> 2018-11-12, 09:01 UTC CA became aware via https://crt.sh/ of a syntax error > in one tls certificate issued on 2018-06-02. The PrintableString of OBJECT > IDENTIFIER serialNumber (2 5 4 5) contains an invalid character. For more > details see https://crt.sh/?id=514472818 > 2018-11-12, 10:30 UTC Customer was contacted the first time. Customer runs an > international critical trade platform for emissions. Immediate revocation of > the certificate would cause irreparable harm to the public. > 2018-11-22, 16:08 UTC The certificate with the serial number 3c 7c fb bf ea > 35 a8 96 c6 79 c6 5c 82 ec 40 13 was revoked by customer.
Going forward, if the platform is that important, have you advised the customer to have a second certificate from a different CA (with a different key) ready for emergencies? Being too big to fail seems like a really lame excuse for not planning ahead. Additionally, if the platform's operation is critical, it would seem to be a good idea to apply an even stricter standard of security than mandated by the BR than to laxen it (revocation in more than 10 days instead of less than 24 hours). E.g., it seems also like a bad idea, though permitted by BR, to issue certificates with a lifetime of around 2 years to such a service, while MUCH shorter lifetimes would seem more appropriate. If, on the contrary, your are arguing that availability is more important than security, operating the service over unencrypted HTTP would be wise. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy