On Monday, 4 March 2019, 12:37:43 (UTC+1), arnold...@t-systems.com wrote:
> The incident report can be found here,
> https://bugzilla.mozilla.org/show_bug.cgi?id=1530718

Hello, related to this... Is there a policy about test certificates and CT logs?

Sometimes it's required to do "negative tests" to check our systems, and it can lead to a misissuance if a control fails. This typically would happen for a test certificate that is issued for a domain owned by the CA and revoked immediately after the test.

It's clear that the first thing is to test with a dev environment, but sometimes it's required to do final validation tests in production, and, let's agree, "sh*t happens".

Now all these tests go public in the CT logs and are treated as any other misissuance, and I don't know if some good practice for these test certificates and potential "controlled and inoffensive" misissuances was discussed here in the past. Maybe a CA could disclose some "sandbox domain", on which we can do tests without raising excessive concerns.

Thanks!

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy