Daymion,

You linked to a thread in m.d.s.p and cited it as confirming a specific 
interpretation of 7.1 - as that's a long thread (with some possibly 
questionable information), could you possibly share what criteria you used to 
determine what certificates were impacted by this issue and which ones were 
not? Seeing a reduction from >1.8M to 12k is a substantial difference, and thus 
is bound to make participants curious.

I think that would be very helpful to ensure that everyone is on the same page 
about what is and isn't compliant with 7.1.

Thanks

On Tuesday, March 12, 2019 at 12:28:11 PM UTC-4, Daymion Reynolds wrote:
> As of 9pm AZ on 3/6/2019 GoDaddy started researching the 64bit certificate 
> Serial Number issue. Due to a m.d.s.p.[1] discussion validating an 
> interpretation of BR 7.1 our revised count is approximately 12,152 live 
> certificates not meeting the 64bit serial number requirement.  Additionally, 
> we have identified 273,784 “orphaned” certificates meeting the initial 
> interpretation of BR 7.1. Orphaned certificates are certs, which were stopped 
> mid-issuance due to a variety of reasons like requestor cancellation, system 
> errors etc. These certs are most often pre-certificates, but some are 
> leaf-certificates, which were logged to CT, but never received by the 
> certificate requestor. 
> ...
> [1] 
> https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/7WuWS_20758

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
