Hi,

I just saw this on Twitter:
https://twitter.com/sam280/status/1133008218677022722
And later in the thread:
https://twitter.com/sam280/status/1133112699385257985

The first tweet points out that Certinomis seems to use wrong OIDs in their certs (quote "Of course the first invalid #PSD2 #QWAC had to come from Certinomis... guys, the entire PSD2 roles OID arc is not meant to be included in the list of certificate policies"). I don't know what PSD2 and QWAC mean, I'll leave it to others to interpret how big of an issue this is.

The second tweet points to a cert issued for an unregistered domain:
https://crt.sh/?id=1514142478
That obviously seems like a big deal. (Cert issued 2 days ago, so I believe it's unlikely that this domain existed at the point this cert was generated.)

I understand the removal of Certinomis from NSS is already decided, but maybe these incidents justify some acceleration.

--
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy