If I understand correctly, these 105 certificates were all mis-issued using the incorrect policies of either (0) website control validation with higher port numbers, or (1) parent domain-name verification by demonstrating control of a subdomain.

It is unclear why, given the fact that incorrect validation was done for these certificates, they are not already revoked. I don't understand why you are expecting a report from your respective subscriber to do that, as they have not proven control of the domain names in any case. These certificates must all be revoked immediately.

On Monday, August 29, 2016 at 7:49:33 AM UTC+3, Richard Wang wrote:
>
> For incident 1 - mis-issued certificates with un-validated subdomains, 33
> certificates in total. We have posted them to the CT log server and they are listed in crt.sh; here is
> the URL. Some certificates were revoked after getting a report from the subscriber,
> but some are still valid. If any subscriber thinks one must be revoked and replaced with a
> new one, please contact us in the system, thanks.
>
> For incident 0, the certificates issued using higher port
> validation, 72 certificates in total. To be clear, those certificates were
> validated by the website control validation method using ports other than
> 80 and 443. So we think those certificates do not need to be revoked. The crt.sh
> link is just for your reference.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
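As an added illustration (not part of this thread, and not WoSign's or any CA's actual validation code), the following pre-issuance check encodes the two rules the reply above relies on: a website-control validation only counts if the challenge was fetched over port 80 or 443 (the thread treats those as the only acceptable ports; that set is an assumption here), and demonstrating control of a name authorizes that name and its subdomains but never its parent. Both incident patterns (a validation on port 8080, and a parent name requested on the strength of a subdomain) surface as unauthorized names. The record format, hostnames and challenge URLs are constructed for the example.

```python
"""Pre-issuance authorization check for website-control validation.

Added example; not the mailing-list author's or WoSign's code. Assumptions
(labelled as such): only ports 80 and 443 are acceptable validation ports,
and control of a FQDN authorizes that FQDN and every name below it.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumption: the ports the thread treats as acceptable for website-control validation.
ACCEPTED_PORTS = frozenset({80, 443})


@dataclass(frozen=True)
class ValidationRecord:
    """One website-control validation: the URL the CA fetched the challenge from."""
    url: str


def effective_port(url: str):
    """Port the validation actually used: explicit port, else the scheme default."""
    parts = urlsplit(url)
    try:
        explicit = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return None
    if explicit is not None:
        return explicit
    return {"http": 80, "https": 443}.get(parts.scheme.lower())


def demonstrated_domain(rec: ValidationRecord):
    """Return (fqdn, reason): the name this record proves control of, or (None, why not)."""
    host = urlsplit(rec.url).hostname
    if not host:
        return None, "no host in validation URL"
    port = effective_port(rec.url)
    if port not in ACCEPTED_PORTS:
        # Incident 0 pattern: a challenge served on some other port is not accepted.
        return None, f"validation on port {port} not accepted (allowed: {sorted(ACCEPTED_PORTS)})"
    return host.rstrip(".").lower(), "ok"


def name_covered(name: str, domain: str) -> bool:
    """True if control of `domain` authorizes `name` (itself, a subdomain, or a wildcard below it).

    Coverage only flows downward: control of sub.example.com never covers example.com.
    """
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name == domain or name.endswith("." + domain)


def unauthorized_names(requested, records):
    """Requested SANs that no sound validation record authorizes."""
    demonstrated = []
    for rec in records:
        domain, _reason = demonstrated_domain(rec)
        if domain:
            demonstrated.append(domain)
    return [n for n in requested if not any(name_covered(n, d) for d in demonstrated)]


# Constructed sample input: three validation records and a requested SAN list.
SAMPLE_RECORDS = [
    ValidationRecord("http://www.example.com:8080/.well-known/pki-validation/abc123.txt"),  # port 8080
    ValidationRecord("https://sub.example.net/.well-known/pki-validation/abc123.txt"),      # subdomain only
    ValidationRecord("http://example.org/.well-known/pki-validation/abc123.txt"),           # sound
]
SAMPLE_REQUEST = ["www.example.com", "example.net", "sub.example.net", "www.example.org", "*.example.org"]


def check_sample():
    return unauthorized_names(SAMPLE_REQUEST, SAMPLE_RECORDS)


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.url, "->", demonstrated_domain(rec))
    print("unauthorized:", check_sample())
```

Running the script lists `www.example.com` (validated only on port 8080) and `example.net` (only `sub.example.net` was validated) as unauthorized, while `sub.example.net`, `www.example.org` and `*.example.org` pass. The check goes slightly beyond the thread in accepting wildcard names under a validated parent; the downward-only rule is the part that catches incident 1.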