136
edits
Changes
→Issue F.3: Inadequate Controls on Production Testing: Add another O=Entreprise TEST" cert
A very similar problem had originally been [https://bugzilla.mozilla.org/show_bug.cgi?id=1496088 brought to Certinomis’ attention] back on 3-October, 2018. That problem had also been [https://bugzilla.mozilla.org/show_bug.cgi?id=1496088#c2 blamed on human error]. A total of 7 certificates were revoked in that incident, including one with a SAN of “www.pourtest.com”. On 31-November, 2018, Certinomis reported that they would complete a remediation action item by the end of the year, to “implement domain validation in this workflow”, referring to the process used to issue certificates for testing. As of 9-April we do not have confirmation that this functionality has been implemented, although it was [https://bugzilla.mozilla.org/show_bug.cgi?id=1496088#c18 reported] to be “running on pre-production platform” in February.
On 17-April, 2019, [https://crt.sh/?sha256=97C78F92745645FE7ABC5A531C27F4C29D54F193563FB2035C01A0BE74CA3BBA another certificate] was [https://bugzilla.mozilla.org/show_bug.cgi?id=1496088#c20 discovered]. This one contains "O=Entreprise TEST" and was issued in January, after [https://bugzilla.mozilla.org/show_bug.cgi?id=1496088#c11 Certinomis stated] that such issuance had been stopped.
==== Issue F.4: Validity > 825 Days ====
