On Sat, Sep 9, 2017 at 8:14 PM, josh--- via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:
> Thank you for bringing this oversight to our attention. The certificate in
> question has been revoked.
>
> The original incident report from July 16 was accidentally considered
> closed on the basis of a fix for our infrastructure without actually
> revoking the certificate that led to the report.
>
> Reading the recorded conversation, it seems we got overly focused on a fix
> for our infrastructure and lost sight of the fact that the certificate
> itself needed to be revoked. I imagine our guard was let down a bit by the
> fact that the cert was issued specifically to test us; it wasn't a weak key
> "in the wild."
>
> Let’s Encrypt has checked for some forms of weak keys since we launched,
> and we added additional checks that would have caught this on July 20,
> 2017. We were already in the process of developing and deploying the
> additional checks before we received the original report from Hanno.
>
> On Saturday, September 9, 2017 at 2:22:07 PM UTC-5, Hanno Böck wrote: