On 15/10/15 00:04, Rick Andrews wrote:
> On Tuesday, October 13, 2015 at 5:16:10 PM UTC-7, Charles Reiss wrote:
> > <snip>
> > This list of test certs for owned domains contains an entry for
> > a cert with serial number 0xc222a issued by RapidSSL CA, valid from 05/18/2013
> > 22:27:16 GMT to 06/20/2015 13:57:13 GMT (last entry of the owned domains PDF).
> > This appears to be this certificate https://crt.sh/?id=1990400 which has:
> > <snip>
>
> Thanks for your post.
>
> Symantec does not own the icns.com.au domain, but we had authorization by the
> domain owner to use the domain for testing. This icns.com.au test certificate
> was properly authenticated, and was installed and used externally by the domain
> owner.
>
> We included this certificate on our list of certificates associated with
> domains that we do not own, which is accurate. However, because we had
> authorization from the domain owner to issue the certificate, this certificate
> did not need to be on this list but was included for completeness.
Hi Rick.
Doesn't "installed and used externally" conflict with the following
statement from your report [1] (emphasis mine)?
"Through a comprehensive internal review, we confirmed this incident
was limited only to the issuance of test certificates, which *at all
times were fully controlled within Symantec* and never posed any
threat to any user or organization."
BTW, [2] also lists another, older certificate for the same domain -
*.icns.com.au:
https://crt.sh/?id=658905
[1] https://www-secure.symantec.com/connect/sites/default/files/Test_Certificates_Incident_Final_Report_10_13_2015v3.pdf
[2] https://www-secure.symantec.com/connect/sites/default/files/TestCertificateIncidentReportOwnedDomains.pdf
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy