For this case, WoSign notified Alibaba after getting the report. I think this case is another case of the website control validation problem.

Now, many CDNs and Internet service providers provide a subdomain to their customers, like myname.CDNprovider.com. This customer can do the website control validation, then he can get this certificate. You can't say this is a mis-issued or fake cert. This validation method is allowed by the BR, so we need to make clear that if the ISP/Cloud service provider doesn't notify the CA which domain's subdomains are not allowed to be issued certificates for customers, then this issued certificate is OK.

Best Regards,

Richard

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign....@lists.mozilla.org] On Behalf Of Percy
Sent: Friday, September 2, 2016 5:50 AM
To: Gervase Markham <g...@mozilla.org>
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign

They have confirmed that it's a fake cert. Alibaba knew this prior to my contact and said they already contacted WoSign.

Percy Alpha (PGP <https://pgp.mit.edu/pks/lookup?op=vindex&search=0xF30D100F7FE124AE>)

On Wed, Aug 31, 2016 at 3:15 AM, Gervase Markham <g...@mozilla.org> wrote:
> On 29/08/16 22:53, Percy wrote:
> > Gerv, I've notified the security team in Alibaba about this possible
> > fake cert and asked them to confirm that they have not applied for a cert.
> > It's unlikely that Alibaba will use a free cert from WoSign. As a
> > commercial site, they usually use Verisign or GlobalSign.
>
> That might also help; thank you. Please ask them to contact me
> directly to confirm this cert was not requested by them.
>
> Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy