First, I must make declaration that I don't know "Showfom", and I don't know if he/she is a WoSign customer.
As I said in my final statement that I wish all Mozilla trusted CA can post their issued certificate to CT log server for full transparency, I am sure not WoSign mis-issued certificate only, maybe some CA have more serious problems. I paste my statement again here: WoSign believes that the Certificate Transparency is a very good solution for self-discipline that force employees to attach great importance to product quality control, and for external oversight mechanism that let the third party supervise the CA's activity. WoSign is the first CA that volunteer to post all issued SSL Certificates to Google CT log server initiatively. Our aim is to let the worldwide users trust WoSign SSL certificates, and hope to drive the global CAs to be open and transparent publishing all issued certificates to CT log server, making worldwide users, browser vendors and related stakeholder to take an overall supervision, this will benefit the global Internet security. @Showfom: you don't need to say " Sorry for my bad English", your English is very good! Our native language is Chinese, not English, so no need to say sorry, I NEVER say this word again. Regards, Richard -----Original Message----- From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign....@lists.mozilla.org] On Behalf Of Showfom Sent: Saturday, September 24, 2016 2:30 AM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Comodo issued a certificate for an extension First, let me introduce myself, I'm a famous investor of ccTLD domains from China. Recently we get an easy-remember domain www.sb, please note the extension is .sb I ordered a Comodo Positive SSL for this domain, the common name which I submit is www.sb Usually they will give us a certificate for www.sb and www.www.sb, but this time Comodo issues a certificate with DNS name www.sb and sb I can't find our certificate in crt.sh but can be viewed here https://censys.io/certificates/719c282a51e935051e88bf6115dda0731da21c0e12c08e6bcea36078e83e4966 Or you can simply type https://www.sb/ in your browser to view the certificate https://www.sb/uploads/images/201609/24/181/n9k4qfbVYj.png I also tried to make an nginx conf in my server for https://sb/ you can change your /etc/hosts or just use curl commmand curl -v -H "Host: sb" https://www.sb/ You can find 403 Forbidden in title without any SSL certificate error because I set the return status for https://sb/ to 403 Sorry for my bad English Best Regards, @Showfom _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy