On Sun, Sep 25, 2016 at 9:19 AM, Nick Lamb <[email protected]> wrote:
> On Sunday, 25 September 2016 15:35:07 UTC+1, [email protected] wrote:
>> am I the only one who a) thinks this is slightly problematic and b) is
>> surprised that the cert still isn't revoked?
>
> I don't know enough about the .sb ccTLD to be clear how problematic the
> described scenario is. I would certainly like to know more. Wikipedia tells
> me that .sb is operated like .uk used to be, with registrant domains
> appearing only as 3LDs e.g. you used to be able to buy example.co.uk but not
> example.uk, so that having control of example.sb is itself exceptional, let
> alone www.sb

According to https://nic.net.sb/, which is linked from
http://www.iana.org/domains/root/db/sb.html:

"Starting from February 12, 2016 Solomon Telekom Company Limited is
pleased to announce the extending of .sb domain space place by
allowing registrations directly at the ‘second-level’."

So it appears that the scenario is that someone (presumably the
reporter of this issue) registered www.sb., a second level domain
name, which would be in accordance with the described change.

> It is important to me - as a relying party - to know if there is a problem in
> Comodo's domain validation which allows people to obtain certificates for
> names which they do not (or perhaps, depending how .sb is run, even cannot)
> control. It is not terribly important to me in principle which names are
> affected, but in practice the extent of the risk might influence Mozilla's
> decision as to what if anything should be done, by them or by Comodo.
>
> However right now it's the weekend, people who do this stuff as their day
> job, rather than an outside interest, may not have responded because they're
> busy watching televised sports or baking cakes. I will grow more concerned if
> there's no follow-up from anybody next week.

It is unclear if this has been reported to the CA (Comodo). While
some CA operators do read this Mozilla forum, it is not an official
communication channel for any CA, as far as I know. Any request to
revoke a certificate needs to be sent to the address specified by the
CA in their CPS.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

