Hi All,
We did receive a direct report of the problem yesterday (24th September) from a Mozilla rep., thanks, and we undertook an investigation and remediation exercise yesterday.

The software problem which caused or allowed this certificate to be issued has been corrected.

That certificate (https://crt.sh/?id=34242572) was revoked yesterday morning.

We will issue a report tomorrow (26th September).

Regards
Robin Alden
Comodo

> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-
> [email protected]] On Behalf Of Peter Bowen
> Sent: 25 September 2016 17:37
> To: Nick Lamb <[email protected]>
> Cc: [email protected]
> Subject: Re: Comodo issued a certificate for an extension
>
> On Sun, Sep 25, 2016 at 9:19 AM, Nick Lamb <[email protected]> wrote:
> > On Sunday, 25 September 2016 15:35:07 UTC+1, [email protected] wrote:
> >> am I the only one who a) thinks this is slightly problematic and b) is surprised that the cert still isn't revoked?
> >
> > I don't know enough about the .sb ccTLD to be clear how problematic the described scenario is. I would certainly like to know more. Wikipedia tells me that .sb is operated like .uk used to be, with registrant domains appearing only as 3LDs e.g. you used to be able to buy example.co.uk but not example.uk, so that having control of example.sb is itself exceptional, let alone www.sb
>
> According to https://nic.net.sb/, which is linked from
> http://www.iana.org/domains/root/db/sb.html:
>
> "Starting from February 12, 2016 Solomon Telekom Company Limited is
> pleased to announce the extending of .sb domain space place by
> allowing registrations directly at the ‘second-level’."
>
> So it appears that the scenario is that someone (presumably the
> reporter of this issue) registered www.sb., a second level domain
> name, which would be in accordance with the described change.
>
> > It is important to me - as a relying party - to know if there is a problem in Comodo's domain validation which allows people to obtain certificates for names which they do not (or perhaps, depending how .sb is run, even cannot) control. It is not terribly important to me in principle which names are affected, but in practice the extent of the risk might influence Mozilla's decision as to what if anything should be done, by them or by Comodo.
> >
> > However right now it's the weekend, people who do this stuff as their day job, rather than an outside interest, may not have responded because they're busy watching televised sports or baking cakes. I will grow more concerned if there's no follow-up from anybody next week.
>
> It is unclear if this has been reported to the CA (Comodo). While
> some CA operators do read this Mozilla forum, it is not an official
> communication channel for any CA, as far as I know. Any request to
> revoke a certificate needs to be sent to the address specified by the
> CA in their CPS.
>
> Thanks,
> Peter
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

