I think I know the reason; this may be helpful for your investigation.
This is a code bug in the CA's issuing system: the engineer misunderstood the
rule for adding a free additional domain. The system treats "www" as a
subdomain, which in most cases it is, but in this case it is the top domain.
The subscriber completed domain validation for the domain "www.sb". The
issuing system then applied the rule "if the domain is validated, and if the
certificate request is for www.domain.com, then automatically add its top
domain, domain.com, to the certificate", so the signing system added the
domain ".sb" to the certificate as its top domain. This rule is fine in most
cases, but in this case it is wrong.
There is another bug: it means Comodo does not have a gTLD blocking system,
even though according to the BRs a CA can't issue a gTLD domain to a
subscriber.
And the excuse "we don't know this new gTLD" is not a good reason, since many
new gTLDs come out very frequently. The system must NOT issue a gTLD name to
subscribers; it must block any known or unknown gTLD in the certificate. And
since this domain, "www.sb", passed domain validation, it means Comodo's
system knows this gTLD.
This is a BR-violating misissuance. I don't know whether any more certificates
were mis-issued, since it is a bug in the code that may affect other similar
orders. I recommend Comodo post all issued SSL certificates to CT log servers
for full transparency, so users worldwide can check whether any more
misissuance happened.
Best Regards,
Richard
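The "strip www. and add the parent" rule Richard describes above, as an added example that is not part of the thread and is not Comodo's code. It puts the naive rule beside a hardened one that only adds a name when it is still inside the registrable domain that was actually validated and is not itself a TLD or public suffix. The `PUBLIC_SUFFIXES` table is a constructed stub; a real issuing system would load the Public Suffix List from publicsuffix.org and refresh it. Names such as `example.com` and `foo.xyz` are made up for illustration.

```python
"""Added example: naive 'www.' parent-domain SAN rule vs. a hardened one.
Not Comodo's code and not from the mailing-list thread."""
from typing import Optional

# Constructed stub standing in for the Public Suffix List (publicsuffix.org).
# Includes .sb (registrations directly at the second level are allowed since
# 2016, per the thread) and its traditional third-level registries.
PUBLIC_SUFFIXES = {
    "com", "net", "org", "uk", "co.uk", "sb", "com.sb", "net.sb", "org.sb",
}


def naive_parent_san(requested: str) -> Optional[str]:
    """The rule as described in the thread: strip a leading 'www.' and
    add whatever is left as an extra SAN. Returns None if no 'www.' prefix.
    For 'www.sb' this returns the bare TLD 'sb'."""
    name = requested.lower().rstrip(".")
    if name.startswith("www."):
        return name[4:]
    return None


def registrable_parent(name: str) -> Optional[str]:
    """Return the registrable domain (longest matching public suffix plus one
    label) for name, or None if name is a public suffix or a bare label.
    An unknown TLD is treated as a public suffix (the PSL's default rule),
    so an unknown or brand-new gTLD is still refused as a SAN by itself."""
    labels = name.lower().rstrip(".").split(".")
    suffix_start = None
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            suffix_start = i  # first hit from the left is the longest suffix
            break
    if suffix_start is None:
        suffix_start = len(labels) - 1  # unknown TLD: assume the last label
    if suffix_start == 0:
        return None  # the name itself is a public suffix / TLD
    return ".".join(labels[suffix_start - 1:])


def is_tld_or_public_suffix(name: str) -> bool:
    """BR-style block: a name with no registrable parent must never be a SAN."""
    return registrable_parent(name) is None


def parent_san(validated: str) -> Optional[str]:
    """Hardened rule: add the 'www.'-stripped name only when it is still
    within the registrable domain that was validated and is not a suffix."""
    candidate = naive_parent_san(validated)
    if candidate is None or is_tld_or_public_suffix(candidate):
        return None
    reg = registrable_parent(validated)
    if reg is None:
        return None
    if candidate == reg or candidate.endswith("." + reg):
        return candidate
    return None  # e.g. validated 'www.sb' must not yield 'sb'


if __name__ == "__main__":
    for req in ("www.sb", "www.example.com", "www.co.uk", "www.xyz"):
        print(f"{req:20} naive={naive_parent_san(req)!s:14} "
              f"hardened={parent_san(req)}")
```

The hardened rule fails closed in both directions that matter here: a candidate with no registrable parent (a known or unknown TLD, or a public suffix like `co.uk`) is refused, and a candidate outside the validated registrable domain is refused even if it looks like an ordinary name.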
-----Original Message-----
From: dev-security-policy
[mailto:[email protected]] On
Behalf Of Robin Alden
Sent: Monday, September 26, 2016 1:29 AM
To: 'Peter Bowen' <[email protected]>; 'Nick Lamb' <[email protected]>
Cc: [email protected]
Subject: RE: Comodo issued a certificate for an extension
Hi All,
We did receive a direct report of the problem yesterday (24th
September) from a Mozilla rep., thanks, and we undertook an investigation and
remediation exercise yesterday.
The software problem which caused or allowed this certificate to be issued has
been corrected.
That certificate (https://crt.sh/?id=34242572) was revoked yesterday morning.
We will issue a report tomorrow (26th September).
Regards
Robin Alden
Comodo
> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-
> [email protected]] On Behalf Of Peter Bowen
> Sent: 25 September 2016 17:37
> To: Nick Lamb <[email protected]>
> Cc: [email protected]
> Subject: Re: Comodo issued a certificate for an extension
>
> On Sun, Sep 25, 2016 at 9:19 AM, Nick Lamb <[email protected]> wrote:
> > On Sunday, 25 September 2016 15:35:07 UTC+1, [email protected]
> wrote:
> >> am I the only one who a) thinks this is slightly problematic and b) is
> >> surprised that the cert still isn't revoked?
> >
> > I don't know enough about the .sb ccTLD to be clear how problematic the
> > described scenario is. I would certainly like to know more. Wikipedia
> > tells me that .sb is operated like .uk used to be, with registrant
> > domains appearing only as 3LDs e.g. you used to be able to buy
> > example.co.uk but not example.uk, so that having control of example.sb
> > is itself exceptional, let alone www.sb
>
> According to https://nic.net.sb/, which is linked from
> http://www.iana.org/domains/root/db/sb.html:
>
> "Starting from February 12, 2016 Solomon Telekom Company Limited is
> pleased to announce the extending of .sb domain space place by
> allowing registrations directly at the ‘second-level’."
>
> So it appears that the scenario is that someone (presumably the
> reporter of this issue) registered www.sb., a second level domain
> name, which would be in accordance with the described change.
>
> > It is important to me - as a relying party - to know if there is a
> > problem in Comodo's domain validation which allows people to obtain
> > certificates for names which they do not (or perhaps, depending how .sb
> > is run, even cannot) control. It is not terribly important to me in
> > principle which names are affected, but in practice the extent of the
> > risk might influence Mozilla's decision as to what if anything should be
> > done, by them or by Comodo.
> >
> > However right now it's the weekend, people who do this stuff as their
> > day job, rather than an outside interest, may not have responded because
> > they're busy watching televised sports or baking cakes. I will grow more
> > concerned if there's no follow-up from anybody next week.
>
> It is unclear if this has been reported to the CA (Comodo). While
> some CA operators do read this Mozilla forum, it is not an official
> communication channel for any CA, as far as I know. Any request to
> revoke a certificate needs to be sent to the address specified by the
> CA in their CPS.
>
> Thanks,
> Peter
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy