It seems that WoSign has registered the domains letsencrypt.cn and letsencrypt.com.cn in 2014, after the public announcement of Let's Encrypt:

whois letsencrypt.cn
Domain Name: letsencrypt.cn
ROID: 20141120s10001s72911711-cn
Domain Status: clientTransferProhibited
Registrant ID: k35-n2041486_00
Registrant: 深圳市沃通电子商务服务有限公司
Registrant Contact Email: [email protected]
Sponsoring Registrar: 厦门三五互联科技股份有限公司
Name Server: ns3.dns-diy.com
Name Server: ns4.dns-diy.com
Registration Time: 2014-11-20 09:57:27
Expiration Time: 2017-11-20 09:57:27
DNSSEC: unsigned

whois letsencrypt.com.cn
Domain Name: letsencrypt.com.cn
ROID: 20141120s10011s84227837-cn
Domain Status: clientTransferProhibited
Registrant ID: k35-n2041486_00
Registrant: 深圳市沃通电子商务服务有限公司
Registrant Contact Email: [email protected]
Sponsoring Registrar: 厦门三五互联科技股份有限公司
Name Server: ns3.dns-diy.com
Name Server: ns4.dns-diy.com
Registration Time: 2014-11-20 09:57:28
Expiration Time: 2017-11-20 09:57:28

Let's Encrypt was announced publicly on November 18, 2014 ( http://www.crn.com/news/cloud/300074840/lets-encrypt-a-free-and-automated-certificate-authority-comes-out-of-stealth-mode.htm ). That domain appears to be registered two days after.

Certificate authorities are about trust. I don't feel comfortable about a CA registering a domain matching the name of another CA.

What is the position of Mozilla about that? Maybe Let's Encrypt or WoSign have more information about these domains?

https://community.letsencrypt.org/t/letsencrypt-cn-and-letsencrypt-com-cn-was-registered-by-wosign/23786

Other relevant thread: Comodo Legal Phishing attack against ISRG?
https://groups.google.com/d/msg/mozilla.dev.security.policy/n-8kcrSuhjg/WKj-PAI2BgAJ

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

