On 06/01/17 09:52, Nick Lamb wrote:
> Comodo
> https://crt.sh/?id=1246507
> https://crt.sh/?id=1825806
>
> Verisign / Symantec
> https://crt.sh/?id=1450883
>
> I would appreciate feedback, generally from m.d.s.policy participants
> about whether they believe that for some reason these certificates
> did not need to be revoked to achieve compliance with 7.1.4.2.1 and
> specifically from Comodo and Symantec on why the certificates weren't
> in fact revoked.

One possibility for the latter two is that Comodo and/or Symantec used an
algorithm for detecting certs with internal names which was "no dots",
which wouldn't have turned these up.

.local is clearly a local domain - RFC 6762.

.corp was originally just another TLD, but it was controversial due to
widespread internal use, and I was arguing for it to be reserved for
special use, but I don't know if it ever was. Does anyone know the
current status?

However, the first one of the three is a clear internal name, and it
would be good to hear from Comodo as to how it missed their revocation
sweep.

> I would also be interested in learning whether auditors would be
> expected to identify and report this deviation.

Given that you had to process 2 million certs to find them, and given
that auditors currently check on a "sampling" basis, I wouldn't
necessarily expect auditors to find these.

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
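To illustrate the failure mode Gerv describes, here is an added example (not code from the thread, nor any CA's actual tooling) that puts the suspected "no dots" heuristic beside a stronger internal-name check. The stronger check treats a SAN as internal when it is dotless, when it is an IP address that is not globally routable, when its top-level label is .local (reserved by RFC 6762), or when that label is not in a set of public TLDs. The public TLD set and the decision to treat .corp as internal are assumptions for this example; a production checker would take the delegated TLD list from the IANA root zone. The sample SANs are constructed and are not the contents of the crt.sh certificates linked above.

```python
import ipaddress
from typing import Iterable, List

# RFC 6762 reserves .local for multicast DNS; it cannot be a public DNS name.
RFC6762_RESERVED_TLDS = {"local"}

# Assumption for this example: treat .corp as internal, following the thread's
# remark about its widespread internal use. Not an authoritative status.
ASSUMED_INTERNAL_TLDS = {"corp"}

# Constructed, deliberately tiny stand-in for the IANA root zone TLD list.
SAMPLE_PUBLIC_TLDS = {"com", "net", "org", "uk", "de"}

# Constructed sample of subjectAltName dNSName/iPAddress values to classify.
SAMPLE_SANS = [
    "www.example.com",   # ordinary public name
    "mailserver",        # dotless: both checks catch this
    "intranet.corp",     # dotted, but the TLD is assumed internal
    "printer.local",     # dotted, but .local is reserved by RFC 6762
    "10.0.0.5",          # RFC 1918 address: not globally routable
    "*.example.org",     # wildcard under a public TLD
]


def is_internal_no_dots(name: str) -> bool:
    """The weak heuristic the thread suspects: only dotless names are internal."""
    return "." not in name.strip()


def is_internal_name(name: str) -> bool:
    """Stronger check covering reserved IPs, reserved suffixes and non-public TLDs."""
    value = name.strip().lower().rstrip(".")
    if value.startswith("*."):
        value = value[2:]  # a wildcard is internal iff its base name is

    # iPAddress SANs: anything not globally routable (private, loopback,
    # link-local, documentation ranges) counts as a reserved address.
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    if ip is not None:
        return not ip.is_global

    if "." not in value:
        return True  # single-label hostname, never resolvable in public DNS

    tld = value.rsplit(".", 1)[1]
    if tld in RFC6762_RESERVED_TLDS or tld in ASSUMED_INTERNAL_TLDS:
        return True
    return tld not in SAMPLE_PUBLIC_TLDS


def find_missed_by_no_dots(sans: Iterable[str]) -> List[str]:
    """SANs the stronger check flags but the 'no dots' heuristic lets through."""
    return [s for s in sans if is_internal_name(s) and not is_internal_no_dots(s)]


if __name__ == "__main__":
    for san in SAMPLE_SANS:
        print(f"{san:18} no-dots={is_internal_no_dots(san)!s:5} "
              f"stronger={is_internal_name(san)}")
    print("missed by 'no dots':", find_missed_by_no_dots(SAMPLE_SANS))
```

Run against the constructed sample, the dotless name is the only one both checks agree on; the .corp name, the .local name and the private IP address are exactly the kind of entries a "no dots" sweep would leave unrevoked, which is the gap the thread is asking the CAs to explain.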

