I hope you could investigate it even further as this might be just the 
beginning.
I just did a random quick lookup so far. And I guess there are over a thousand 
or more DigiCert certificates issued for Dutch websites and companies. 

Does this mean the validation process is lacking proper validation or missing 
the tools and assets to know where to check for this information? For locations:

- Maps services from Google
- Wikipedia (although not favourable) 
- Company registration agencies (KvK in The Netherlands), which already did the 
address check




On Wednesday, 19 April 2017 22:28:09 UTC+2, Jeremy Rowley wrote:
> I’m looking into it right now. I’ll report back shortly. 
>
> Jeremy
>
> From: Ryan Sleevi [mailto:r...@sleevi.com] 
> Sent: Wednesday, April 19, 2017 2:25 PM
> To: Mike vd Ent <pasarellaph...@gmail.com>
> Cc: mozilla-dev-security-policy 
> <mozilla-dev-security-pol...@lists.mozilla.org>; Jeremy Rowley 
> <jeremy.row...@digicert.com>; Ben Wilson <ben.wil...@digicert.com>
> Subject: Re: CA Validation quality is failing
>
> On Wed, Apr 19, 2017 at 3:47 PM, Mike vd Ent via dev-security-policy 
> <dev-security-policy@lists.mozilla.org 
> <mailto:dev-security-policy@lists.mozilla.org> > wrote:
> 
> Ryan,
> 
> My answers on the particular issues are stated inline.
> But the thing I want to address is how could (in this case DigiCert) validate 
> such data and issue certificates? I am investigating more of them and am afraid 
> even linked company names or registration numbers could be false. Shouldn't 
> those certificates be revoked?
>
> You are correct that it appears these certificates should not have issued. 
> Hopefully Jeremy and Ben from DigiCert can comment on this thread ( 
> https://groups.google.com/d/msg/mozilla.dev.security.policy/DgeLqKMzIds/ig8UmHT2DwAJ
>  for the archive) with details about the issues and the steps taken.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
