On 18/07/17 15:31, Jakob Bohm via dev-security-policy wrote:
On 18/07/2017 16:19, Rob Stradling wrote:
On 17/07/17 16:14, Jonathan Rudenberg via dev-security-policy wrote:
This certificate, issued by “Intesa Sanpaolo CA Servizi Esterni
Enhanced” which chains up to a Baltimore CyberTrust root, contains an
invalid dnsName of “www.intesasanpaolovita..biz” (note the two dots):
This raises some questions about the technical controls in place for
issuance from this CA.
Yesterday evening Jonathan privately made me aware of a leaf
certificate (https://crt.sh/?id=73190674) with two SAN:dNSNames that
contain consecutive dots, which was issued by a Comodo intermediate.
He found this cert using the crt.sh DB's lint records.
This morning Robin and I have investigated this bug in our code and
we've taken the following actions:
- We've deployed a hotfix to our CA system to prevent any further
"double dot" mis-issuances.
- We've confirmed that the bug only affected labels to the left of
the registrable domain. (e.g., dNSNames of the form www..domain.com
were not always rejected, but those of the form www.domain..com were
This doesn't match the one reported by Ben Wilson, which also exhibits
various Microsoft related oddities:
Hi Jakob. Why would you expect it to?
Jonathan found certs containing "double dots" in dNSNames in leaf certs
that chain to both DigiCert roots and Comodo roots.
Note that DigiCert != Comodo.
Senior Research & Development Scientist
COMODO - Creating Trust Online
dev-security-policy mailing list