On 07/09/2017 17:17, Gervase Markham wrote:
Mozilla has decided that there is sufficient concern about the
activities and operations of the CA "PROCERT" to collect together our
list of current concerns. That list can be found here:
https://wiki.mozilla.org/CA:PROCERT_Issues

Note that this list may expand or reduce over time as issues are
investigated further, with information either from our or our
community's investigations or from PROCERT.

We expect PROCERT to engage in a public discussion of these issues and
give their comments and viewpoint. We also hope that our community will
make comments, and perhaps provide additional information based on their
own investigations.

When commenting on these issues, please clearly state which issue you
are addressing on each occasion. The issues have been given identifying
letters to help with this.

At the end of a public discussion period between Mozilla, our community
and PROCERT, which we hope will be no longer than a couple of weeks,
Mozilla will move to make a decision about the continued trust of
PROCERT, based on the picture which has then emerged.

Gerv


Although violating the same rules, and involving the same certificates;
for purposes of risk assessment I think issue K should be divided into
two issues:

K1 (most serious): Multiple certificates issued for the bare hostname
  OWASERVER (uppercase, no qualifying domain).  As pointed out by Ryan
  Sleevi, many e-mail clients (including mobile clients) may look for
  this name on their local DNS search list and may or may not (depending
  on client implementation) accept any of these bare certificates as
  proving they are talking to their "home" mail server.  So far none of
  the other MS mail server magic/default names have been found as bare
  name SANs.

K2 (very serious): Multiple certificates issued to potentially
  non-unique subdomains of the local. TLD, previously common for LAN DNS
  but now mostly reserved for multicast DNS.  These violations should
  only pose a risk to clients who have somehow chosen the same arbitrary
  2nd-level domain under local. as the certificate holder(s).  The main
  issue here is that since the local. TLD doesn't have an official
  registry, there is no way that the CA could have properly validated
  that *any* applicant was the proper owner of such a 2nd-level domain,
  because no one is.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
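The two patterns split out above as K1 and K2 (bare hostnames such as OWASERVER, and names under the unregistrable local. TLD) are easy to lint for mechanically. The following is an added example, not code from the thread or from Mozilla's own tooling: it classifies dNSName SAN entries and shows why a bare-name certificate satisfies a client that connected using that bare label. The SAN list is constructed for illustration; the reservation of local. for mDNS is RFC 6762, while treating localhost, example, invalid and test the same way is an assumption based on the RFC 6761 special-use names.

```python
"""Lint dNSName SAN entries for the issue-K patterns discussed above.

Added example, not part of the original message.  Sample SAN list below is
constructed; the only real-world value in it is the OWASERVER label named in
the thread.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Suffixes no public registry administers, so no applicant can ever prove
# control of a name under them.  "local" is reserved for mDNS by RFC 6762;
# the others are RFC 6761 special-use names and are included as an
# assumption for illustration.
NON_REGISTRABLE_SUFFIXES = ("local", "localhost", "example", "invalid", "test")


@dataclass(frozen=True)
class Finding:
    name: str    # the SAN exactly as presented in the certificate
    issue: str   # "bare-hostname", "reserved-suffix" or "ok"
    detail: str


def _normalize(dns_name: str) -> str:
    # Certificate names are matched case-insensitively and a trailing dot
    # is not significant, so OWASERVER, owaserver and OWASERVER. are one name.
    return dns_name.strip().rstrip(".").lower()


def classify_san(dns_name: str) -> Finding:
    """Map one dNSName SAN onto the K1/K2 categories from the thread."""
    name = _normalize(dns_name)
    if "." not in name:
        # K1: a single label.  A client that typed this label and resolved
        # it through its DNS search list will still compare the certificate
        # against the bare label, so any such certificate matches.
        return Finding(dns_name, "bare-hostname",
                       "no qualifying domain; matches whatever host the "
                       "client's DNS search list resolves this label to")
    labels = name.split(".")
    if labels[-1] in NON_REGISTRABLE_SUFFIXES:
        # K2: there is no registry for this TLD, hence no owner to validate.
        second_level = ".".join(labels[-2:])
        return Finding(dns_name, "reserved-suffix",
                       f"{labels[-1]}. has no registry, so control of "
                       f"{second_level} cannot be validated for anyone")
    return Finding(dns_name, "ok", "")


def audit_sans(sans: Iterable[str]) -> List[Finding]:
    """Return only the problematic SANs, in certificate order."""
    return [f for f in map(classify_san, sans) if f.issue != "ok"]


def hostname_matches(reference: str, sans: Iterable[str]) -> bool:
    """Simplified RFC 6125 matching: case-insensitive, with a wildcard
    allowed only as the complete left-most label.  Shows that a client
    that connected to "owaserver" accepts a certificate for "OWASERVER"."""
    ref_labels = _normalize(reference).split(".")
    for san in sans:
        san_labels = _normalize(san).split(".")
        if len(san_labels) != len(ref_labels):
            continue
        if san_labels[0] == "*":
            if len(san_labels) >= 2 and san_labels[1:] == ref_labels[1:]:
                return True
        elif san_labels == ref_labels:
            return True
    return False


# Constructed SAN list modelled on the certificates described in the thread.
SAMPLE_SANS = [
    "mail.example.com",          # fine: registrable, validatable name
    "OWASERVER",                 # K1: bare uppercase hostname
    "exchange.corp.local",       # K2: 2nd-level domain under local.
    "autodiscover.example.com",  # fine
]

if __name__ == "__main__":
    for finding in audit_sans(SAMPLE_SANS):
        print(f"{finding.issue:16} {finding.name:24} {finding.detail}")
    print("client at 'owaserver' accepts bare cert:",
          hostname_matches("owaserver", ["OWASERVER"]))
```

Run against a real certificate, feed `audit_sans` the dNSName entries from its subjectAltName extension; the classifier only looks at the strings, so it works on CT log exports as well as on live certificates. Note that `hostname_matches` deliberately does not expand the reference name through a search list: that expansion happens in the resolver before TLS, which is exactly why the bare label is what ends up being compared.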
