Thanks Gerv - we're working on a patch today for it. We'll also revoke the cert today.
-----Original Message-----
From: Gervase Markham [mailto:[email protected]]
Sent: Monday, September 11, 2017 9:12 AM
To: Jeremy Rowley <[email protected]>; [email protected]
Subject: Re: CAA Certificate Problem Report

On 09/09/17 10:21, Jeremy Rowley wrote:
> Certificate 1 contains a single DNS identifier for
> big.basic.caatestsuite.com. This DNS name has a CAA resource record
> set that is too large to fit within a single DNS UDP packet, but small
> enough to fit within a DNS TCP packet. The only CAA record containing
> an issue property is:
>
> big.basic.caatestsuite.com. IN CAA 0 issue "caatestsuite.com"
>
> Therefore, only caatestsuite.com is allowed to issue for this
> identifier.

From the discussion so far, I'd say that this one is clearly a misissuance, and needs treating as one. (I see this as a clever vuln, not as CA implementation incompetence.) The jury is still out on the CNAME and DNSSEC-based reports.

Gerv
_______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
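The failure mode in the report quoted above (a CAA RRset that only fits in a TCP-sized answer, so a UDP-only lookup sees a truncated response) is shown below as an added example; it is not part of this thread and not any CA's code. It builds two DNS wire-format responses inline (a UDP one with the TC bit set and no answers, and the full TCP one), parses them, and compares a naive check that ignores TC with one that retries over TCP before evaluating the issue property per RFC 8659. The padding records, the fake transport and all function names are constructed for the example; they do not reflect the actual contents of the caatestsuite.com zone.

```python
import struct

QNAME = "big.basic.caatestsuite.com"
ISSUER = "caatestsuite.com"
# Constructed RRset: enough iodef records to exceed a 512-byte UDP payload,
# plus the single issue record that actually constrains issuance.
BIG_RRSET = [(0, "iodef", f"mailto:security-{i}@caatestsuite.example") for i in range(30)]
BIG_RRSET.append((0, "issue", ISSUER))


def _encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _decode_name(msg, off):
    """Decode a wire-format name (handles compression pointers); return (name, next_offset)."""
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            sub, _ = _decode_name(msg, ptr)
            labels.append(sub)
            return ".".join(labels), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def build_caa_response(name, records, truncated=False):
    """Build a DNS response carrying CAA (type 257) records. A truncated
    response sets TC and carries no answers, as a UDP responder may do
    when the RRset does not fit."""
    flags = 0x8180 | (0x0200 if truncated else 0)
    answers = [] if truncated else records
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 257, 1)
    body = b""
    for caa_flags, tag, value in answers:
        rdata = bytes([caa_flags, len(tag)]) + tag.encode("ascii") + value.encode("ascii")
        # 0xC00C is a compression pointer to the question name at offset 12
        body += b"\xC0\x0C" + struct.pack("!HHIH", 257, 1, 300, len(rdata)) + rdata
    return hdr + question + body


def parse_caa_response(msg):
    """Return (tc_bit_set, [(flags, tag, value), ...]) from a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    tc = bool(flags & 0x0200)
    off = 12
    for _ in range(qd):
        _, off = _decode_name(msg, off)
        off += 4  # qtype + qclass
    recs = []
    for _ in range(an):
        _, off = _decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 257:
            taglen = rdata[1]
            recs.append((rdata[0], rdata[2:2 + taglen].decode("ascii").lower(),
                         rdata[2 + taglen:].decode("ascii")))
    return tc, recs


def fake_transport(name, proto):
    """Constructed resolver stand-in: answers over 512 bytes are truncated on UDP only."""
    full = build_caa_response(name, BIG_RRSET)
    if proto == "udp" and len(full) > 512:
        return build_caa_response(name, BIG_RRSET, truncated=True)
    return full


def lookup_caa(name, transport):
    """Query over UDP; if TC is set, retry over TCP. Never treat a truncated answer as complete."""
    tc, recs = parse_caa_response(transport(name, "udp"))
    if tc:
        tc, recs = parse_caa_response(transport(name, "tcp"))
        if tc:
            raise RuntimeError("truncated over TCP: lookup failed, do not issue")
    return recs


def ca_may_issue(records, ca_domain):
    """RFC 8659 issue-property check for a non-wildcard name."""
    for caa_flags, tag, _ in records:
        if caa_flags & 0x80 and tag not in ("issue", "issuewild", "iodef"):
            return False  # unknown critical property: must not issue
    issuers = [v for _, t, v in records if t == "issue"]
    if not issuers:
        return True  # no issue property: CAA imposes no restriction
    return any(v.split(";", 1)[0].strip().lower() == ca_domain.lower() for v in issuers)


def naive_udp_only_may_issue(name, transport, ca_domain):
    """The bug: read the UDP answer, ignore TC, and evaluate whatever arrived."""
    _, recs = parse_caa_response(transport(name, "udp"))
    return ca_may_issue(recs, ca_domain)


def correct_may_issue(name, transport, ca_domain):
    return ca_may_issue(lookup_caa(name, transport), ca_domain)
```

With the truncated UDP answer carrying no records, the naive path concludes that no issue property exists and permits any CA; the TCP retry sees all 31 records and permits only caatestsuite.com. A real implementation should also treat a lookup that fails over both transports as "do not issue" unless the RFC 8659 DNSSEC-validated-failure exception applies.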

