Hi Kathleen,
Comodo issued a number of certificates to .tg domains during the
period of interest.We see a history of applications for <something>.gouv.tg certificates which we had been previously been rejecting and suddenly in the period of interest we issued them - which might support the notion of the .tg registry being compromised. It could, of course, also indicate a sudden burst of activity by the Togo government in setting up websites. It is hard to tell. We issued certificates including around 170 names matching <something>.gouv.tg. Issued names certificates 19/06/2017 2 1 01/08/2017 1 1 25/10/2017 31 7 26/10/2017 46 15 27/10/2017 7 3 28/10/2017 8 4 30/10/2017 19 8 31/10/2017 20 4 01/11/2017 12 2 02/11/2017 9 3 03/11/2017 8 4 04/11/2017 5 2 and that's when we blocked .tg. When we first got a heads-up about this we looked at the data and I said that it looked to me like 25th October was the transition to chaos, since that is when we issued the first of many gouv.tg certificates. I hope that helps a little. Regards Robin Alden Comodo CA Ltd > -----Original Message----- > From: dev-security-policy [mailto:dev-security-policy- > bounces+robin=comodo....@lists.mozilla.org] On Behalf Of Kathleen Wilson > via dev-security-policy > Sent: 14 November 2017 16:31 > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: .tg Certificates Issued by Let's Encrypt > > On 11/14/17 4:34 AM, douglas.beat...@gmail.com wrote: > > > > Do we believe that this issue has been resolved by the Registry and issuance > an resume as normal, or are there ongoing concerns which CAs should be > aware of when issuing certificates to .tg domains? > > > > > Based on information from folks that are monitoring their NS Records, we > believe that the .tg Registry problems were fixed on November 1, and > have remained fixed since then. > > I have not looked into how Registries are operated and maintained, so > here is my personal (uneducated) opinion: I think it is possible that > the .tg Registry could be compromised again. I have no idea if all of > the newer Registries are using good network and security protocols, > infrastructure, etc. > > I think that we will need to have much deeper investigation and > discussions about Registries, so I have added this to my to-do list, but > I will not be able to get to it until January. > > Thanks, > Kathleen > > > > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
