On 01/06/2018 06:22, Richard S. Leung wrote:
I'm not sure if this is the appropriate place to post this topic, but I felt
like this is important.
I bought myself a new domain this month, and found out that there is a 3-year
SSL certificate valid for my domain via crt.sh.
Naturally I contacted Comodo SSL Abuse Dept. and got redirected to the reseller
- Namecheap.
After reaching out to Namecheap, they insisted that as long as I issued a new
certificate, the valid certificate that the former domain owner had would have
no power whatsoever (which is not true).
Quote:
```
Hello Richard!
Thank you for clarifying.
Regretfully, revocation can only be done with the authorization of certificate
owner (i.e. the same details are required for it).
The certificate in question is not installed on your hosting, so it will not
affect your domain name in any way.
Unless the person with the access to the certificate hacks your hosting access,
he will not be able to use it.
As an extra measure, you can also prohibit that certificate usage with a CAA DNS
record or HPKP header.
```
Even after ticket escalation, they're just reassuring me that MITM somehow will not
exist as long as I set up a new SSL cert and "there is no need to worry about the
security of your website and the information transmitted via Internet".
So, according to Namecheap's statement, the WoSign accident is just a fraud and
people who obtained github.com's certificate will do absolutely no harm to GitHub.
I will post the whole reply Namecheap sent me if someone requests it.
Please contact the CA again, and inform them that BR 4.9.1.1 #6 requires
the CA (not some reseller) to revoke the certificate within 24 hours if:
The CA is made aware of any circumstance indicating that use of a
Fully-Qualified Domain Name or IP address in the Certificate is no
longer legally permitted (e.g. a court or arbitrator has revoked a
Domain Name Registrant’s right to use the Domain Name, a relevant
licensing or services agreement between the Domain Name Registrant
and the Applicant has terminated, or the Domain Name Registrant has
failed to renew the Domain Name);
While CAs are not required to discover such situations themselves, they
must revoke once made aware of the situation (in this case by you
telling them).
At least, this is how I read the rules.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
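For anyone in Richard's position, the practical first step is to list which certificates still cover the newly acquired name and were issued before the transfer, so that the revocation request to the CA under BR 4.9.1.1 #6 can cite them by crt.sh id. The script below is an added example, not code from this thread or from any of the parties named in it; it works on a constructed sample in the shape of crt.sh's JSON output (the `output=json` query), and the domain and dates are hypothetical.

```python
import json
from datetime import datetime

# Constructed sample in the shape of crt.sh's JSON output for a query such as
# https://crt.sh/?q=example-newdomain.test&output=json. Not real data.
SAMPLE_CRTSH_JSON = r"""[
 {"id": 1, "issuer_name": "C=GB, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA",
  "common_name": "example-newdomain.test",
  "name_value": "example-newdomain.test\nwww.example-newdomain.test",
  "not_before": "2016-11-20T00:00:00", "not_after": "2019-11-20T23:59:59"},
 {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
  "common_name": "example-newdomain.test",
  "name_value": "example-newdomain.test",
  "not_before": "2018-01-03T10:00:00", "not_after": "2018-04-03T10:00:00"},
 {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
  "common_name": "old.example-newdomain.test",
  "name_value": "old.example-newdomain.test",
  "not_before": "2015-01-01T00:00:00", "not_after": "2015-04-01T00:00:00"}
]"""


def covers_domain(name_value, domain):
    """True if any name in crt.sh's newline-separated name_value field is the
    domain itself, a name under it, or a wildcard under it (*.domain)."""
    domain = domain.lower()
    names = [n.strip().lower() for n in name_value.split("\n")]
    return any(n == domain or n.endswith("." + domain) for n in names)


def inherited_certs(crtsh_json, domain, acquired_on, today):
    """Entries issued before the domain changed hands (so to a previous
    registrant) that were still unexpired on `today` and cover `domain`.
    crt.sh's JSON carries no revocation status, so each hit still needs an
    OCSP/CRL check before it is reported to the CA as a live certificate."""
    hits = []
    for entry in json.loads(crtsh_json):
        not_before = datetime.fromisoformat(entry["not_before"])
        not_after = datetime.fromisoformat(entry["not_after"])
        if (not_before < acquired_on and not_after > today
                and covers_domain(entry["name_value"], domain)):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    # Hypothetical dates: domain registered 2018-01-01, checked on 2018-01-06.
    for e in inherited_certs(SAMPLE_CRTSH_JSON, "example-newdomain.test",
                             datetime(2018, 1, 1), datetime(2018, 1, 6)):
        print(f"crt.sh id {e['id']}: valid until {e['not_after']}, "
              f"issued by {e['issuer_name']}")
```

The output is the list to quote in the revocation request; the owner's own post-transfer certificate and long-expired ones are deliberately left out.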
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy