Technically, the same issue could exist on the system. However, co.uk is actually blocked as a valid approval address by our system. In-addr.arpa was not blocked.
Here's a status update:

1) We identified 3000 certificates where the scope was changed by validation staff based on a WHOIS document.
2) Of the 3,000, the only certificate we found where the scope was not set to be the scope of the WHOIS document was the one reported by Cynthia.

The next step is to look at why we didn't block in-addr.arpa as an eligible scope. We generally pull from the PSL, so I need to find out why in-addr.arpa was not blocked.

Thanks!
Jeremy

-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Cynthia Revström via dev-security-policy
Sent: Saturday, March 2, 2019 1:46 AM
To: George Macon <george.ma...@gmail.com>
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Possible DigiCert in-addr.arpa Mis-issuance

On 2019-03-02 01:49, George Macon via dev-security-policy wrote:
> One specific question on this point: Why did the software permit
> setting the approval scope to a public suffix (as defined by inclusion
> on the public suffix list)? Could validation agent action set the
> approval scope to some other two-label public suffix like co.uk?

I think this is highly unlikely seeing as this was a human error and unlike in-addr.arpa, people might know about .co.uk.

- Cynthia
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
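An added example, not part of the thread and not DigiCert's code: one way to refuse an approval scope that is a public suffix or that is broader than the domain named in the WHOIS document, using Public Suffix List matching (exact, wildcard and exception rules). The rule excerpt, function names, reason strings and sample domains are constructed for illustration.

```python
# Constructed excerpt in Public Suffix List syntax (not the full list).
PSL_EXCERPT = """
// constructed sample rules
arpa
in-addr.arpa
uk
co.uk
com
*.ck
!www.ck
"""

def load_rules(text):
    """Split PSL lines into exact, wildcard (*.x) and exception (!x) rules."""
    exact, wildcard, exception = set(), set(), set()
    for line in text.splitlines():
        rule = line.strip().lower()
        if not rule or rule.startswith("//"):
            continue
        if rule.startswith("!"):
            exception.add(rule[1:])
        elif rule.startswith("*."):
            wildcard.add(rule[2:])
        else:
            exact.add(rule)
    return exact, wildcard, exception

def public_suffix(name, rules):
    """Return the public suffix of name under the PSL matching algorithm."""
    exact, wildcard, exception = rules
    labels = name.lower().rstrip(".").split(".")
    tails = [".".join(labels[i:]) for i in range(len(labels))]  # longest first
    for tail in tails:                      # exception rules prevail
        if tail in exception:
            return tail.partition(".")[2]
    for tail in tails:                      # otherwise the longest match wins
        if tail in exact or tail.partition(".")[2] in wildcard:
            return tail
    return labels[-1]                       # default rule "*"

def check_scope(scope, whois_domain, rules):
    """Return the reasons (hypothetical labels) to refuse an approval scope."""
    scope = scope.lower().rstrip(".")
    whois_domain = whois_domain.lower().rstrip(".")
    problems = []
    if scope == public_suffix(scope, rules):
        problems.append("scope is a public suffix")
    if scope != whois_domain and not scope.endswith("." + whois_domain):
        problems.append("scope is outside the WHOIS document's domain")
    return problems

RULES = load_rules(PSL_EXCERPT)
```

With the constructed reverse zone `2.0.192.in-addr.arpa` as the WHOIS document's domain, a scope of `in-addr.arpa` fails both checks, while a scope equal to the zone itself passes.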