2022-11-09 14:10 GMT+01:00 'Ryan Dickson' via [email protected] <[email protected]>:
> We identified that ~35% of the dnsNames represented in the certificates
> issued by TrustCor were publicly accessible at the time of evaluation, and
> only 59% of those served TrustCor-issued Certificates.
>
> Closely studying issuance patterns, most TrustCor-issued certificates were
> issued to the following domains: ddns.net, hopto.org, sytes.net, zapto.org,
> myddns.me, servebeer.com, myftp.org, and servehttp.com.
>
> We would have expected a substantially broader set of publicly accessible
> domains, but this is not intended to express wrongdoing by TrustCor.

Thank you Kathleen and Ryan for quickly addressing the issues with the trustworthiness of this CA operator.

I also noticed the same issuance patterns, and wanted to note that all those domains belong to the same Dynamic DNS service [1] which offers free TrustCor certificates [2].

I agree that this doesn't indicate any wrongdoing, but I expect that the fact that this CA seems to mostly serve a single service provider will be part of the "self-assessment of risk versus benefit of the TrustCor CA’s root certificates being included in Mozilla’s root store" that Kathleen requested.

[1]: https://www.noip.com/support/faq/free-dynamic-dns-domains/
[2]: https://www.noip.com/support/knowledgebase/configure-trustcor-standard-dv-ssl/
