Misissuance Report
On February 25th 2017, we received a report that there was a SAN in an
Incapsula OV certificate (specifically an OV certificate issued via the
GlobalSign CloudSSL product) for a domain that is no longer registered
(testsslfeb20.me).
1) GlobalSign CloudSSL product descriptio
On 03/03/17 20:59, douglas.beat...@gmail.com wrote:
> In general, when we receive new orders and issue certificates, the
> vetting is done just prior to issuance time which permits the
> certificate to be replaced up until expiration. We're looking into
> cases where new "orders" may have used cer
I wanted to send out a short update of where we are on looking into the reported
Incapsula/testslsslfeb20.me certificate and the thread of comments and
questions above.
In this specific case the domain was verified within 39 months of
issuance/reissuance (no difference as Ryan pointed out).
In
On Friday, 3 March 2017 07:49:28 UTC, Ryan Sleevi wrote:
> It is not acceptable. It's explicitly prohibited multiple ways to allow
> more than 24 hours when such situations are brought to the CAs' attention.
I'm sympathetic to the idea, here and in all cases where we have no reason to
suppose th
On Thu, Mar 2, 2017 at 11:03 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> But is this stated explicitly, or simply an interpretation?
>
Yes. Section 4.2.1
> As this seems to be a multi-SAN certificate for some kind of hosting
> provider (based on the
On 03/03/2017 06:44, Ryan Sleevi wrote:
Hi Jakob,
On Thu, Mar 2, 2017 at 9:14 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
I read his previous answer as saying that the system will in no case
extend the validity of a validation beyond the duration of
Hi Jakob,
On Thu, Mar 2, 2017 at 9:14 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> I read his previous answer as saying that the system will in no case
> extend the validity of a validation beyond the duration of the
> certificate in which it was orig
On 02/03/2017 00:59, Ryan Sleevi wrote:
On Wed, Mar 1, 2017 at 12:12 PM, douglas.beattie--- via dev-security-policy
wrote:
On Wednesday, March 1, 2017 at 8:26:34 AM UTC-5, Peter Kurrasch wrote:
Would it be possible to get a more precise answer other than "in
accordance with"? I am left to as
On Wed, Mar 1, 2017 at 12:12 PM, douglas.beattie--- via dev-security-policy
wrote:
> On Wednesday, March 1, 2017 at 8:26:34 AM UTC-5, Peter Kurrasch wrote:
> > Would it be possible to get a more precise answer other than "in
> accordance with"? I am left to assume that in fact no verification was
On Wednesday, March 1, 2017 at 8:26:34 AM UTC-5, Peter Kurrasch wrote:
> Would it be possible to get a more precise answer other than "in accordance
> with"? I am left to assume that in fact no verification was performed because
> the previous verification was in the 39 month window.
For this SS
Would it be possible to get a more precise answer other than "in accordance
with"? I am left to assume that in fact no verification was performed because
the previous verification was in the 39 month window.
Original Message
From: douglas.beattie--- via dev-security-policy
Sent: Tuesday, Fe
On Tuesday, February 28, 2017 at 6:00:47 PM UTC+2, Nick Lamb wrote:
> This is useful independent evidence that (at least some of) the names did
> exist at one time.
The problem is that they're "re-keying" certificates for domains that are no
longer in control of their subscribers (as Andrew Ayer
On Tuesday, February 28, 2017 at 5:49:32 PM UTC+2, Andrew Ayer wrote:
> Note that the BRs do not require a domain to exist when a CA issues a
> DV/OV certificate for it. The BRs only require that the CA validated
> the domain at some point in the 39 months prior to issuance.
Sad to know. Pasting
On Tuesday, 28 February 2017 16:00:47 UTC, Nick Lamb wrote:
> e.g. http://domaingraveyard.com/list/2016-05-10.txt
Typical, I posted that and then I checked from another browser and it now gives
an access error. Anyway, there are others of the same ilk out there, these
names (at least some of th
On Tuesday, 28 February 2017 12:29:30 UTC, Itzhak Daniel wrote:
> I also would like to have an official reply from GlobalSign saying that "on
> the date they issue the certificate the domain exists".
Doug/ GlobalSign has responded but I'll mention here that lists of recently
abandoned domain na
On Tue, 28 Feb 2017 04:29:20 -0800 (PST)
Itzhak Daniel via dev-security-policy
wrote:
> I also would like to have an official reply from GlobalSign saying
> that "on the date they issue the certificate the domain exists".
Note that the BRs do not require a domain to exist when a CA issues a
DV/O
On Tuesday, February 28, 2017 at 7:29:30 AM UTC-5, Itzhak Daniel wrote:
> On Tuesday, February 28, 2017 at 1:38:25 PM UTC+2, Gervase Markham wrote:
> > I think that without more evidence we must assume that GlobalSign
> > validated this domain correctly at a time when it existed.
>
> There are man
On Tuesday, February 28, 2017 at 1:38:25 PM UTC+2, Gervase Markham wrote:
> I think that without more evidence we must assume that GlobalSign
> validated this domain correctly at a time when it existed.
There are many more test*.* domains, none of those (about 10) I checked exist. I
will compose a
On 26/02/17 00:50, Itzhak Daniel wrote:
> I talked with Ofer from Incapsula, he said the domain existed at some
> point. Does someone have access to DomainTools or another tool to verify
> this matter? Based on DomainTools I can say the domain did exist but
> I can't tell when it ceased to exist.
I think t
I talked with Ofer from Incapsula, he said the domain existed at some point.
Does someone have access to DomainTools or another tool to verify this matter? Based
on DomainTools I can say the domain did exist but I can't tell when it ceased to
exist.
https://research.domaintools.com/research/whois-histor
This practice seems to go back to Apr 2014.
Link: https://crt.sh/?dNSName=testslsslfeb20.me
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy