GlobalSign BR violation
It appears GlobalSign has issued an EV certificate containing dNSNames which include spaces which are non-valid DNS characters. This is a violation of CABF Baseline Regulations Sections 7.1.4.2.1. and presumably 3.2.2.4. since there is no way to confirm control of a non-valid DNS name.

Pre-certificate: https://crt.sh/?q=2d935bf09230c5ba9552c4ac5f0e6dd85e44fa2755819ade9a6f54beff7555de
Certificate: https://crt.sh/?q=7b64ea5a8f0572c99e63cc36939163ff80ea9cd62d03d1fa661aeb0627ef8633

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
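A syntax check for the problem reported above, as an added example that is not part of the original thread or of any CA's tooling: it flags dNSName entries that contain whitespace or any other character outside letter-digit-hyphen labels. The function names and the sample SAN list are constructed for illustration; the 63-character label and 253-character name limits are the usual DNS text-form limits, and a single leading `*` label is assumed to be an acceptable wildcard.

```python
import re

# One DNS label: letters, digits and hyphens, 1-63 characters,
# with no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def dnsname_problems(name):
    """Return the reasons `name` is not a syntactically valid dNSName ([] if none)."""
    if not name:
        return ["empty name"]
    problems = []
    if any(ch.isspace() for ch in name):
        problems.append("contains whitespace")
    if len(name) > 253:
        problems.append("longer than 253 characters")
    labels = name.split(".")
    if labels[0] == "*":  # assumption: wildcard only as the entire leftmost label
        labels = labels[1:]
        if not labels:
            problems.append("bare wildcard")
    for label in labels:
        if label == "":
            problems.append("empty label")
        elif not _LABEL.fullmatch(label):
            problems.append(f"invalid label {label!r}")
    return problems


def lint_san(dns_names):
    """Map each offending SAN entry to its problems; valid entries are omitted."""
    report = {}
    for name in dns_names:
        problems = dnsname_problems(name)
        if problems:
            report[name] = problems
    return report


# Constructed sample SAN list (not taken from the certificate in the report).
SAMPLE_SAN = ["www.example.com", "*.example.com", "www. example.com",
              "example .com", "-bad.example.com", "a..example.com"]

if __name__ == "__main__":
    for entry, reasons in lint_san(SAMPLE_SAN).items():
        print(f"{entry!r}: {', '.join(reasons)}")
```
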
Re: Incapsula via GlobalSign issued[ing] a certificate for non-existing domain (testslsslfeb20.me)
I talked with Ofer from Incapsula; he said the domain existed at some point. Does someone have access to domain tools or another tool to verify this matter? Based on domaintools I can say the domain did exist, but I can't tell when it ceased to exist.
https://research.domaintools.com/research/whois-history/search/?q=testslsslfeb20.me

There are several other domains; maybe someone can compose a better list:
https://censys.io/certificates?q=parsed.subject.common_name%3A+incapsula.com+and+parsed.extensions.subject_alt_name.dns_names%3A+test*ssl*%28jan%7Cfeb%7Cmar%7Capr%7Cmay%7Cjun%7Cjul%7Caug%7Csep%7Coct%7Cnov%7Cdec%29
Incapsula via GlobalSign issued[ing] a certificate for non-existing domain (testslsslfeb20.me)
This practice seems to go back to Apr 2014.
Link: https://crt.sh/?dNSName=testslsslfeb20.me