Re: Violation report - Comodo CA certificates revocation delays
the scenes about this issue? I've noticed that the soft limit to fill an Incident Report expired more than a week ago, and I'm starting to be a bit worried that some of the evidence in the CT logs might disappear if the investigation is not completed before December 6th, the earliest expiration date among the affected certificates. Guillaume Fortin-Debigaré From: please please mailto:pleaseiwantt...@hotmail.com>> Sent: September 17, 2018 23:39 To: Wayne Thayer Cc: MDSP Subject: Re: Violation report - Comodo CA certificates revocation delays Good to know, and thank you very much for following up on this! Small update by the way: I finally received a reply from Comodo CA confirming their 2nd wave of revocations a few hours ago, on September 17 at 16:55 UTC to be exact. Strangely, it was in response to an email where I informed them that I had already noticed they fully completed my revocation request. I don't think it's a relevant detail but I wanted to mention it to avoid any potential confusion. Guillaume Fortin-Debigaré From: Wayne Thayer mailto:wtha...@mozilla.com>> Sent: September 17, 2018 20:09 To: pleaseiwantt...@hotmail.com<mailto:pleaseiwantt...@hotmail.com> Cc: MDSP Subject: Re: Violation report - Comodo CA certificates revocation delays I have created a bug and requested a response from Comodo: https://bugzilla.mozilla.org/show_bug.cgi?id=1492006 As noted, there are no specific requirements regarding how CAs validate revocation requests in the BRs. Every CA may do this however they choose, so I don't believe there is any action required in regard to DigiCert's response to their problem report. - Wayne On Sun, Sep 16, 2018 at 8:30 PM please please via dev-security-policy mailto:dev-security-policy@lists.mozilla.org>> wrote: Hello, I am the domain owner of debigare.com<http://debigare.com>. I would like to make you aware that Comodo CA took more than 5 days to revoke certificates they had signed for my domain and subdomains after requesting them to do through their sslabuse email address, past the 24 hours maximum mentioned in the Baseline Requirements as stipulated in section 4.9.1.1. For context, I was previously using Cloudflare's Universal SSL feature, but disabling it did not revoke the old certificates that had not yet expired, but simply removed them from its system, and some of the certificates were still valid for more than 6 months. I first attempted to contact Cloudflare's support to ask them to revoke the certificates themselves on September 6 at 7:43 UTC. This only led to irrelevant responses and confused customer support agents that had no idea what I was talking about, and this appeared to go nowhere. I eventually got a response from them on September 11 at 5:53 UTC that they would request CAs to perform the revocation, but that was after I did so myself, and I never got a status report back afterwards. There were two CAs affected by this issue. The vast majority of certificates were signed by Comodo CA, and the rest by DigiCert. I did not run into any issues with DigiCert (they in fact proactively checked with Cloudflare my claim and revoked the certificates before I even had the chance to attempt their domain ownership challenge), but Comodo CA was another story entirely. My first request to Comodo CA to revoke the certificates for debigare.com<http://debigare.com> and all of its subdomains was on September 8 at 4:37 UTC. I did not get a reply until September 9 at 15:53 UTC stating that the certificates have been revoked. Not only was this past the 24 hours requirement, but it was also false, as only the most recent certificates had been revoked, not all of them. I mentioned to them their mistake on September 10 at 5:55 UTC with a full list of affected certificates just in case my initial request was unclear to them, and never got a reply back. I did, however, notice that the certificates eventually got revoked on September 13 at 16:04 UTC according to their Certificate Transparency logs, a fact that I only discovered on September 15. Assuming the log is correct, that would be a delay of more than 3 days after notifying them of the incomplete revocation, more than 5 days after my initial request to them, and more than a week until I finally noticed the problem was fixed. It's also worth noting that throughout this entire series of events, Comodo CA never requested proof of domain ownership beyond the evidence I initially provided, so that cannot explain the delays. One detail that I'm not sure about is why my initial evidence for domain ownership was apparently sufficient for Comodo CA but not for DigiCert. On this regard, the only evidence I provided to both of them was that the email address I used to contact them matched the contact information on my website. (My emails were protected with SPF, DKIM and DMARC f
Re: Violation report - Comodo CA certificates revocation delays
I just noticed that Comodo CA has finally posted its incident report in https://bugzilla.mozilla.org/show_bug.cgi?id=1492006 Comments: - The report suggests that no BR violation occurred because I was not the Subscriber to fulfill the conditions in bullet point 1 of BR 4.9.1.1. However, I believe I fulfilled the conditions for triggering the 24 hours revocation anyway because of bullet point 6 of the same BR, which states "The CA is made aware of any circumstance indicating that use of a Fully Qualified Domain Name or IP address in the Certificate is no longer legally permitted (e.g. [...] a relevant licensing or services agreement between the Domain Name Registrant and the Applicant has terminated [...])", as I explicitly stated in my initial revocation request email that Cloudflare was no longer authorized to represent my domain but still controlled the private keys. - Comodo CA claims that my request was "potentially ambiguous", but did not explain in what regard, nor did they ever asked me for clarifications. I can only assume as of now that the issue was to get an exhaustive list of certificates as I ran into the same problem and could not do so efficiently myself, but assumed Comodo CA would have had the means necessary to extract them easily from their own data based on my request. - I'm concerned that the incident report was posted more than 2 months past Mozilla's soft deadline to do so, especially when considering that the incident was also about being late to take necessary action for a deadline. Let me know if you need additional information from me to complete your assessment of the incident. Guillaume Fortin-Debigaré From: please please Sent: October 11, 2018 19:19 To: Wayne Thayer Cc: MDSP Subject: Re: Violation report - Comodo CA certificates revocation delays I was under the impression that CAs were allowed to remove CRL entries and OCSP support for expired certificates for some reason. Good to know! On a slightly-unrelated note, you might also want to poke Comodo CA about https://bugzilla.mozilla.org/show_bug.cgi?id=1461391 Thanks again! Guillaume Fortin-Debigaré From: Wayne Thayer Sent: October 11, 2018 13:53 To: pleaseiwantt...@hotmail.com Cc: MDSP Subject: Re: Violation report - Comodo CA certificates revocation delays I just poked Comodo in the bug - https://bugzilla.mozilla.org/show_bug.cgi?id=1492006 CT Logs are designed such that certificates cannot be removed from them. The evidence will not disappear once the certificates expire. On Wed, Oct 10, 2018 at 5:26 PM please please mailto:pleaseiwantt...@hotmail.com>> wrote: Any update behind the scenes about this issue? I've noticed that the soft limit to fill an Incident Report expired more than a week ago, and I'm starting to be a bit worried that some of the evidence in the CT logs might disappear if the investigation is not completed before December 6th, the earliest expiration date among the affected certificates. Guillaume Fortin-Debigaré From: please please mailto:pleaseiwantt...@hotmail.com>> Sent: September 17, 2018 23:39 To: Wayne Thayer Cc: MDSP Subject: Re: Violation report - Comodo CA certificates revocation delays Good to know, and thank you very much for following up on this! Small update by the way: I finally received a reply from Comodo CA confirming their 2nd wave of revocations a few hours ago, on September 17 at 16:55 UTC to be exact. Strangely, it was in response to an email where I informed them that I had already noticed they fully completed my revocation request. I don't think it's a relevant detail but I wanted to mention it to avoid any potential confusion. Guillaume Fortin-Debigaré From: Wayne Thayer mailto:wtha...@mozilla.com>> Sent: September 17, 2018 20:09 To: pleaseiwantt...@hotmail.com<mailto:pleaseiwantt...@hotmail.com> Cc: MDSP Subject: Re: Violation report - Comodo CA certificates revocation delays I have created a bug and requested a response from Comodo: https://bugzilla.mozilla.org/show_bug.cgi?id=1492006 As noted, there are no specific requirements regarding how CAs validate revocation requests in the BRs. Every CA may do this however they choose, so I don't believe there is any action required in regard to DigiCert's response to their problem report. - Wayne On Sun, Sep 16, 2018 at 8:30 PM please please via dev-security-policy mailto:dev-security-policy@lists.mozilla.org>> wrote: Hello, I am the domain owner of debigare.com<http://debigare.com>. I would like to make you aware that Comodo CA took more than 5 days to revoke certificates they had signed for my domain and subdomains after requesting them to do through their sslabuse email address, past the 24 hours maximum mentioned in the Baseline Requirements as stipulated in section 4.9.1.1. For co
Re: Violation report - Comodo CA certificates revocation delays
I was under the impression that CAs were allowed to remove CRL entries and OCSP support for expired certificates for some reason. Good to know! On a slightly-unrelated note, you might also want to poke Comodo CA about https://bugzilla.mozilla.org/show_bug.cgi?id=1461391 Thanks again! Guillaume Fortin-Debigaré From: Wayne Thayer Sent: October 11, 2018 13:53 To: pleaseiwantt...@hotmail.com Cc: MDSP Subject: Re: Violation report - Comodo CA certificates revocation delays I just poked Comodo in the bug - https://bugzilla.mozilla.org/show_bug.cgi?id=1492006 CT Logs are designed such that certificates cannot be removed from them. The evidence will not disappear once the certificates expire. On Wed, Oct 10, 2018 at 5:26 PM please please mailto:pleaseiwantt...@hotmail.com>> wrote: Any update behind the scenes about this issue? I've noticed that the soft limit to fill an Incident Report expired more than a week ago, and I'm starting to be a bit worried that some of the evidence in the CT logs might disappear if the investigation is not completed before December 6th, the earliest expiration date among the affected certificates. Guillaume Fortin-Debigaré From: please please mailto:pleaseiwantt...@hotmail.com>> Sent: September 17, 2018 23:39 To: Wayne Thayer Cc: MDSP Subject: Re: Violation report - Comodo CA certificates revocation delays Good to know, and thank you very much for following up on this! Small update by the way: I finally received a reply from Comodo CA confirming their 2nd wave of revocations a few hours ago, on September 17 at 16:55 UTC to be exact. Strangely, it was in response to an email where I informed them that I had already noticed they fully completed my revocation request. I don't think it's a relevant detail but I wanted to mention it to avoid any potential confusion. Guillaume Fortin-Debigaré From: Wayne Thayer mailto:wtha...@mozilla.com>> Sent: September 17, 2018 20:09 To: pleaseiwantt...@hotmail.com<mailto:pleaseiwantt...@hotmail.com> Cc: MDSP Subject: Re: Violation report - Comodo CA certificates revocation delays I have created a bug and requested a response from Comodo: https://bugzilla.mozilla.org/show_bug.cgi?id=1492006 As noted, there are no specific requirements regarding how CAs validate revocation requests in the BRs. Every CA may do this however they choose, so I don't believe there is any action required in regard to DigiCert's response to their problem report. - Wayne On Sun, Sep 16, 2018 at 8:30 PM please please via dev-security-policy mailto:dev-security-policy@lists.mozilla.org>> wrote: Hello, I am the domain owner of debigare.com<http://debigare.com>. I would like to make you aware that Comodo CA took more than 5 days to revoke certificates they had signed for my domain and subdomains after requesting them to do through their sslabuse email address, past the 24 hours maximum mentioned in the Baseline Requirements as stipulated in section 4.9.1.1. For context, I was previously using Cloudflare's Universal SSL feature, but disabling it did not revoke the old certificates that had not yet expired, but simply removed them from its system, and some of the certificates were still valid for more than 6 months. I first attempted to contact Cloudflare's support to ask them to revoke the certificates themselves on September 6 at 7:43 UTC. This only led to irrelevant responses and confused customer support agents that had no idea what I was talking about, and this appeared to go nowhere. I eventually got a response from them on September 11 at 5:53 UTC that they would request CAs to perform the revocation, but that was after I did so myself, and I never got a status report back afterwards. There were two CAs affected by this issue. The vast majority of certificates were signed by Comodo CA, and the rest by DigiCert. I did not run into any issues with DigiCert (they in fact proactively checked with Cloudflare my claim and revoked the certificates before I even had the chance to attempt their domain ownership challenge), but Comodo CA was another story entirely. My first request to Comodo CA to revoke the certificates for debigare.com<http://debigare.com> and all of its subdomains was on September 8 at 4:37 UTC. I did not get a reply until September 9 at 15:53 UTC stating that the certificates have been revoked. Not only was this past the 24 hours requirement, but it was also false, as only the most recent certificates had been revoked, not all of them. I mentioned to them their mistake on September 10 at 5:55 UTC with a full list of affected certificates just in case my initial request was unclear to them, and never got a reply back. I did, however, notice that the certificates eventually got revoked on September 13 at 16:04 UTC according to their Certificate Transparency logs, a
Re: Violation report - Comodo CA certificates revocation delays
Any update behind the scenes about this issue? I've noticed that the soft limit to fill an Incident Report expired more than a week ago, and I'm starting to be a bit worried that some of the evidence in the CT logs might disappear if the investigation is not completed before December 6th, the earliest expiration date among the affected certificates. Guillaume Fortin-Debigaré From: please please Sent: September 17, 2018 23:39 To: Wayne Thayer Cc: MDSP Subject: Re: Violation report - Comodo CA certificates revocation delays Good to know, and thank you very much for following up on this! Small update by the way: I finally received a reply from Comodo CA confirming their 2nd wave of revocations a few hours ago, on September 17 at 16:55 UTC to be exact. Strangely, it was in response to an email where I informed them that I had already noticed they fully completed my revocation request. I don't think it's a relevant detail but I wanted to mention it to avoid any potential confusion. Guillaume Fortin-Debigaré From: Wayne Thayer Sent: September 17, 2018 20:09 To: pleaseiwantt...@hotmail.com Cc: MDSP Subject: Re: Violation report - Comodo CA certificates revocation delays I have created a bug and requested a response from Comodo: https://bugzilla.mozilla.org/show_bug.cgi?id=1492006 As noted, there are no specific requirements regarding how CAs validate revocation requests in the BRs. Every CA may do this however they choose, so I don't believe there is any action required in regard to DigiCert's response to their problem report. - Wayne On Sun, Sep 16, 2018 at 8:30 PM please please via dev-security-policy mailto:dev-security-policy@lists.mozilla.org>> wrote: Hello, I am the domain owner of debigare.com<http://debigare.com>. I would like to make you aware that Comodo CA took more than 5 days to revoke certificates they had signed for my domain and subdomains after requesting them to do through their sslabuse email address, past the 24 hours maximum mentioned in the Baseline Requirements as stipulated in section 4.9.1.1. For context, I was previously using Cloudflare's Universal SSL feature, but disabling it did not revoke the old certificates that had not yet expired, but simply removed them from its system, and some of the certificates were still valid for more than 6 months. I first attempted to contact Cloudflare's support to ask them to revoke the certificates themselves on September 6 at 7:43 UTC. This only led to irrelevant responses and confused customer support agents that had no idea what I was talking about, and this appeared to go nowhere. I eventually got a response from them on September 11 at 5:53 UTC that they would request CAs to perform the revocation, but that was after I did so myself, and I never got a status report back afterwards. There were two CAs affected by this issue. The vast majority of certificates were signed by Comodo CA, and the rest by DigiCert. I did not run into any issues with DigiCert (they in fact proactively checked with Cloudflare my claim and revoked the certificates before I even had the chance to attempt their domain ownership challenge), but Comodo CA was another story entirely. My first request to Comodo CA to revoke the certificates for debigare.com<http://debigare.com> and all of its subdomains was on September 8 at 4:37 UTC. I did not get a reply until September 9 at 15:53 UTC stating that the certificates have been revoked. Not only was this past the 24 hours requirement, but it was also false, as only the most recent certificates had been revoked, not all of them. I mentioned to them their mistake on September 10 at 5:55 UTC with a full list of affected certificates just in case my initial request was unclear to them, and never got a reply back. I did, however, notice that the certificates eventually got revoked on September 13 at 16:04 UTC according to their Certificate Transparency logs, a fact that I only discovered on September 15. Assuming the log is correct, that would be a delay of more than 3 days after notifying them of the incomplete revocation, more than 5 days after my initial request to them, and more than a week until I finally noticed the problem was fixed. It's also worth noting that throughout this entire series of events, Comodo CA never requested proof of domain ownership beyond the evidence I initially provided, so that cannot explain the delays. One detail that I'm not sure about is why my initial evidence for domain ownership was apparently sufficient for Comodo CA but not for DigiCert. On this regard, the only evidence I provided to both of them was that the email address I used to contact them matched the contact information on my website. (My emails were protected with SPF, DKIM and DMARC for authenticity.) For some reason, DigiCert believed that this evidence did not met the Baseline R
Re: Violation report - Comodo CA certificates revocation delays
Good to know, and thank you very much for following up on this! Small update by the way: I finally received a reply from Comodo CA confirming their 2nd wave of revocations a few hours ago, on September 17 at 16:55 UTC to be exact. Strangely, it was in response to an email where I informed them that I had already noticed they fully completed my revocation request. I don't think it's a relevant detail but I wanted to mention it to avoid any potential confusion. Guillaume Fortin-Debigaré From: Wayne Thayer Sent: September 17, 2018 20:09 To: pleaseiwantt...@hotmail.com Cc: MDSP Subject: Re: Violation report - Comodo CA certificates revocation delays I have created a bug and requested a response from Comodo: https://bugzilla.mozilla.org/show_bug.cgi?id=1492006 As noted, there are no specific requirements regarding how CAs validate revocation requests in the BRs. Every CA may do this however they choose, so I don't believe there is any action required in regard to DigiCert's response to their problem report. - Wayne On Sun, Sep 16, 2018 at 8:30 PM please please via dev-security-policy mailto:dev-security-policy@lists.mozilla.org>> wrote: Hello, I am the domain owner of debigare.com<http://debigare.com>. I would like to make you aware that Comodo CA took more than 5 days to revoke certificates they had signed for my domain and subdomains after requesting them to do through their sslabuse email address, past the 24 hours maximum mentioned in the Baseline Requirements as stipulated in section 4.9.1.1. For context, I was previously using Cloudflare's Universal SSL feature, but disabling it did not revoke the old certificates that had not yet expired, but simply removed them from its system, and some of the certificates were still valid for more than 6 months. I first attempted to contact Cloudflare's support to ask them to revoke the certificates themselves on September 6 at 7:43 UTC. This only led to irrelevant responses and confused customer support agents that had no idea what I was talking about, and this appeared to go nowhere. I eventually got a response from them on September 11 at 5:53 UTC that they would request CAs to perform the revocation, but that was after I did so myself, and I never got a status report back afterwards. There were two CAs affected by this issue. The vast majority of certificates were signed by Comodo CA, and the rest by DigiCert. I did not run into any issues with DigiCert (they in fact proactively checked with Cloudflare my claim and revoked the certificates before I even had the chance to attempt their domain ownership challenge), but Comodo CA was another story entirely. My first request to Comodo CA to revoke the certificates for debigare.com<http://debigare.com> and all of its subdomains was on September 8 at 4:37 UTC. I did not get a reply until September 9 at 15:53 UTC stating that the certificates have been revoked. Not only was this past the 24 hours requirement, but it was also false, as only the most recent certificates had been revoked, not all of them. I mentioned to them their mistake on September 10 at 5:55 UTC with a full list of affected certificates just in case my initial request was unclear to them, and never got a reply back. I did, however, notice that the certificates eventually got revoked on September 13 at 16:04 UTC according to their Certificate Transparency logs, a fact that I only discovered on September 15. Assuming the log is correct, that would be a delay of more than 3 days after notifying them of the incomplete revocation, more than 5 days after my initial request to them, and more than a week until I finally noticed the problem was fixed. It's also worth noting that throughout this entire series of events, Comodo CA never requested proof of domain ownership beyond the evidence I initially provided, so that cannot explain the delays. One detail that I'm not sure about is why my initial evidence for domain ownership was apparently sufficient for Comodo CA but not for DigiCert. On this regard, the only evidence I provided to both of them was that the email address I used to contact them matched the contact information on my website. (My emails were protected with SPF, DKIM and DMARC for authenticity.) For some reason, DigiCert believed that this evidence did not met the Baseline Requirements for my request, a claim that I am currently unable to verify as I cannot find anything of the sort in them. You can read the full story on my blog, which I hope will be sufficient to prove my identity: https://www.debigare.com/4-unexpected-issues-i-encountered-upon-switching-web-hosts/ I can also provide a full copy of the email exchange I had with Comodo CA as evidence on request. Guillaume Fortin-Debigaré ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org<mailt
Violation report - Comodo CA certificates revocation delays
Hello, I am the domain owner of debigare.com. I would like to make you aware that Comodo CA took more than 5 days to revoke certificates they had signed for my domain and subdomains after requesting them to do through their sslabuse email address, past the 24 hours maximum mentioned in the Baseline Requirements as stipulated in section 4.9.1.1. For context, I was previously using Cloudflare's Universal SSL feature, but disabling it did not revoke the old certificates that had not yet expired, but simply removed them from its system, and some of the certificates were still valid for more than 6 months. I first attempted to contact Cloudflare's support to ask them to revoke the certificates themselves on September 6 at 7:43 UTC. This only led to irrelevant responses and confused customer support agents that had no idea what I was talking about, and this appeared to go nowhere. I eventually got a response from them on September 11 at 5:53 UTC that they would request CAs to perform the revocation, but that was after I did so myself, and I never got a status report back afterwards. There were two CAs affected by this issue. The vast majority of certificates were signed by Comodo CA, and the rest by DigiCert. I did not run into any issues with DigiCert (they in fact proactively checked with Cloudflare my claim and revoked the certificates before I even had the chance to attempt their domain ownership challenge), but Comodo CA was another story entirely. My first request to Comodo CA to revoke the certificates for debigare.com and all of its subdomains was on September 8 at 4:37 UTC. I did not get a reply until September 9 at 15:53 UTC stating that the certificates have been revoked. Not only was this past the 24 hours requirement, but it was also false, as only the most recent certificates had been revoked, not all of them. I mentioned to them their mistake on September 10 at 5:55 UTC with a full list of affected certificates just in case my initial request was unclear to them, and never got a reply back. I did, however, notice that the certificates eventually got revoked on September 13 at 16:04 UTC according to their Certificate Transparency logs, a fact that I only discovered on September 15. Assuming the log is correct, that would be a delay of more than 3 days after notifying them of the incomplete revocation, more than 5 days after my initial request to them, and more than a week until I finally noticed the problem was fixed. It's also worth noting that throughout this entire series of events, Comodo CA never requested proof of domain ownership beyond the evidence I initially provided, so that cannot explain the delays. One detail that I'm not sure about is why my initial evidence for domain ownership was apparently sufficient for Comodo CA but not for DigiCert. On this regard, the only evidence I provided to both of them was that the email address I used to contact them matched the contact information on my website. (My emails were protected with SPF, DKIM and DMARC for authenticity.) For some reason, DigiCert believed that this evidence did not met the Baseline Requirements for my request, a claim that I am currently unable to verify as I cannot find anything of the sort in them. You can read the full story on my blog, which I hope will be sufficient to prove my identity: https://www.debigare.com/4-unexpected-issues-i-encountered-upon-switching-web-hosts/ I can also provide a full copy of the email exchange I had with Comodo CA as evidence on request. Guillaume Fortin-Debigaré ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
