RE: Incident Report - certificate with 'sb' as a SAN:dnsName

2016-11-10 Thread Robin Alden
Hi Hanno, Hanno Böck, on 04 October 2016 13:34, said.. > There seem to be more certificates of that kind that weren't mentioned > in the incident report. Here's a .re / www.re certificate (expired > 2015): > https://crt.sh/?id=4467456 > > Has comodo checked its systems for other certificates of

RE: Incident Report - certificate with 'sb' as a SAN:dnsName

2016-11-10 Thread Robin Alden
Gervase Markham, on 04 October 2016 07:10, said.. > Thank you for this report. > > On 27/09/16 02:07, Robin Alden wrote: > > When we use an 'agreed-upon change to website' method to prove > domain > > control, we consider proof of control of 'www.' as also > > proving control of '' (except where

Re: Incident Report - certificate with 'sb' as a SAN:dnsName

2016-11-03 Thread Gervase Markham
On 18/10/16 19:15, Rob Stradling wrote: > Hi Hanno. The questions that you and others have posted are entirely > reasonable. Sorry for the delay. Robin intends to post a reply this week. It seems like this reply has not yet appeared? I would like to make sure my initial question about "Where

Re: Incident Report - certificate with 'sb' as a SAN:dnsName

2016-10-18 Thread Rob Stradling
Hi Hanno. The questions that you and others have posted are entirely reasonable. Sorry for the delay. Robin intends to post a reply this week. On 15/10/16 16:56, Hanno Böck wrote: > Hello, > > I think I have asked two reasonable questions here. > Can we get an answer? > > On Tue, 4 Oct 2016

Re: Incident Report - certificate with 'sb' as a SAN:dnsName

2016-10-15 Thread Hanno Böck
Hello, I think I have asked two reasonable questions here. Can we get an answer? On Tue, 4 Oct 2016 14:33:38 +0200 Hanno Böck wrote: > There seem to be more certificates of that kind that weren't mentioned > in the incident report. Here's a .re / www.re certificate (expired >

Re: Incident Report - certificate with 'sb' as a SAN:dnsName

2016-10-06 Thread Peter Bowen
On Thu, Oct 6, 2016 at 7:33 AM, Peter Bowen wrote: > On Thu, Oct 6, 2016 at 7:29 AM, Rob Stradling > wrote: >> On 04/10/16 19:39, Peter Bowen wrote: >>> On Tue, Oct 4, 2016 at 6:29 AM, Rob Stradling >>> wrote: On

Re: Incident Report - certificate with 'sb' as a SAN:dnsName

2016-10-06 Thread Rob Stradling
On 04/10/16 19:39, Peter Bowen wrote: > On Tue, Oct 4, 2016 at 6:29 AM, Rob Stradling > wrote: >> On 04/10/16 13:18, Nick Lamb wrote: >>> On Tuesday, 4 October 2016 11:14:01 UTC+1, Rob Stradling wrote: Neither. I'd like to run cablint over all certs pre-issuance,

Re: Incident Report - certificate with 'sb' as a SAN:dnsName

2016-10-04 Thread Peter Bowen
On Tue, Oct 4, 2016 at 6:29 AM, Rob Stradling wrote: > On 04/10/16 13:18, Nick Lamb wrote: >> On Tuesday, 4 October 2016 11:14:01 UTC+1, Rob Stradling wrote: >>> Neither. I'd like to run cablint over all certs pre-issuance, but >>> unfortunately it's not practical to

Re: Incident Report - certificate with 'sb' as a SAN:dnsName

2016-10-04 Thread Rob Stradling
On 04/10/16 13:18, Nick Lamb wrote: > On Tuesday, 4 October 2016 11:14:01 UTC+1, Rob Stradling wrote: >> Neither. I'd like to run cablint over all certs pre-issuance, but >> unfortunately it's not practical to do this yet because 1) cablint is >> too slow and 2) there are some differences of

Re: Incident Report - certificate with 'sb' as a SAN:dnsName

2016-10-04 Thread Hanno Böck
Hi, There seem to be more certificates of that kind that weren't mentioned in the incident report. Here's a .re / www.re certificate (expired 2015): https://crt.sh/?id=4467456 Has comodo checked its systems for other certificates of that kind? Can you provide a full list of all such

Re: Incident Report - certificate with 'sb' as a SAN:dnsName

2016-10-04 Thread Nick Lamb
On Tuesday, 4 October 2016 11:14:01 UTC+1, Rob Stradling wrote: > Neither. I'd like to run cablint over all certs pre-issuance, but > unfortunately it's not practical to do this yet because 1) cablint is > too slow and 2) there are some differences of opinion that have been > discussed at

Re: Incident Report - certificate with 'sb' as a SAN:dnsName

2016-10-04 Thread Rob Stradling
On 04/10/16 11:51, Kurt Roeckx wrote: > On Tue, Oct 04, 2016 at 11:13:21AM +0100, Rob Stradling wrote: >> On 04/10/16 07:10, Gervase Markham wrote: >>> Does Comodo run cablint over all certificates post-issuance (or >>> pre-issuance)? >> >> Neither. I'd like to run cablint over all certs

Re: Incident Report - certificate with 'sb' as a SAN:dnsName

2016-10-04 Thread Kurt Roeckx
On Tue, Oct 04, 2016 at 11:13:21AM +0100, Rob Stradling wrote: > On 04/10/16 07:10, Gervase Markham wrote: > > >> [4] https://crt.sh/?cablint=1+week > > > > This URL is a 404. > > Sorry, crt.sh is a bit under the weather right now. Someone submitted a > batch of several million certs to the

Re: Incident Report - certificate with 'sb' as a SAN:dnsName

2016-10-04 Thread Rob Stradling
On 04/10/16 07:10, Gervase Markham wrote: >> [4] https://crt.sh/?cablint=1+week > > This URL is a 404. Sorry, crt.sh is a bit under the weather right now. Someone submitted a batch of several million certs to the Google CT logs, and this has rather overwhelmed the replication between crt.sh's

Re: Incident Report - certificate with 'sb' as a SAN:dnsName

2016-10-04 Thread Gervase Markham
Hi Robin, Thank you for this report. On 27/09/16 02:07, Robin Alden wrote: > When we use an 'agreed-upon change to website' method to prove domain > control, we consider proof of control of 'www.' as also > proving control of '' (except where '' is a > public suffix). > We don't give any other