Re: Incapsula via GlobalSign issued[ing] a certificate for non-existing domain (testslsslfeb20.me)

2017-04-25 Thread douglas.beattie--- via dev-security-policy
Misissuance Report
On February 25th 2017, we received a report that there was a SAN in an Incapsula OV certificate (specifically an OV certificate issued via the GlobalSign CloudSSL product) for a domain that is no longer registered (testsslfeb20.me).
1) GlobalSign CloudSSL product

Re: Incapsula via GlobalSign issued[ing] a certificate for non-existing domain (testslsslfeb20.me)

2017-03-16 Thread Gervase Markham via dev-security-policy
On 03/03/17 20:59, douglas.beat...@gmail.com wrote:
> In general, when we receive new orders and issue certificates, the vetting is done just prior to issuance time which permits the certificate to be replaced up until expiration. We're looking into cases where new "orders" may have used

Re: Incapsula via GlobalSign issued[ing] a certificate for non-existing domain (testslsslfeb20.me)

2017-03-03 Thread douglas.beattie--- via dev-security-policy
I wanted to send out a short update of where we are on looking into the reported Incapsula/testslsslfeb20.me certificate and the thread of comments and questions above. In this specific case the domain was verified within 39 months of issuance/reissuance (no difference as Ryan pointed out). In

Re: Incapsula via GlobalSign issued[ing] a certificate for non-existing domain (testslsslfeb20.me)

2017-03-03 Thread Nick Lamb via dev-security-policy
On Friday, 3 March 2017 07:49:28 UTC, Ryan Sleevi wrote:
> It is not acceptable. It's explicitly prohibited multiple ways to allow more than 24 hours when such situations are brought to the CAs' attention.
I'm sympathetic to the idea, here and in all cases where we have no reason to suppose

Re: Incapsula via GlobalSign issued[ing] a certificate for non-existing domain (testslsslfeb20.me)

2017-03-02 Thread Ryan Sleevi via dev-security-policy
Hi Jakob,
On Thu, Mar 2, 2017 at 9:14 PM, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> I read his previous answer as saying that the system will in no case extend the validity of a validation beyond the duration of the certificate in which it was

Re: Incapsula via GlobalSign issued[ing] a certificate for non-existing domain (testslsslfeb20.me)

2017-03-02 Thread Jakob Bohm via dev-security-policy
On 02/03/2017 00:59, Ryan Sleevi wrote: On Wed, Mar 1, 2017 at 12:12 PM, douglas.beattie--- via dev-security-policy wrote: On Wednesday, March 1, 2017 at 8:26:34 AM UTC-5, Peter Kurrasch wrote: Would it be possible to get a more precise answer other

Re: Incapsula via GlobalSign issued[ing] a certificate for non-existing domain (testslsslfeb20.me)

2017-03-01 Thread douglas.beattie--- via dev-security-policy
On Wednesday, March 1, 2017 at 8:26:34 AM UTC-5, Peter Kurrasch wrote:
> Would it be possible to get a more precise answer other than "in accordance with"? I am left to assume that in fact no verification was performed because the previous verification was in the 39 month window.
For this

Re: Incapsula via GlobalSign issued[ing] a certificate for non-existing domain (testslsslfeb20.me)

2017-03-01 Thread Peter Kurrasch via dev-security-policy
Would it be possible to get a more precise answer other than "in accordance with"? I am left to assume that in fact no verification was performed because the previous verification was in the 39 month window.
Original Message
From: douglas.beattie--- via dev-security-policy
Sent: Tuesday,

Re: Incapsula via GlobalSign issued[ing] a certificate for non-existing domain (testslsslfeb20.me)

2017-02-28 Thread Itzhak Daniel via dev-security-policy
On Tuesday, February 28, 2017 at 6:00:47 PM UTC+2, Nick Lamb wrote:
> This is useful independent evidence that (at least some of) the names did exist at one time.
The problem is that they're "re-keying" certificates for domains that are no longer in control of their subscribers (as Andrew

Re: Incapsula via GlobalSign issued[ing] a certificate for non-existing domain (testslsslfeb20.me)

2017-02-28 Thread Nick Lamb via dev-security-policy
On Tuesday, 28 February 2017 16:00:47 UTC, Nick Lamb wrote:
> e.g. http://domaingraveyard.com/list/2016-05-10.txt
Typical, I posted that and then I checked from another browser and it now gives an access error. Anyway, there are others of the same ilk out there, these names (at least some of

Re: Incapsula via GlobalSign issued[ing] a certificate for non-existing domain (testslsslfeb20.me)

2017-02-28 Thread Nick Lamb via dev-security-policy
On Tuesday, 28 February 2017 12:29:30 UTC, Itzhak Daniel wrote:
> I also would like to have an official reply from GlobalSign saying that "on the date they issue the certificate the domain exists".
Doug/ GlobalSign has responded but I'll mention here that lists of recently abandoned domain

Re: Incapsula via GlobalSign issued[ing] a certificate for non-existing domain (testslsslfeb20.me)

2017-02-28 Thread douglas.beattie--- via dev-security-policy
On Tuesday, February 28, 2017 at 7:29:30 AM UTC-5, Itzhak Daniel wrote:
> On Tuesday, February 28, 2017 at 1:38:25 PM UTC+2, Gervase Markham wrote:
> > I think that without more evidence we must assume that GlobalSign validated this domain correctly at a time when it existed.
>
> There are

Re: Incapsula via GlobalSign issued[ing] a certificate for non-existing domain (testslsslfeb20.me)

2017-02-28 Thread Itzhak Daniel via dev-security-policy
On Tuesday, February 28, 2017 at 1:38:25 PM UTC+2, Gervase Markham wrote:
> I think that without more evidence we must assume that GlobalSign validated this domain correctly at a time when it existed.
There are many more test*.* domains, none of those (about 10) I checked exist. I will compose

Re: Incapsula via GlobalSign issued[ing] a certificate for non-existing domain (testslsslfeb20.me)

2017-02-28 Thread Gervase Markham via dev-security-policy
On 26/02/17 00:50, Itzhak Daniel wrote:
> I talked with Ofer from Incapsula, he said the domain existed at some point. Does someone have access to domain tools or another tool to verify this matter? Based on domaintools I can say the domain did exist but I can't tell when it ceased to exist.
I think

Re: Incapsula via GlobalSign issued[ing] a certificate for non-existing domain (testslsslfeb20.me)

2017-02-25 Thread Itzhak Daniel via dev-security-policy
I talked with Ofer from Incapsula, he said the domain existed at some point. Does someone have access to domain tools or another tool to verify this matter? Based on domaintools I can say the domain did exist but I can't tell when it ceased to exist.