Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

As you have quoted it, Let's Encrpyt's CPS says: "the CA is *entitled* to revoke the certificate" The key word is "entitled." Meaning that Let's Encrypt may revoke the certificate if they chose, but are not required to. Therefore not revoking the certificate is compatible with their CPS. It's

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

According to what I??ve known, ??Acknowledgment and Acceptance: An acknowledgment and acceptance that the CA is entitled to revoke the certificate immediately if the Applicant were to violate the terms of the Subscriber or Terms of Use Agreement or if the CA discovers that the Certificate is

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

On Fri, Feb 24, 2017 at 03:09:10AM +, Richard Wang via dev-security-policy wrote: > Do you think this site is an authentic site from Microsoft? > If it is a fake site, then CA should revoke the issued certificate. Why? - Matt ___

RE: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

Do you think this site is an authentic site from Microsoft? If it is a fake site, then CA should revoke the issued certificate. Best Regards, Richard -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Matt

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

On Fri, Feb 24, 2017 at 01:12:38AM +, Richard Wang via dev-security-policy wrote: > I am sure this site: https://www.microsoftonline.us.com/ is a phishing site > and a fade office 365 site that I wish LE can revoke this cert. Why? It works just fine over HTTP, too. - Matt

RE: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

I am sure this site: https://www.microsoftonline.us.com/ is a phishing site and a fade office 365 site that I wish LE can revoke this cert. Best Regards, Richard -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

This list hosted an extensive discussion on this issue in May of 2016, subject line "SSL Certs for Malicious Websites": https://groups.google.com/d/topic/mozilla.dev.security.polic y/vMrncPi3tx8/discussion Most (all?) of the people on this thread participated on that one, and said most (all?) of

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

On Thu, Feb 23, 2017 at 03:55:43AM +, Richard Wang via dev-security-policy wrote: > If "apple", "google", "Microsoft" is not a high risk domain, then I don’t > know which domain is high risk domain, maybe only "github". That's kinda the problem: you don't know, and neither does anyone else,

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

On Thu, Feb 23, 2017 at 01:55:40AM -0800, Nick Lamb via dev-security-policy wrote: > 1. Neither registries nor registrars in the DNS system would ordinarily > have control over the existence of sub-domains. In some cases the whole > _purpose_ of the registration is to create such sub-domains

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

On 22/02/17 17:08, Richard Wang wrote: > I think "apple-id-2.com" is a high risk domain that must be blocked to issue > DV SSL to those domains. I don't represent Let's Encrypt, but their policy on such things is relevant to this discussion, and it is here:

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

On Thursday, 23 February 2017 01:11:54 UTC, Richard Wang wrote: > https://crt.sh/?id=65208905 for google.ligboy.org Without wanting to jump on this pre-existing dogpile: This specific example is illustrative of two important factors that should be considered in examining the threat here: 1.

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

Rather than what you suggest, I think the following could be high risk: свiтова-пошта.info. xn--i--7kcbgb7fdinng1f.info. гooms17139.link. xn--ooms17139-uzh.link. мцяsц.lol. xn--s-wtb4ab7b.lol. сaентология.net. xn--a-ftbfnnlhbvn2m.net. aμ.net. xn--a-mmb.net. μc.net. xn--c-lmb.net. ωe.net.

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

On Thu, Feb 23, 2017 at 01:08:49AM +, Richard Wang via dev-security-policy wrote: > I think "apple-id-2.com" is a high risk domain that must be blocked to issue > DV SSL to those domains. Why? > Here is the list of some high risk domains related to Microsoft and Google > that Let's

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

Hi Richard, Peter's point is that there is no standard definition of a "high-risk" request." It is a term defined in Section 1.6.1: "High Risk Certificate Request: A Request that the CA flags for additional scrutiny by reference to internal criteria and databases maintained by the CA, which may

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

There is no definition or requirement for what a high risk domain is. That's the point/problem. WoSign may determine "apple", "google", "microsoft", and "github" as High Risk. Amazon may determine certificates issued on the first of the month are more likely to be High Risk (because it may be

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

Hi Richard, My point was that policy requirement simply states that there needs to be a procedure, but does not establish any normative requirements. For example, a CA could develop, maintain, and implement procedures which states that any certificate that is qualified as High Risk requires Gerv

RE: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

I don't agree this. If "apple", "google", "Microsoft" is not a high risk domain, then I don’t know which domain is high risk domain, maybe only "github". Best Regards, Richard -Original Message- From: Peter Bowen [mailto:pzbo...@gmail.com] Sent: Thursday, February 23, 2017 11:53 AM To:

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

On Wed, Feb 22, 2017 at 7:35 PM, Richard Wang via dev-security-policy wrote: > As I understand, the BR 4.2.1 required this: > > “The CA SHALL develop, maintain, and implement documented procedures that > identify and require additional verification activity

RE: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

Hi Ryan, As I understand, the BR 4.2.1 required this: “The CA SHALL develop, maintain, and implement documented procedures that identify and require additional verification activity for High Risk Certificate Requests prior to the Certificate’s approval, as reasonably necessary to ensure

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

Hi Richard, There's no policies in the Baseline Requirements or Mozilla Requirements that normalize or define high risk domain, which I believe your suggestion presupposes. Perhaps you (or Qihoo 360, as the voting member of the Forum of the Qihoo/WoSign/StartCom collection) would consider

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

On 2/22/17 7:30 PM, Gervase Markham wrote: > On Hacker News, Josh Aas writes: > > > > Update: Squarespace has confirmed that they did register the domain and > then released it after getting a certificate from us." In this case, should Squarespace have requested that the certificate be revoked

RE: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

I think "apple-id-2.com" is a high risk domain that must be blocked to issue DV SSL to those domains. Here is the list of some high risk domains related to Microsoft and Google that Let's Encrypt issued DV SSL certificates to those domains: https://crt.sh/?id=77034583 for

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

Yep, no issue here anymore. Josh Aas hadn't posted on hacker news when I sent this. Thanks, Tony Tony Zhaocheng Tan | t...@tonytan.io | PGP Key Original Message On Feb 22, 2017, 7:30 PM, Gervase Markham wrote: On 22/02/17 14:42, Tony Zhaocheng Tan wrote: > On 2017-01-03,

Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

On 22/02/17 14:42, Tony Zhaocheng Tan wrote: > On 2017-01-03, Let's Encrypt issued a certificate for apple-id-2.com. > However, until today, the domain apple-id-2.com has apparently never > been registered. How was the certificate issued? On Hacker News, Josh Aas writes: "Head of Let's Encrypt