> On Sep 5, 2016, at 16:25, hanyuwe...@gmail.com wrote:
> 
> I thought WoSign's report is not very convincing. The bug with subdomains has 
> existed for a long time, and it made me feel it was a feature, not a bug. It's 
> not a secret among the admins of personal or small sites. I was not very 
> familiar with CA stuff at that time, just a subscriber of WoSign's free 
> certificates. I have also signed a subdomain certificate without validating root 
> domain control. But I controlled both of them, so I didn't think it was a very 
> severe problem.
> 
> So I think it is very important to audit how many certificates were mis-issued by 
> WoSign, because this bug was used widely when I was running websites, since WoSign 
> provided FREE 3-year multi-domain certificates at that time. (We didn't have Let's 
> Encrypt at that time, and StartCom just issued single-domain certificates.)

Do you believe that you have certificates issued by WoSign that include 
unvalidated domains that are not on the list in Figure 14 of the report[0]?

To clarify: validating a subdomain and issuing a certificate for it is fine; 
however, it is incorrect to issue a certificate for a domain above the level 
that was validated. For example, if control of subdomain.example.com is the 
only thing validated, it would be incorrect to issue a certificate that 
included example.com or any other domains that did not end in 
.subdomain.example.com.

[0] https://www.wosign.com/report/wosign_incidents_report_09042016.pdf
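The rule in the reply above, written as an audit check over a certificate's SAN list; this is an added example, not code from the thread or from WoSign, and the domain names in it are constructed.

```python
# Added example (not from the thread): flag SANs in a certificate that are not
# covered by a domain whose control was actually validated. A SAN is covered
# only if it equals a validated domain or sits strictly below it in the DNS
# tree; a parent (example.com) or an unrelated suffix match (evilexample.com)
# is not covered. Domain names used below are constructed for illustration.

def _normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so comparisons are consistent."""
    return name.strip().rstrip(".").lower()


def is_covered(san: str, validated: str) -> bool:
    """True if `san` equals `validated` or ends with '.' + `validated`.

    A wildcard SAN (*.foo.example.com) is covered when its base (foo.example.com)
    is covered, since it only names hosts below that base. The check is done on
    a label boundary: 'notsubdomain.example.com' is not under 'subdomain.example.com'
    even though it ends with 'subdomain.example.com'.
    """
    san, validated = _normalize(san), _normalize(validated)
    if san.startswith("*."):
        san = san[2:]
    return san == validated or san.endswith("." + validated)


def unvalidated_names(san_list, validated_domains):
    """Return every SAN not covered by any validated domain (ideally empty)."""
    return [s for s in san_list
            if not any(is_covered(s, v) for v in validated_domains)]


if __name__ == "__main__":
    # Constructed case matching the reply: only subdomain.example.com validated.
    validated = ["subdomain.example.com"]
    sans = ["subdomain.example.com", "www.subdomain.example.com",
            "*.subdomain.example.com", "example.com",
            "notsubdomain.example.com", "*.example.com"]
    for name in unvalidated_names(sans, validated):
        print("not covered by validation:", name)
```

Running the block lists example.com, notsubdomain.example.com and *.example.com as names that the validation of subdomain.example.com does not cover.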
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
