On Sunday, 25 September 2016 15:35:07 UTC+1, mono...@gmail.com wrote: > am I the only one who a) thinks this is slightly problematic and b) is > surprised that the cert still isn't revoked?
I don't know enough about the .sb ccTLD to be clear how problematic the described scenario is. I would certainly like to know more. Wikipedia tells me that .sb is operated like .uk used to be, with registrant domains appearing only as 3LDs e.g. you used to able to buy example.co.uk but not example.uk, so that having control of example.sb is itself exceptional, let alone www.sb It is important to me - as a relying party - to know if there is a problem in Comodo's domain validation which allows people to obtain certificates for names which they do not (or perhaps, depending how .sb is run, even cannot) control. It is not terribly important to me in principle which names are affected, but in practice the extent of the risk might influence Mozilla's decision as to what if anything should be done, by them or by Comodo. However right now it's the weekend, people who do this stuff as their day job, rather than an outside interest, may not have responded because they're busy watching televised sports or baking cakes. I will grow more concerned if there's no follow-up from anybody next week. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
