Hi,

There seem to be more certificates of that kind that weren't mentioned
in the incident report. Here's a .re / www.re certificate (expired
2015):
https://crt.sh/?id=4467456

Has Comodo checked its systems for other certificates of that kind? Can
you provide a full list of all such certificates?


Also my understanding is that the error here was that control over the
www.[domain] subdomain would indicate control over [domain]. Does that
mean that this bug could've been used to also get wildcard certificates
in the form of *.[tld]?

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
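
Added example, not part of the original message and not Comodo's code: a sketch of the "www.[domain] implies [domain]" rule as the message describes it, next to a guarded variant, plus an audit pass over certificate names like the one the message asks for. All function names are hypothetical, and `PUBLIC_SUFFIXES` is a constructed subset standing in for the full Public Suffix List.

```python
# Constructed subset of the Public Suffix List; a real audit loads the full list.
PUBLIC_SUFFIXES = {"re", "com", "uk", "co.uk"}


def normalize(name):
    """Lower-case a DNS name and drop surrounding whitespace and a trailing dot."""
    return name.strip().rstrip(".").lower()


def is_public_suffix(name):
    return normalize(name) in PUBLIC_SUFFIXES


def implied_names_flawed(validated):
    """Rule as described in the message: control of www.X is taken as control of X."""
    name = normalize(validated)
    names = [name]
    if name.startswith("www."):
        names.append(name[4:])  # no check that X is a registrable domain
    return names


def implied_names_guarded(validated):
    """Same rule, but never extend validation to a public suffix such as 're'."""
    name = normalize(validated)
    names = [name]
    if name.startswith("www.") and not is_public_suffix(name[4:]):
        names.append(name[4:])
    return names


def audit_certificate_names(san_list):
    """Flag names that are a public suffix, or a wildcard directly under one."""
    findings = []
    for raw in san_list:
        name = normalize(raw)
        if name.startswith("*."):
            if is_public_suffix(name[2:]):
                findings.append((name, "wildcard directly under public suffix"))
        elif is_public_suffix(name):
            findings.append((name, "name is a public suffix"))
    return findings


if __name__ == "__main__":
    # Constructed name sets, modelled on the .re / www.re case in the message.
    for sans in (["re", "www.re"], ["example.com", "www.example.com"], ["*.co.uk"]):
        print(sans, "->", audit_certificate_names(sans))
```
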
