On 17/07/2017 21:27, Nick Lamb wrote:
> On Monday, 17 July 2017 16:22:22 UTC+1, Ben Wilson wrote:
>> Thank you for bringing this to our attention.  We have contacted Intesa
>> Sanpaolo regarding this error and have asked them to correct it as soon as
>> possible.
>
> "Correcting" the error is surely the smaller of the two tasks ahead.


Depends if the only error is allowing double dots (while correctly
validating the domain as if spelled without the extra dot).  Things are
much worse if double dots bypass domain validation completely.

Since at least two CA systems have now been found to accept double dots,
where only single dots should be allowed, it is reasonable to assume
that some relying parties also allow double dots.  This makes it
essential that any certificates with this syntax error have been
completely validated for the equivalent single-dotted name.

I also notice that this is apparently an unconstrained
intermediate/SubCA.

Since this appears to be a certificate for the cert holder's own domains,
it is also possible domain validation was done manually, as in "we know
first hand that we control these domains", making this an OV cert, not a
DV cert.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
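
Added example, not part of the original message or of any CA's tooling: a small lint for SAN dNSName strings that flags empty labels (double dots) and, when that is the only defect, returns the single-dotted equivalent whose validation evidence would need to exist. The function names, the LDH label rule, the leftmost-wildcard allowance and the sample names are assumptions made for this illustration.

```python
import re

# Assumed rule: LDH label, 1-63 characters, no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def lint_dns_name(name):
    """Return (problems, collapsed) for one SAN dNSName string.

    problems  - list of syntax findings; empty means the name is well formed
    collapsed - the single-dotted equivalent when empty labels are the only
                defect, i.e. the name that should have been validated;
                None in every other case
    """
    problems = []
    if not name or len(name) > 253:
        problems.append("bad overall length")
    labels = name.split(".")
    empty = [i for i, lab in enumerate(labels) if lab == ""]
    if empty:
        problems.append("empty label at position(s) %s" % empty)
    for i, lab in enumerate(labels):
        if lab == "" or (lab == "*" and i == 0):
            continue  # empties reported above; leftmost wildcard is allowed
        if not _LABEL.fullmatch(lab):
            problems.append("invalid label %r" % lab)
    collapsed = None
    non_empty = [lab for lab in labels if lab]
    if empty and len(problems) == 1 and non_empty:
        collapsed = ".".join(non_empty)
    return problems, collapsed


# Constructed sample names (placeholders, not taken from the thread).
SAMPLES = ["www.example.com", "www..example.com", "*.example.com",
           "example.com.", "-bad.example.com", "a..b_c.example.com"]


def audit(names):
    """Map each name to its lint result."""
    return {n: lint_dns_name(n) for n in names}


if __name__ == "__main__":
    for n, (problems, collapsed) in audit(SAMPLES).items():
        print(n, "->", problems or "ok", "| validate as:", collapsed)
```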
