On 4 November 2017 at 19:54, Kathleen Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On 11/4/17 5:36 AM, Daniel Cater wrote:
>
>> I notice that on https://crt.sh/mozilla-onecrl there are lots of
>> certificates that have recently been added to OneCRL from the .tg TLD
>> (Togo), including ones for high-profile domains such as google.tg. The
>> issuances occurred 3 days ago, on 1st November.
>>
>> I don't see a thread already for this here, or on
>> https://letsencrypt.org/blog/ so I thought I would start one.
>>
>> From the check-in comment "registry problems", I assume that this is a
>> problem with the TLD rather than with Let's Encrypt.
>>
>> As OneCRL and CRLSets are public this information is being noticed. There
>> is likely a large overlap between the people that read this group and the
>> people that monitor those lists. That said, be mindful of posting any
>> specific technical vulnerabilities or exploits which may not yet be patched.
>
> As you have noticed based on OneCRL and crt.sh, there was a problem with
> the *.tg registry, and SSL certificates were issued to domains in *.tg that
> probably should not have been issued. As you can see, the Let's Encrypt CA
> was made aware of the problem and has already responded by revoking the
> impacted certs, and we have added entries for those certs to OneCRL.
> Unfortunately, the CT data shows that other CAs also recently issued certs
> containing *.tg domains.
>
> I have not personally spoken with the people at the *.tg registry yet, but
> my understanding is that the problem has been fixed on their end.
>
> This is a new scenario to me -- having a problem at a registry that
> results in SSL certs being issued that otherwise would not have been
> issued. So I am trying to figure out how to respond to it. For example,
> should I send email to only the CAs who are showing up in CT and crt.sh as
> having issued SSL certs for the *.tg TLD within the past few days? Or
> should I send an email blast out to all CAs in Mozilla's program?
>
> I think those CAs need to re-validate their recently issued SSL certs that
> contain any *.tg domains, and possibly revoke such certs and send us the
> info so corresponding entries can be added to OneCRL. But, as this is new
> to me, I will appreciate thoughtful and constructive input in this.

Since CT is not (yet) compulsory, it seems you probably have to contact all CAs, doesn't it?

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
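The triage step Kathleen describes, working out from CT and crt.sh which CAs issued certificates containing *.tg names within the past few days so that the right CAs can be asked to re-validate or revoke, can be scripted over CT data. The Python below is an added example written for this page; it is not code from the thread, from Mozilla, or from crt.sh. The record field names (`issuer_name`, `name_value`, `not_before`) are an assumption about the shape of crt.sh's JSON output, and every sample entry is constructed for illustration.

```python
"""Group CT-logged certificates naming a TLD by issuing CA within a date window.

Added example for this thread, not the list's or crt.sh's own code. Field names
mirror what crt.sh's JSON output is assumed to use; the sample records are
constructed and do not correspond to real certificates.
"""
import json
from collections import defaultdict
from datetime import date, datetime

# Constructed sample CT records (assumed crt.sh-style JSON; nothing here is real).
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "name_value": "google.tg\nwww.google.tg", "not_before": "2017-11-01T10:12:03"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "name_value": "*.example.tg", "not_before": "2017-11-01T11:40:00"},
    {"id": 3, "issuer_name": "O=Example CA Inc, CN=Example DV CA",
     "name_value": "mail.example.tg", "not_before": "2017-11-02T08:00:00"},
    # Look-alike names that must NOT count as .tg: a different TLD and a label "tg".
    {"id": 4, "issuer_name": "O=Example CA Inc, CN=Example DV CA",
     "name_value": "example.tgx\ntg.example.com", "not_before": "2017-11-02T09:00:00"},
    # A genuine .tg cert issued before the incident window: excluded by date.
    {"id": 5, "issuer_name": "O=Other Trust, CN=Other DV CA",
     "name_value": "shop.example.tg", "not_before": "2017-10-20T00:00:00"},
])


def names_from_record(record):
    """crt.sh packs every SAN of one certificate into name_value, one per line."""
    return [n.strip().lower() for n in record["name_value"].split("\n") if n.strip()]


def under_tld(name, tld):
    """True when the name's last label is exactly `tld` (google.tg, *.foo.tg).

    A plain substring test would also match example.tgx or tg.example.com,
    which is why the check is on the final DNS label only.
    """
    labels = name.lower().split(".")
    return len(labels) >= 2 and labels[-1] == tld.lower().lstrip(".")


def issuers_for_tld(ct_json, tld, window_start, window_end):
    """Return {issuer_name: sorted list of names under `tld`} for certificates
    whose notBefore date lies in [window_start, window_end] (ISO date strings,
    inclusive). Records with no qualifying name are dropped."""
    start, end = date.fromisoformat(window_start), date.fromisoformat(window_end)
    hits = defaultdict(set)
    for record in json.loads(ct_json):
        issued = datetime.fromisoformat(record["not_before"]).date()
        if not (start <= issued <= end):
            continue
        matching = [n for n in names_from_record(record) if under_tld(n, tld)]
        if matching:
            hits[record["issuer_name"]].update(matching)
    return {issuer: sorted(names) for issuer, names in hits.items()}


if __name__ == "__main__":
    # Window chosen around the 1 November issuances mentioned in the thread.
    affected = issuers_for_tld(SAMPLE_CT_JSON, "tg", "2017-10-30", "2017-11-04")
    for issuer, names in affected.items():
        print(issuer)
        for n in names:
            print("    ", n)
```

The output is a per-CA list of the .tg names each issued in the window, which is the contact list for a targeted notification. Two caveats follow from the thread itself: matching on the final label avoids pulling in unrelated domains that merely contain "tg", and, as the reply notes, CT logging was not compulsory at the time, so a CA absent from this list may still have issued affected certificates.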