On 11/6/17 3:40 AM, Ben Laurie wrote:
Since CT is not (yet) compulsory, it seems you probably have to contact all
CAs, doesn't it?
To close the loop on this...
I have added the following to the draft of the November 2017 CA
Communication.
~~
ACTION 8: Check for issuance of TLS/SSL certificates to .tg domains from
October 25 to November 2, 2017.
We believe that the .tg Registry was compromised from October 25 to
November 1, 2017, such that a perpetrator set the Name Server (NS)
Records for some domains to name servers controlled by them, and then
successfully obtained SSL certificates for those domains.
Please check the SSL certificates that were issued to .tg domains and
that chain up to your root certificates included in Mozilla's program to
ensure that the certificate subscriber actually owns the domains
included in their certificate.
Response Options:
- There are no TLS/SSL certificates issued to .tg domains that chain up
to our root certificates included in Mozilla's program.
- There are TLS/SSL certificates issued to .tg domains that chain up to
our root certificates included in Mozilla's program, but there were no
new validations on .tg domains from October 25 to November 2, 2017.
- There are TLS/SSL certificates issued to .tg domains that chain up to
our root certificates included in Mozilla's program, and we have
re-verified the certificates that were issued to .tg domains from
October 25 to November 2, 2017, and no problems were found.
- We have revoked certificates to .tg domains between October 25 and
November 2, 2017, and have sent information about these revoked
certificates to Mozilla.
- Not Applicable, because our root certificates do not have the Websites
trust bit enabled.
- Other - explain
~~
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy