On 11/13/17 7:22 PM, Jakob Bohm wrote:
> Wouldn't the .tg incident be equally relevant for the e-mail trust bit?
> (In which case the first 3 options should say TLS/SSL/e-mail)

Good point. To make it easier, I removed "TLS/SSL", and changed text to
"certificates containing .tg domains".
Updated as follows:
~~
ACTION 8: Check for issuance of certificates containing .tg domains from
October 25 to November 2, 2017.
We believe that the .tg Registry was compromised from October 25 to
November 1, 2017, such that a perpetrator set the Name Server (NS)
Records for some domains to name servers controlled by them, and then
successfully obtained certificates for those domains.
Please check the certificates containing .tg domains that chain up to
your root certificates included in Mozilla's program to ensure that the
certificate subscriber actually owns the domains included in their
certificate.
Response Options:
- There are no certificates containing .tg domains that chain up to our
root certificates included in Mozilla's program.
- There are certificates containing .tg domains that chain up to our
root certificates included in Mozilla's program, but there were no new
validations on .tg domains from October 25 to November 2, 2017.
- There are certificates containing .tg domains that chain up to our
root certificates included in Mozilla's program, and we have re-verified
the certificates that were issued for .tg domains from October 25 to
November 2, 2017, and no problems were found.
- We have revoked certificates containing .tg domains that were issued
between October 25 and November 2, 2017, and have sent information about
these revoked certificates to Mozilla.
- Other - explain
~~
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy