On Tuesday, November 14, 2017 at 8:31:34 AM UTC-8, Kathleen Wilson wrote:
> On 11/14/17 4:34 AM, douglas...@gmail.com wrote:
> > 
> > Do we believe that this issue has been resolved by the Registry and 
> > issuance can resume as normal, or are there ongoing concerns which CAs 
> > should be aware of when issuing certificates to .tg domains?
> 
> Based on information from folks that are monitoring their NS Records, we 
> believe that the .tg Registry problems were fixed on November 1, and 
> have remained fixed since then.

Let's Encrypt disabled issuance to .tg on November 1 as a protective measure. 
The block remains in place. We'd like to lift the block but we have seen no 
evidence that the problem was ever acknowledged or fixed by anyone involved in 
running the .tg registry.

Most of the issuance to .tg during the problematic period was from Let's 
Encrypt (note that validation was successfully completed; Let's Encrypt did not 
mis-issue). Since we disabled issuance to .tg on Nov 1, a lack of new suspicious 
issuance may only reflect our block, not resolution of problems.

The fact that some large companies got control of their domains back may only 
reflect customer service actions.

We are stuck in a difficult situation where we'd like to re-enable issuance to 
.tg but we just don't have confidence that the registry is secure. If anyone 
has any direct evidence we'd greatly appreciate seeing it.

Without more evidence we will simply have to re-enable .tg issuance and monitor 
it for a period of time.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy