On 24/11/17 11:22, Quirin Scheitle via dev-security-policy wrote:
> On 24. Nov 2017, at 05:33, Han Yuwei via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>> Comodo will check CAA before issuance even domain in Cloudflare. I asked it
>> before
>> (https://groups.google.com/d/msg/mozilla.dev.security.policy/rFyPQ0o7RMM/bBhqXEV8BQAJ).
>> So I think Comodo should give a comment about this.
>
> Hi Han,
> thank you for this pointer, I was not aware of this.
> I would conclude that these certificates do not constitute a special case then, and
> are just a case of "Comodo not checking CAA records until Sep 12".

Hi Quirin. That conclusion is correct.
The 2 certs issued to Cloudflare customers that are listed at
https://misissued.com/batch/30/ were issued on September 8th and 11th
2017, which was during the period of time that our CAA implementation
was completely broken. See our earlier incident report [1] for the details.

[1] https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg08054.html

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online