On 24/11/17 11:22, Quirin Scheitle via dev-security-policy wrote:

On 24. Nov 2017, at 05:33, Han Yuwei via dev-security-policy 
<dev-security-policy@lists.mozilla.org> wrote:

Comodo will check CAA before issurance even domain in Cloudflare. I asked it 
before 
(https://groups.google.com/d/msg/mozilla.dev.security.policy/rFyPQ0o7RMM/bBhqXEV8BQAJ).
 So I think Comodo should give a comment about this.

HI Han,

thank you for this pointer, I  was not aware of this.
I would conclude that these certificates do not constitute a special case then, and 
are just a case of "Comodo not checking CAA records until Sep 12”.

Hi Quirin.  That conclusion is correct.

The 2 certs issued to Cloudflare customers that are listed at https://misissued.com/batch/30/ were issued on September 8th and 11th 2017, which was during the period of time that our CAA implementation was completely broken. See our earlier incident report [1] for the details.


[1] https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg08054.html

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to