Hi Douglas, thank you for your reply! I have posted a detailed reply at https://bugzilla.mozilla.org/show_bug.cgi?id=1420766
Short version: We measure every 8 hours, and I believe the records you have seen existed for a short time around your issuance lookup.
So this would be a false positive, based on the fact that an evaluator/auditor can only query so often and records may be changed multiple times between two measurements.

Kind regards
Quirin

> On 29. Nov 2017, at 12:26, douglas.beattie--- via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>
> Hi Quirin,
>
> I'm curious about how you recorded the historical information from DNS, can
> you explain how this was requested and logged?
>
> We logged the data used for issuance of the GlobalSign certificate at the
> time of issuance and it's different from what you recorded.
>
> We logged that there was no “issuewild” entry and that "digicert.com",
> "globalsign.com", "letsencrypt.org" and "rapidssl.com" are all defined as
> “issue” at time of issuance.
>
> Doug
>
> On Friday, November 24, 2017 at 7:23:25 AM UTC-5, Gervase Markham wrote:
>> Hi Quirin,
>>
>> Thank you for your work on this topic. I would be grateful if you could
>> file Bugzilla bugs in the Misissuance component as follows, giving your
>> evidence of misissuance:
>>
>> On 22/11/17 23:50, Quirin Scheitle wrote:
>>> 1) Mix of wildcard and non-wildcard DNS names in SAN
>>> Batch: https://misissued.com/batch/32/
>>> Description: best confer
>>> https://groups.google.com/d/msg/mozilla.dev.security.policy/O9HZPMvHMY8/HtXR8S-1AAAJ
>>
>> One bug per CA, please.
>>
>>> 4) Apparent non-evaluation of CAA records
>>> Batch: https://misissued.com/batch/33/
>>> Description: These cases appear as pretty straight-forward that they
>>> should not have been issued, but
>>> there might be good explanations
>>
>> One bug for the two Comodo certs, one for the Camerfirma cert.
>>
>> Thank you,
>>
>> Gerv
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy