Since this is a separate, serious issue, I filed a new bug and requested an incident report: https://bugzilla.mozilla.org/show_bug.cgi?id=1547072
I added this to the issues list as Issue G: https://wiki.mozilla.org/CA/Certinomis_Issues I also added a summary of the response received yesterday from Certinomis to issue F.3: Inadequate Controls on Production Testing On Thu, Apr 25, 2019 at 9:30 AM Ryan Sleevi <r...@sleevi.com> wrote: > > On Wed, Apr 17, 2019 at 5:22 PM Wayne Thayer via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> Yesterday, Andrew Ayer filed a bug [1] identifying 14 pre-certificates >> issued by Certinomis in February 2019 containing an unregistered domain >> name. Since the cause described in the incident report is similar, I added >> this under issue F.1. >> > > In the course of investigating this bug [1], it further appears that > Certinomis has continued to use method 3.2.2.4.5 to validate domains, > despite it being formally prohibited in the Baseline Requirements 8 months > ago, in August 2018. > > [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1544933#c8 > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
