On Friday, 22 January 2021 at 2:31:00 UTC+1, Filippo Valsorda wrote:
> 2021-01-19 18:01 GMT+01:00 Andrew Ayer via dev-security-policy 
> <dev-secur...@lists.mozilla.org>: 
> > It's troubling that even at this stage, Camerfirma still doesn't seem 
> > to grasp the seriousness of their compliance problems. Today, 
> > they are arguing that there was no security threat from a certificate 
> > issued for a domain without authorization because the subdomain 
> > in the certificate "does not exist": 
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1672409#c8
> In my personal capacity, I want to stress how worrying this response by 
> Camerfirma is. Arguing that a certificate doesn't present any risk if it's 
> issued for a name that doesn't exist in DNS betrays a deep misunderstanding 
> of the web platform, which the WebPKI serves. (For example, an attacker in a 
> privileged network position can fake a DNS response for that domain, and use 
> it to set Secure cookies on the whole site.)

Hi Filippo, thanks for your contribution.

I think there has been a misunderstanding about Camerfirma's answer, since we do 
not argue that issuing a certificate for a name that doesn't exist in DNS 
doesn't present any risk. We meant that in this specific incident there haven’t 
been any security issues because this specific certificate – and the 
corresponding private key – was used inside a closed and protected environment. 
In fact, it was managed internally by the SubCA itself because it was one of the 
three technical certificates (a valid one, an expired one and a revoked one) 
that every CA shall create and install according to clause 2.2 of CAB Forum BR: 
it was never sent outside this environment and released into the wild, where – 
indeed – it could have created some risks. 

Nevertheless, the bug is still open, and we are giving additional information 
to evaluate it. https://bugzilla.mozilla.org/show_bug.cgi?id=1672409#c8.
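Filippo's cookie point, as an added illustration that is not part of the thread: a minimal model of RFC 6265 cookie domain scoping, written for this page (all host names are constructed). It shows that a response from any subdomain that domain-matches example.com, whether or not that name resolves in DNS, can set a Secure cookie on the parent domain, which a browser then sends to www.example.com.

```python
from dataclasses import dataclass
from typing import Optional, Dict
@dataclass
class Cookie:
    name: str
    value: str
    domain: str    # Domain attribute, canonicalised, no leading dot
    secure: bool

def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3 (IP-address special case omitted)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def accept_cookie(request_host: str, set_cookie: str) -> Optional[Cookie]:
    """RFC 6265 section 5.3: the cookie a UA stores, or None (host-only not modelled)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    domain, secure = "", False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "domain":
            domain = val.lstrip(".").lower()
        elif key.lower() == "secure":
            secure = True
    # Domain-attribute rule: the request host must domain-match the attribute, so
    # any subdomain, whether or not it exists in DNS, may set a parent-domain cookie.
    if not domain or not domain_matches(request_host, domain):
        return None
    return Cookie(name, value, domain, secure)

def would_send(cookie: Cookie, request_host: str, https: bool) -> bool:
    """RFC 6265 section 5.4: is the cookie attached to a request to request_host?"""
    if cookie.secure and not https:
        return False
    return domain_matches(request_host, cookie.domain)

# Constructed scenario: a response the client believes came from a subdomain
# with no DNS record, reached via a spoofed DNS answer and a mis-issued cert.
ROGUE_HOST = "does-not-exist.example.com"
HEADER = "session=attacker-chosen; Domain=example.com; Secure"

def demo() -> Dict[str, bool]:
    c = accept_cookie(ROGUE_HOST, HEADER)
    return {
        "stored": c is not None,
        "sent_to_www_https": c is not None and would_send(c, "www.example.com", True),
        "sent_to_www_http": c is not None and would_send(c, "www.example.com", False),
        "other_site_rejected": accept_cookie(ROGUE_HOST, "x=1; Domain=example.net") is None,
    }
```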

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy