Eddy,

You said:

> 2.) The Comodo Certification Practice Statement, Version 3.0 and other
> CPS amendments state that wild card certificates are domain name
> validated only (depending on product or trade mark). How does Comodo
> prevent or control misuse of wild card certificates, specially in
> relation to phishing attempts and other fraud, taking into consideration
> that these certificates are domain validated only? Does Comodo believe
> that such wild card certificates are issued according to verification
> requirements for this special type of certificates?

I have seen some other discussion of this issue in these threads, but I will 
try and clarify our position.

Any validation we do is to the highest level ownable domain name.  I appreciate 
that’s not a very exact term, but I mean that for a .com domain name we 
validate foo.com, for a .co.uk domain name we validate foo.co.uk.

We restrict the wildcard character in the domain name to be the leading
sub-domain, e.g. *.foo.com, *.foo.co.uk.

We do not apply any post-issuance checks on domain names for which the 
certificate.  

E.g. if we find a certificate is being used at ebay.foo.com we would not
*automatically* take action on that certificate – unless we become aware
(either through our own inspection or by notification from a third party) that
fraud is likely.

If any fraudulent use of any of our certificates (wildcard or not, EV or not) 
is discovered we will revoke that certificate.  We are permitted to do that by 
the subscriber agreement to which our subscribers indicate their agreement when 
they purchase certificates from us.

We agree that wildcard certificates pose more problems than non-wildcard 
certificates – but Wildcard certificate products exist today and we are not 
minded to unilaterally withdraw them.  

We helped to found the CAB forum and continue to support it to improve the 
overall security of SSL certificates.  We hope that one day all certificates 
will be EV, but until that day we feel we must be allowed to compete with other
CAs issuing wildcard products.

Regards
Robin Alden

Comodo

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
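
The two rules described in the message above (validation at the registrable domain, wildcard only as the leading label), written out as an added example; it is not part of the original email and not Comodo's code. The tiny suffix set, the function names, and the rejection of partial-label wildcards and of wildcards directly over a public suffix are assumptions made for illustration.

```python
# Constructed, deliberately tiny suffix set (assumption); a real check
# would load the full Public Suffix List instead.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk"}


def registrable_domain(name):
    """Return public suffix plus one label (e.g. foo.co.uk), or None."""
    labels = name.lower().rstrip(".").split(".")
    # Scanning from the left means the longest suffix (co.uk) wins over uk.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def check_wildcard_request(name):
    """Return (ok, domain_to_validate, reason) for a requested name."""
    labels = name.lower().rstrip(".").split(".")
    if any(label == "" for label in labels):
        return (False, None, "empty label")
    # Rule from the message: the wildcard may only be the leading sub-domain.
    if any("*" in label for label in labels[1:]):
        return (False, None, "wildcard not in leading label")
    # Assumption: a wildcard must be the whole label, not e.g. "w*".
    if "*" in labels[0] and labels[0] != "*":
        return (False, None, "partial wildcard label")
    base = labels[1:] if labels[0] == "*" else labels
    # Rule from the message: validation happens at the ownable domain.
    reg = registrable_domain(".".join(base))
    if reg is None:
        return (False, None, "no registrable domain")
    return (True, reg, "ok")


def wildcard_covers(pattern, host):
    """True if host matches pattern; '*' stands for exactly one label."""
    p = pattern.lower().split(".")
    h = host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]


if __name__ == "__main__":
    for req in ("*.foo.com", "*.foo.co.uk", "foo.*.com", "*.co.uk"):
        print(req, check_wildcard_request(req))
    # The case from the message: only foo.com was validated, yet the
    # certificate is also valid for any single-label host beneath it.
    print(wildcard_covers("*.foo.com", "ebay.foo.com"))
```
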
