I believe that this is a symptom of faulty internal control, and that this is direct evidence of not living up to the Mozilla CA policy.
I advocate at least temporarily removing the trust bits from Comodo until a new external audit can be completed, with an eye toward ensuring that Comodo, not the reseller, perform the domain validations.

-Kyle H

On Mon, Dec 22, 2008 at 5:47 PM, Eddy Nigg <eddy_n...@startcom.org> wrote:
> On 12/23/2008 03:38 AM, Robin Alden:
>>
>> Eddy,
>>
>> As I noted in my prior correspondence, Comodo has undertaken an internal
>> review of the Certstar reseller account. We have informed CertStar that
>> their email violates their contractual obligation to refrain from sending
>> unsolicited emails and that their email could be interpreted as misleading
>> and confusing to the customer. During our review, we discovered that
>> Certstar had apparently issued a certificate to mozilla.com without
>> validating control of the domain. We immediately revoked the certificate
>> (prior to your posting) and have suspended Certstar's reseller activities
>> until our investigation has been completed.
>
> A.) The certificate was revoked after posting to this list.
> B.) Your CA also issued a certificate to startcom.org without validating
> anything.
> C.) Yes, I think we have a problem of a wider scale here. This is not about
> me personally.
>
>
> --
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd.
> Jabber: start...@startcom.org
> Blog: https://blog.startcom.org
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto