Re: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone

2017-09-13 Thread Quirin Scheitle via dev-security-policy
Hi, just wanted to update that Certum has also issued on this domain: https://crt.sh/?id=209378608 I have opened a support ticket, which has led to revocation but not a qualified statement as to what happened yet. Kind regards, Quirin

RE: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone

2017-09-13 Thread Inigo Barreira via dev-security-policy
:30 To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone Hi all, Thank you for the replies. I am glad that there is agreement these certificates should not have been issued. I am confident that the test behaved correctly, the last edit

Re: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone

2017-09-12 Thread Quirin Scheitle via dev-security-policy
Hi all, Thank you for the replies. I am glad that there is agreement these certificates should not have been issued. I am confident that the test behaved correctly, the last edit on the zone file was on Aug 31 17:24, and it reads: crossbear.org. 0 CAA 0 issue ";" So even

RE: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone

2017-09-12 Thread Inigo Barreira via dev-security-policy
il.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: RE: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone Ok, let me investigate this further, maybe I didn't catch it rightly. For the record, the certificate was revoked. Best regards, Iñigo Barreira CEO StartCom CA Limited -Original Me

RE: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone

2017-09-12 Thread Inigo Barreira via dev-security-policy
] On Behalf Of Nick Lamb via dev-security-policy Sent: martes, 12 de septiembre de 2017 12:26 To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone On Tuesday, 12 September 2017 10:38:56 UTC+1, Inigo Barreira wrote: > Furtherm

Re: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone

2017-09-12 Thread Nick Lamb via dev-security-policy
On Tuesday, 12 September 2017 10:38:56 UTC+1, Inigo Barreira wrote: > Furthermore, according to the logs, at the time of checking for a CAA record, > there was none. The lookup was successful and hence allowed the issuance. Given that this contradicts the facts alleged in Quirin's tests and the

RE: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone

2017-09-12 Thread Mads Egil Henriksveen via dev-security-policy
...@lists.mozilla.org Subject: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone Hi, inspired by the ballot paragraph [1], I set up a domain that is fully DNSSEC signed [2], but does not reply to CAA queries (timeout). I could obtain certificates for this domain from Buypass and Startcom [3]. Other CAs

RE: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone

2017-09-12 Thread Inigo Barreira via dev-security-policy
Of Quirin Scheitle via dev-security-policy Sent: martes, 12 de septiembre de 2017 0:24 To: mozilla-dev-security-pol...@lists.mozilla.org Subject: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone Hi, inspired by the ballot paragraph [1], I set up a domain that is fully DNSSEC signed [2], but does

(Mis)-Issuance on CAA Timeout in DNSSEC signed zone

2017-09-12 Thread Quirin Scheitle via dev-security-policy
Hi, inspired by the ballot paragraph [1], I set up a domain that is fully DNSSEC signed [2], but does not reply to CAA queries (timeout). I could obtain certificates for this domain from Buypass and Startcom [3]. Other CAs (RapidSSL, GeoTrust, LetsEncrypt) have refused to issue, and GoDaddy