Re: Comodo issued a certificate for an extension

2016-11-11 Thread Gervase Markham
On 11/11/16 15:43, Nick Lamb wrote: > My review (based on what I saw posted to CA/B mailing lists) > suggested > that there isn't active patent uncertainty at all for some Ballot 169 > methods. I would welcome more information if you have some. Well, if previous IPR disclosures are, in fact,

Re: Comodo issued a certificate for an extension

2016-11-11 Thread Gervase Markham
On 10/11/16 19:52, Robin Alden wrote: > To avoid suggestions of weasel-words around the CA/B forum's struggle with > their IP policy my understanding is that at least Microsoft, and I hope > other browsers too, will incorporate the Ballot 169 wording into their > policy regardless of whether the

Re: Comodo issued a certificate for an extension

2016-11-10 Thread Nick Lamb
On Thursday, 10 November 2016 19:53:25 UTC, Robin Alden wrote: > I can't speak to your assumptions, but I concede that it is not explicit in > the CPS. > > It is now documented at > https://secure.comodo.com/api/pdf/latest/Domain%20Control%20Validation.pdf > and in the knowledgebase article at:

RE: Comodo issued a certificate for an extension

2016-11-10 Thread Robin Alden
Nick Lamb, on 02 October 2016 17:50, said.. > The first thing that jumps out at me from their report is that they mistake .sb > for a gTLD when it is actually a ccTLD. That was a mistake in writing the report. The point is that it is a TLD. > The second thing obviously is that they do have

RE: Comodo issued a certificate for an extension

2016-11-10 Thread Robin Alden
Eric Mill, on 03 October 2016 03:14, said.. > On Sun, Oct 2, 2016 at 9:23 PM, Nick Lamb wrote: > > On Sunday, 2 October 2016 20:53:15 UTC+1, Peter Bowen wrote: > > > There is some good news. The CA/Browser Forum has already addressed > > > this, even prior to the current

Re: Comodo issued a certificate for an extension

2016-10-04 Thread Gervase Markham
On 04/10/16 14:19, Nick Lamb wrote: > That's why I proposed Mozilla might like to write this to CA/B or in > a group CA communication, because I would be astonished if WoSign and > Comodo are the only CAs to have such special "rules" that defeat the > purpose of the validation step, or if this is

Re: Comodo issued a certificate for an extension

2016-10-04 Thread Nick Lamb
On Tuesday, 4 October 2016 12:21:47 UTC+1, Rob Stradling wrote: > When we are required (by CABForum and/or root program requirements) to > do , we will of course undertake to do . > > There are lots of s that we are already required to do. We > haven't tended to issue a separate announcement

Re: Comodo issued a certificate for an extension

2016-10-04 Thread Rob Stradling
On 03/10/16 02:23, Nick Lamb wrote: > Comodo's document never actually says that they're abolishing this "rule" as > a result of Ballot 169. It lets you choose to draw that implication, by > specifying that their current practices pre-date Ballot 169's changes, but it > never says as much.

Re: Comodo issued a certificate for an extension

2016-10-04 Thread Rob Stradling
On 02/10/16 17:49, Nick Lamb wrote: > On Sunday, 2 October 2016 11:11:34 UTC+1, Patrick Figel wrote: >> https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg04274.html > > Thanks, I too could not find this in Google Groups. That is a little > concerning as I had assumed this

RE: Comodo issued a certificate for an extension

2016-10-03 Thread Jeremy Rowley
-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla .org] On Behalf Of Man Ho (Certizen) Sent: Monday, October 3, 2016 2:55 AM To: Peter Bowen <pzbo...@gmail.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org <dev-security-policy@lists.mozilla.org> Subject: Re: C

Re: Comodo issued a certificate for an extension

2016-10-03 Thread Man Ho (Certizen)
On 10/3/2016 11:50 AM, Peter Bowen wrote: > 3.2.2.4.4, 3.2.2.4.6, 3.2.2.4.9, and 3.2.2.4.10 all use the newly > defined "Authorization Domain Name", which should avoid this in the > future. Thank you for pointing me to those sections, but my confusion may be starting from the definition of

Re: Comodo issued a certificate for an extension

2016-10-02 Thread Peter Bowen
You are correct, I was not clear. 3.2.2.4.4, 3.2.2.4.6, 3.2.2.4.9, and 3.2.2.4.10 all use the newly defined "Authorization Domain Name", which should avoid this in the future. 3.2.2.4.7 is actually the outlier, in that it allows _ (underscore + some label) prefixed to the name being validated.

Re: Comodo issued a certificate for an extension

2016-10-02 Thread Man Ho (Certizen)
Peter, I'm confused why only the section 3.2.2.4.7 specifically addresses this concern, and how. If only it does, would it imply that CA must use this method of section 3.2.2.4.7 to validate a Base Domain Name, which happened to be an Authorization Domain Name requested by the applicant?

Re: Comodo issued a certificate for an extension

2016-10-02 Thread Eric Mill
On Sun, Oct 2, 2016 at 9:23 PM, Nick Lamb wrote: > On Sunday, 2 October 2016 20:53:15 UTC+1, Peter Bowen wrote: > > There is some good news. The CA/Browser Forum has already addressed > > this, even prior to the current discussions. Ballot 169 > >

Re: Comodo issued a certificate for an extension

2016-10-02 Thread Peter Bowen
On Sun, Oct 2, 2016 at 6:23 PM, Nick Lamb wrote: > On Sunday, 2 October 2016 20:53:15 UTC+1, Peter Bowen wrote: > >> Under the new rules, which should be in >> effect as of 1 March 2017, validating www. will not be a valid >> method of showing control of . The name is true

Re: Comodo issued a certificate for an extension

2016-10-02 Thread Nick Lamb
On Sunday, 2 October 2016 20:53:15 UTC+1, Peter Bowen wrote: > There is some good news. The CA/Browser Forum has already addressed > this, even prior to the current discussions. Ballot 169 > (https://cabforum.org/2016/08/05/ballot-169-revised-validation-requirements/) > revises 3.2.2.4

Re: Comodo issued a certificate for an extension

2016-10-02 Thread Peter Bowen
On Sun, Oct 2, 2016 at 9:49 AM, Nick Lamb wrote: > > The second thing obviously is that they do have exactly the "rule" Richard > Wang described, and they believe this was justified under the BRs old 3.2.2.4 > method 7 (which isn't a method at all, it's basically a

Re: Comodo issued a certificate for an extension

2016-10-02 Thread Nick Lamb
On Sunday, 2 October 2016 11:11:34 UTC+1, Patrick Figel wrote: > https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg04274.html Thanks, I too could not find this in Google Groups. That is a little concerning as I had assumed this was the authoritative source, since it's linked

Re: Comodo issued a certificate for an extension

2016-10-02 Thread Patrick Figel
On 02/10/16 12:01, Jason Milionis wrote: > Still no response from COMODO CA, that's interesting, but why? They published an incident report a couple of days ago. For some reason, it's not visible in the Google Groups archive of m.d.s.p (at least for me). Here's an alternative link:

Re: Comodo issued a certificate for an extension

2016-09-26 Thread Showfom
On Saturday, September 24, 2016 at 7:07:39 AM UTC+8, Showfom wrote: > First, let me introduce myself, I'm a famous investor of ccTLD domains from > China. > > Recently we get an easy-remember domain www.sb, please note the extension is > .sb > > I ordered a Comodo Positive SSL for this domain,

Re: Comodo issued a certificate for an extension

2016-09-26 Thread Showfom
On Sunday, September 25, 2016 at 6:24:11 AM UTC+8, Percy wrote: > Ha! @Showfom perhaps you should try getting a wildcard cert from them and > consequently obtain a cert for all *.sb domains. I tried to get a cert from StartSSL, they will only issue www.sb or www.www.sb, that's good.

Re: Comodo issued a certificate for an extension

2016-09-25 Thread Ryan Sleevi
On Sunday, September 25, 2016 at 6:14:06 PM UTC-7, Richard Wang wrote: > This rule is ok for more case, but for this case, it is wrong. This rule is NEVER ok. Please re-read the BRs to understand why. > There is another bug that it means Comodo don't have the gTLD blocking system > that

RE: Comodo issued a certificate for an extension

2016-09-25 Thread Richard Wang
' <pzbo...@gmail.com>; 'Nick Lamb' <tialara...@gmail.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: RE: Comodo issued a certificate for an extension Hi All, We did receive a direct report of the problem yesterday (24th September) from a Mozilla rep., thank

RE: Comodo issued a certificate for an extension

2016-09-25 Thread Robin Alden
Of Peter Bowen > Sent: 25 September 2016 17:37 > To: Nick Lamb <tialara...@gmail.com> > Cc: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Comodo issued a certificate for an extension > > On Sun, Sep 25, 2016 at 9:19 AM, Nick Lamb <tialara...@gmail.com>

Re: Comodo issued a certificate for an extension

2016-09-25 Thread Peter Bowen
On Sun, Sep 25, 2016 at 9:19 AM, Nick Lamb wrote: > On Sunday, 25 September 2016 15:35:07 UTC+1, mono...@gmail.com wrote: >> am I the only one who a) thinks this is slightly problematic and b) is >> surprised that the cert still isn't revoked? > > I don't know enough about

Re: Comodo issued a certificate for an extension

2016-09-25 Thread Nick Lamb
On Sunday, 25 September 2016 15:35:07 UTC+1, mono...@gmail.com wrote: > am I the only one who a) thinks this is slightly problematic and b) is > surprised that the cert still isn't revoked? I don't know enough about the .sb ccTLD to be clear how problematic the described scenario is. I would

Re: Comodo issued a certificate for an extension

2016-09-25 Thread mono . riot
am I the only one who a) thinks this is slightly problematic and b) is surprised that the cert still isn't revoked? Cheers, mono ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org

Re: Comodo issued a certificate for an extension

2016-09-24 Thread Percy
Ha! @Showfom perhaps you should try getting a wildcard cert from them and consequently obtain a cert for all *.sb domains.

Re: Comodo issued a certificate for an extension

2016-09-23 Thread sjw
The affected cert has been logged here: https://crt.sh/?id=34242572 On 24.09.2016 at 02:33, Richard Wang wrote: > First, I must make declaration that I don't know "Showfom", and I don't know > if he/she is a WoSign customer. > > As I said in my final statement that I wish all Mozilla trusted

RE: Comodo issued a certificate for an extension

2016-09-23 Thread Richard Wang
First, I must make declaration that I don't know "Showfom", and I don't know if he/she is a WoSign customer. As I said in my final statement that I wish all Mozilla trusted CA can post their issued certificate to CT log server for full transparency, I am sure not WoSign mis-issued certificate

RE: Comodo issued a certificate for an extension

2016-09-23 Thread Richard Wang
First, I must make declaration that I don't know "Showfom", and I don't know if he/she is a WoSign customer. As I said in my final statement that I wish all Mozilla trusted CA can post their issued certificate to CT log server for full trenchancy, I am sure not WoSign mis-issued certificate,