Re: Comodo issued a certificate for an extension

2016-10-02 Thread Peter Bowen
You are correct, I was not clear. 3.2.2.4.4, 3.2.2.4.6, 3.2.2.4.9, and 3.2.2.4.10 all use the newly defined "Authorization Domain Name", which should avoid this in the future. 3.2.2.4.7 is actually the outlier, in that it allows _ (underscore + some label) prefixed to the name being validated.

Re: Comodo issued a certificate for an extension

2016-10-02 Thread Man Ho (Certizen)
Peter, I'm confused why only the section 3.2.2.4.7 specifically addresses this concern, and how. If only it does, would it imply that a CA must use this method of section 3.2.2.4.7 to validate a Base Domain Name, which happened to be an Authorization Domain Name requested by the applicant?

Re: Comodo issued a certificate for an extension

2016-10-02 Thread Eric Mill
On Sun, Oct 2, 2016 at 9:23 PM, Nick Lamb wrote:
> On Sunday, 2 October 2016 20:53:15 UTC+1, Peter Bowen wrote:
> > There is some good news. The CA/Browser Forum has already addressed
> > this, even prior to the current discussions. Ballot 169
> >

Re: Comodo issued a certificate for an extension

2016-10-02 Thread Peter Bowen
On Sun, Oct 2, 2016 at 6:23 PM, Nick Lamb wrote:
> On Sunday, 2 October 2016 20:53:15 UTC+1, Peter Bowen wrote:
> >> Under the new rules, which should be in
>> effect as of 1 March 2017, validating www. will not be a valid
>> method of showing control of .

The name is true

Re: Comodo issued a certificate for an extension

2016-10-02 Thread Nick Lamb
On Sunday, 2 October 2016 20:53:15 UTC+1, Peter Bowen wrote:
> There is some good news. The CA/Browser Forum has already addressed
> this, even prior to the current discussions. Ballot 169
> (https://cabforum.org/2016/08/05/ballot-169-revised-validation-requirements/)
> revises 3.2.2.4

Re: Comodo issued a certificate for an extension

2016-10-02 Thread Peter Bowen
On Sun, Oct 2, 2016 at 9:49 AM, Nick Lamb wrote:
>
> The second thing obviously is that they do have exactly the "rule" Richard
> Wang described, and they believe this was justified under the BRs old 3.2.2.4
> method 7 (which isn't a method at all, it's basically a

Re: Comodo issued a certificate for an extension

2016-10-02 Thread Nick Lamb
On Sunday, 2 October 2016 11:11:34 UTC+1, Patrick Figel wrote:
> https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg04274.html

Thanks, I too could not find this in Google Groups. That is a little concerning as I had assumed this was the authoritative source, since it's linked

Re: Comodo issued a certificate for an extension

2016-10-02 Thread Patrick Figel
On 02/10/16 12:01, Jason Milionis wrote:
> Still no response from COMODO CA, that's interesting, but why?

They published an incident report a couple of days ago. For some reason, it's not visible in the Google Groups archive of m.d.s.p (at least for me). Here's an alternative link:

Re: WoSign and StartCom

2016-10-02 Thread Percy
On Monday, September 26, 2016 at 7:21:13 AM UTC-7, Gervase Markham wrote:
> Today, Mozilla is publishing an additional document containing further
> research into the back-dating of SHA-1 certificates, in violation of the
> CAB Forum Baseline Requirements, to avoid browser blocks. It also
>

Re: Apple's response to the WoSign incidents

2016-10-02 Thread Percy
On Saturday, October 1, 2016 at 9:03:38 PM UTC-7, Kurt Roeckx wrote:
> On Sat, Oct 01, 2016 at 11:35:06AM -0700, Percy wrote:
> > "Apple products will trust individual existing certificates issued from
> > this intermediate CA and published to public Certificate Transparency log
> > servers by