I updated our Mozilla ticket this this info and I wanted to also supply it
here because it answers your questions also
Here is an update to this incident:
5/20: After further analysis of the issue, it was determined that the cause
was not the V1 API in general, but that there was a missing check for CN/SAN
validation which was being skipped in a certain scenario. Specifically,
when the "AEG" product code was being used, this check was skipped.
Typically the AEG product code is used for non-public SSL certificates, and
we found that the conditional CN/SAN check for the publicly trust thread was
not being executed.
5/21: We rolled out updated code that now properly checks the CN and SAN
values for the AEG product code. We also rolled back the V1 support to
permit continued use of that API. While it's not being used for certificate
issuance, it was being used for some other functions that impacted customer
operations for the prior few days.
We reviewed all certificates issued via this product code and found that
these were the only 4 that didn't comply.
Others have asked if we had skipped any other checks, like CAA, when
following this AEG product thread. Over the past few days we've reviewed
the code and threads and have determined that no other required checks or
validations were skipped. Organization and Domain validation is done via
our Enterprise model and these certificate requests all were subject to
We're continuing to inspect the AEG thread to double and triple check that
no other required validation steps were missed and will report back if we
find anything new to report, but at this point I believe that we can close