I think I know the reason; this may be helpful for your investigation.
This is a code bug in the CA's issuing system: the engineer misunderstood the rule for adding the free additional domain. The system treats "www" as a subdomain, which in most cases it is, but in this case it is the top domain.
The subscriber finished the domain validation for the domain "www.sb", then the issuing system applied the rule "if the domain is validated, and if the cert request is for www.domain.com, then add its top domain - domain.com - to the certificate automatically", so the signing system added the domain ".sb" as its top domain to the certificate. This rule is OK for most cases, but for this case it is wrong.
There is another bug: it means Comodo doesn't have a gTLD blocking system, although according to the BR, a CA can't issue a gTLD domain to a subscriber.
And the excuse of "don't know this new gTLD" is not a good reason, since many new gTLDs come out very frequently; the system can NOT issue a gTLD name for subscribers, and must block any known or unknown gTLD in the certificate. And this domain - "www.sb" - passed the domain validation, which means the Comodo system knows this gTLD.
This is a BR-violating misissuance. I don't know if any more certificates were mis-issued, since it is a bug in the code that may affect other similar orders. I recommend Comodo post all issued SSL certificates to CT log servers for full transparency, to let users worldwide check if any more misissuance happened.
Best Regards,
Richard
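The "www.X => also add X" convenience rule described in the post above, as an added example (not code from the thread or from Comodo's system) that refuses to add a parent which is a registry-controlled public suffix; the suffix table is a constructed excerpt standing in for the Public Suffix List.

```python
# Added example: the free-extra-SAN rule with the missing check applied.
# Not Comodo's code. PUBLIC_SUFFIXES is a constructed excerpt; a real
# implementation loads the full Public Suffix List (with its wildcard and
# exception rules, which are omitted here).
PUBLIC_SUFFIXES = {"com", "net", "org", "sb", "uk", "co.uk"}


def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are exact."""
    return name.strip().lower().rstrip(".")


def is_public_suffix(domain: str) -> bool:
    """True if the domain is registry-controlled (a TLD or listed suffix)."""
    return normalize(domain) in PUBLIC_SUFFIXES


def registrable_parent(name: str):
    """For a validated 'www.X' name, return X if X may be added as a free
    extra SAN, or None when X is a public suffix (e.g. 'www.sb' -> 'sb')
    or the rule does not apply."""
    name = normalize(name)
    if not name.startswith("www."):
        return None                      # rule only covers www-prefixed names
    parent = name[len("www."):]
    if not parent or is_public_suffix(parent):
        return None                      # never add a bare TLD / public suffix
    return parent


def san_list(validated_names):
    """Build the SAN list: drop any name that is itself a public suffix,
    keep every other validated name, and add the apex for www-prefixed
    names only when that apex is registrable."""
    sans = []
    for raw in validated_names:
        name = normalize(raw)
        if is_public_suffix(name):
            continue                     # a CA must not issue a gTLD name
        if name not in sans:
            sans.append(name)
        apex = registrable_parent(name)
        if apex and apex not in sans:
            sans.append(apex)
    return sans
```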
-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosig...@lists.mozilla.org] On Behalf Of Robin Alden
Sent: Monday, September 26, 2016 1:29 AM
To: 'Peter Bowen' <pzb...@gmail.com>; 'Nick Lamb' <tiala...@gmail.com>
Cc: mozilla-dev-s...@lists.mozilla.org
Subject: RE: Comodo issued a certificate for an extension
Hi All,
We did receive a direct report of the problem yesterday (24th September) from a Mozilla rep., thanks, and we undertook an investigation and remediation exercise yesterday.
The software problem which caused or allowed this certificate to be issued has been corrected.
That certificate (https://crt.sh/?id=34242572) was revoked yesterday morning.
We will issue a report tomorrow (26th September).
Regards
Robin Alden
Comodo
> >> am I the only one who a) thinks this is slightly problematic and b) is surprised that the cert still isn't revoked?
> >