Patricia, I believe it's important to realize a couple of things:

1) An unsolicited commercial email (UCE) message was sent from your company to the party in question suggesting that there already existed a relationship between your company and the party in question. This is obvious from the verb 'renew' in the original message -- a non-party to the original certificate can't renew "on behalf of" the original certificate issuer. If they can, there's a major problem.

1a) The message from your company, and in fact the entire process up to and including paying for the certificate which your company issued, did not expressly claim an affiliation, and the party in question went through the process of "renewal" with the intent of figuring out which CA's services were being advertised via UCE.

2) The party in question (Eddy Nigg) is the founder of another Certifying Authority, with a root which participates in the Mozilla root program and which is also included in the root store.

3) It falls within the concept of "due diligence" for a security-conscious warden of a public trust to recognize the lack of actual domain control verification in a trusted certificate issuance process, and *for the purposes of verification and public notification* obtain a certificate which could be shown absolutely to have been issued in violation of the standards of at least one of the root programs that the issuer (or issuer's trust-delegator) participates in.

3a) If this had not been identified, someone else would have found it eventually -- and the reaction to a gross violation of security standards is to immediately believe that the worst-case scenario has occurred: that it had already been found and exploited by at least one other person.

4) The end-users (referred to as "relying parties") are well-served by this identification of completely bogus credentialing.

5) It's also important to recognize the following (the first comment on https://bugzilla.mozilla.org/show_bug.cgi?id=470897):

------- Comment #1 From Reed Loden [:reed] 2008-12-23 01:35:37 PST -------
The same company that Eddy was able to get the mozilla.com cert from (Certstar) has been endlessly spamming webmas...@mozilla.org since the beginning of December complaining that one of our SSL certs had "expired" and needed to be "renewed" (both of which were false). They have continued to spam us almost daily. :(
------ end comment ------

Yes, the bare facts are that a user exploited the lack of verification in your certificate issuance process. However, the lack of verification in your process violates at least one contractual obligation that your company is required to uphold, and reduces the value of both Comodo's root AND the commercial Certifying Authority structure in general. Because the user founded another commercial CA which is trusted by Mozilla NSS by default, this user was operating in a manner to verify that the commercial CA structure was in fact secure; the trust afforded this user's CA is demonstrably harmed by your lack of verification.

I do not take this situation as lightly as you appear to wish that everyone would. The initial fault is YOUR COMPANY'S (and that fault reverberates up to Comodo, since it delegated trust to your company), and the fact that you're attempting to shift the blame onto the user shows that you are absolutely untrustworthy to run or be the public face of any commercial certificate-issuance service. Because of this, my recommendation that Comodo's trust bits be removed until a full audit of their practices (and a full audit of all issued certificates) stands, and I am that much more resolute in my belief. It may be that the integrity of Comodo's root has been irreparably damaged by your company's malfeasance; if this is the case, I certainly hope they rake you over the coals.

-Kyle H

On Tue, Dec 23, 2008 at 12:48 AM, <patri...@certstar.com> wrote:
> Hi all,
>
> A glitch in our validation system has today caused a certificate to be
> issued to a person who successfully abused our system.
>
> We have now strengthened our domain validation system so that such
> abuse cannot happen again. Comodo has handled this issue in a
> professional way by invoking the certificate immediately after issuing
> and contacting Certstar.
>
> Again, I cannot stress enough how seriously we take this issue and I
> would like to apologize to the Mozilla organization for the mis-issue.
>
> --
> kind regards,
> Patricia, Certstar ApS
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto