Comodo's CPS [1] lists the following:

1.10.2 Web Host Reseller Partners

Through a “front-end” referred to as the “Management Area”, the Web Host *Reseller* Partner has access to the *RA* functionality including but not limited to the issuance of Secure Server Certificates.... is obliged to *conduct validation* in accordance with the validation guidelines and agrees via an online process (checking the “I have sufficiently validated this application” checkbox when applying for a Certificate) that sufficient validation has taken place prior to issuing a certificate.

This seems to be exactly in line with my comment [2] and the published image [3]. If this is correct, then it is in direct conflict with section 4.2.7 "PositiveSSL and PositiveSSL Wildcard Secure Server Certificates" of this statement [4]:

To validate PositiveSSL and PositiveSSL Wildcard Secure Server Certificates, *Comodo* checks that the Subscriber has control.....
....and the use of generic e-mails which ordinarily are only available to person(s) controlling the domain name administration, for example, webmaster@ . . ., postmaster@ . . ., admin@;


This basically means that Comodo outsources domain validation not only to RAs but also to resellers. In addition, domain validation is effectively circumvented and non-existent for such resellers. The mere checking of the checkbox is the only requirement for the issuance of any certificate. This is in my opinion insufficient and an undue risk! Considering the size of Comodo's reseller and RA network (which I'm sure makes up the biggest chunk of their certificate issuance), it is reasonable to assume that unvalidated certificates exist currently.

Additionally, I want to point out that the CPS [4] explicitly states that Comodo performs the validation, which, however, is not the case as we've seen with certstar. Since I was reading this document during the review period of Comodo this spring, I was fairly convinced that Comodo performs those validations.

I request to receive further information about how exactly domain control is validated and which controls Comodo has in place to prevent fraudulent or mistaken issuance. Incidentally, I've found discrepancies in statements made by Robin as to the status of certstar in particular and concerning domain validation in general.


[1] http://www.comodo.com/repository/09_22_2006_Certification_Practice_Statement_v.3.0.pdf
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=470897#c27
[3] https://bugzilla.mozilla.org/attachment.cgi?id=354425
[4] http://www.comodo.com/repository/PositiveSSL_addendum_to_the_Certification_Practice_Statement.pdf

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto