
I bought myself a new domain this month and found out through crt.sh that there is a 3-year SSL certificate valid for my domain. Naturally I contacted the Comodo SSL Abuse Dept. and got redirected to the reseller, Namecheap. After reaching out to Namecheap, they insisted that as long as I issue a new certificate, the valid certificate that the former domain owner has will have no power whatsoever (which is not true). Even after ticket escalation, they just keep re-assuring me that MITM somehow will not exist as long as I set up a new SSL cert and that "there is no need to worry about the security of your website and the information transmitted via Internet".

So, according to Namecheap's statement, the WoSign incident was just a fraud, and people who obtained github.com's certificate will do absolutely no harm to GitHub. Good to know.

1 Answer


Yes, it is (a reason for certificate revocation)

See the CA/Browser Forum Baseline Requirements at https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.5.7-29-Apr-2018.pdf, specifically section 4.9.1.1, "Reasons for Revoking a Subscriber Certificate", which has this specific point:

The CA SHALL revoke a Certificate within 24 hours if one or more of the following occurs:

...

  1. The CA is made aware of any circumstance indicating that use of a Fully-Qualified Domain Name or IP address in the Certificate is no longer legally permitted (e.g. a court or arbitrator has revoked a Domain Name Registrant’s right to use the Domain Name, a relevant licensing or services agreement between the Domain Name Registrant and the Applicant has terminated, or the Domain Name Registrant has failed to renew the Domain Name);

The Domain Name Registrant has failed to renew the Domain Name, and hence it may have been registered by someone else, so my reading of this document, which each CA must follow, is that the initial certificate should be revoked.

Patrick Mevzek
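The practical follow-up to this answer, for a new registrant, is to find every certificate for the domain that was issued before the domain changed hands and is still within its validity period, since those are the ones to report to the issuing CA under BR 4.9.1.1 (issuing your own certificate does not affect them). The script below is an added example, not code from the question, the answer or crt.sh; it assumes records in the layout of crt.sh's JSON output (`?q=<domain>&output=json`, with `not_before`/`not_after` as `YYYY-MM-DDTHH:MM:SS` strings and `name_value` as newline-separated DNS names), and the records, dates and issuer names in it are constructed sample data.

```python
"""Triage of crt.sh-style Certificate Transparency records for a newly acquired domain.

Defender's goal: list every certificate issued BEFORE the domain changed hands
that is STILL valid at the reference time. Those are the certificates a new
registrant should report for revocation under CA/B Forum BR section 4.9.1.1.
"""
import json
from datetime import datetime, timezone

# ASSUMPTION: records follow the crt.sh JSON output layout. These entries are
# constructed sample data, not real crt.sh results or real CAs.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=GB, O=Example CA Ltd, CN=Example DV CA",
     "not_before": "2016-03-01T00:00:00", "not_after": "2019-02-28T23:59:59",
     "name_value": "example.test\nwww.example.test", "serial_number": "01"},
    {"id": 2, "issuer_name": "C=GB, O=Example CA Ltd, CN=Example DV CA",
     "not_before": "2014-01-10T00:00:00", "not_after": "2015-01-10T00:00:00",
     "name_value": "example.test", "serial_number": "02"},
    {"id": 3, "issuer_name": "C=US, O=Another CA, CN=Another DV CA",
     "not_before": "2018-06-02T00:00:00", "not_after": "2018-08-31T00:00:00",
     "name_value": "example.test", "serial_number": "03"},
    {"id": 4, "issuer_name": "C=GB, O=Example CA Ltd, CN=Example DV CA",
     "not_before": "2017-05-05T00:00:00", "not_after": "2020-05-04T23:59:59",
     "name_value": "*.example.test\nexample.test", "serial_number": "04"},
])


def _parse_ts(value):
    # crt.sh timestamps are naive UTC; attach tzinfo so comparisons are explicit.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def covers_domain(name_value, domain):
    """True if any SAN in the record matches `domain` exactly or via a
    one-label wildcard (the RFC 6125 rule: *.example.test matches
    www.example.test but not example.test or a.b.example.test)."""
    domain = domain.lower()
    labels = domain.split(".")
    for name in name_value.lower().split("\n"):
        if name == domain:
            return True
        if name.startswith("*.") and len(labels) > 1 and name[2:] == ".".join(labels[1:]):
            return True
    return False


def stale_certificates(crtsh_json, domain, acquired_at, now):
    """Return records covering `domain` that were issued before `acquired_at`
    and are still valid at `now` (both ISO timestamps, UTC).

    Records already expired at `now` are skipped: they need no revocation.
    Records issued after `acquired_at` are skipped: those are presumably yours.
    """
    acquired, ref = _parse_ts(acquired_at), _parse_ts(now)
    hits = []
    for rec in json.loads(crtsh_json):
        if not covers_domain(rec["name_value"], domain):
            continue
        nb, na = _parse_ts(rec["not_before"]), _parse_ts(rec["not_after"])
        if nb < acquired and nb <= ref <= na:
            hits.append({
                "id": rec["id"],
                "issuer": rec["issuer_name"],
                "serial": rec["serial_number"],
                "not_after": rec["not_after"],
                # A wildcard cert held by a stranger covers hosts you have not created yet.
                "wildcard": any(n.startswith("*.") for n in rec["name_value"].split("\n")),
            })
    return hits


if __name__ == "__main__":
    ACQUIRED = "2018-06-01T00:00:00"  # constructed: date the domain was bought
    NOW = "2018-06-15T00:00:00"       # constructed: date of the check
    for h in stale_certificates(SAMPLE_CRTSH_JSON, "example.test", ACQUIRED, NOW):
        print(f"crt.sh id {h['id']} serial {h['serial']} from {h['issuer']} "
              f"valid until {h['not_after']}" + (" (wildcard)" if h["wildcard"] else ""))
```

Run against real crt.sh output, the hits are the certificates to send to the issuer's revocation or abuse contact together with the registration date; the reseller's reassurance about your own new certificate is irrelevant to them, because a browser trusts any unexpired, unrevoked certificate chaining to a trusted root regardless of how many others exist for the name.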