
DigiCert .arpa Mis-Issuance - bitcynth
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/JFwqZx7RLL0
======
agwa
To be clear, the failure here is not that DigiCert issued for .arpa, which is
not forbidden, but that they gave the reporter, Cynthia Revström, the ability
to issue for all of in-addr.arpa even though she had only demonstrated control
over 5.168.110.79.in-addr.arpa. This vulnerability could have applied to
regular non-arpa domains too; e.g. someone with control over example.github.io
might have been able to get a certificate for any github.io domain.

However, since issuing for .arpa is weird (and maybe should be forbidden), the
discussion got sidetracked talking about .arpa issuance.

DigiCert's analysis of the vulnerability can be found here:
[https://groups.google.com/d/msg/mozilla.dev.security.policy/...](https://groups.google.com/d/msg/mozilla.dev.security.policy/JFwqZx7RLL0/ctOjU-v5AAAJ)
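
The scope check this comment describes, as an added example that is not part of the original thread and is not DigiCert's code: a requested certificate name is accepted only if it equals the validated name or sits below it on a label boundary. The function names and sample names are hypothetical, and treating `*.name` as covered when `name` itself is covered is an assumption.

```python
def normalize(name):
    """Lower-case a DNS name, drop one trailing root dot, return its labels."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    labels = name.split(".")
    if not name or any(label == "" for label in labels):
        raise ValueError(f"malformed DNS name: {name!r}")
    return labels


def in_validated_scope(requested, validated):
    """True only if `requested` is `validated` itself or a subdomain of it."""
    req = normalize(requested)
    val = normalize(validated)
    # Assumption: a leading wildcard label is allowed and is judged by the
    # name it hangs from; a "*" anywhere else is rejected.
    if req[0] == "*":
        req = req[1:]
    if not req or any("*" in label for label in req):
        return False
    # Compare whole labels from the right. A string suffix test would let
    # "evilexample.github.io" match "example.github.io".
    return len(req) >= len(val) and req[-len(val):] == val


def out_of_scope(validated, requested_names):
    """Return the requested names that the validation does not cover."""
    return [n for n in requested_names if not in_validated_scope(n, validated)]


if __name__ == "__main__":
    # Constructed request: control was demonstrated for one reverse-DNS name.
    validated = "5.168.110.79.in-addr.arpa"
    request = [
        "5.168.110.79.in-addr.arpa",  # the validated name itself
        "1.1.1.1.in-addr.arpa",       # sibling under the same parent
        "in-addr.arpa",               # the parent zone
    ]
    print("rejected:", out_of_scope(validated, request))
```
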

~~~
bitcynth
I am very much aware, because I am indeed that reporter, but I just didn't
want to change the title from the email subject.

~~~
jcims
Great example of vigilance here. I can’t see anything in your report that
would lead me to think this only happened to you, but you seem to be the first
to notice _and_ follow through on the hunch. Nice work!

~~~
bitcynth
Thank you :) I got a bit suspicious when I just saw in-addr.arpa in the
verification email and asked my friend if I should test it, and they said yes
so :P

