Comodo Issues an SSL Certificate for Microsoft's live.fi...

I saw this incident in "Microsoft Blacklists Fake Finnish Certificate"; the report it cites is "Microsoft Blacklists Fake Certificate", and Microsoft's security advisory is "Microsoft Security Advisory 3046310 (Improperly Issued Digital Certificates Could Allow Spoofing)".

The cause is that the username hostmaster was not blocked, so an ordinary user was able to register it:

In fact, he reports that he was able to register the alias "Hostmaster@live.fi", which he then used to obtain a legitimate HTTPS certificate for Live.fi via Comodo, which is the world's largest digital certificate authority.

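This incident raises the problem that there has never been a standard to follow for "validation". Roughly speaking, only "RFC 2142 - Mailbox Names for Common Services, Roles and Functions" lists some commonly used usernames, and I can't recall anything else. I don't know whether the CA/Browser Forum has a corresponding standard...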
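As an added example (not code from the post or from any mail provider), here is a registration-time check a mail service could run so that role mailboxes such as hostmaster cannot be claimed by ordinary users, plus an audit of accounts that already exist. The name list is the one in RFC 2142; `EXTRA_NAMES`, the function names and the sample addresses are assumptions made for this sketch.

```python
import unicodedata

# Mailbox names listed in RFC 2142 for business, network-operations
# and service-specific roles.
RFC2142_NAMES = {
    "info", "marketing", "sales", "support",
    "abuse", "noc", "security",
    "postmaster", "hostmaster", "usenet", "news",
    "webmaster", "www", "uucp", "ftp",
}
# Assumption added for this example (not from the post): two further
# administrative names a provider would usually also withhold.
EXTRA_NAMES = {"admin", "administrator"}
RESERVED = RFC2142_NAMES | EXTRA_NAMES


def normalize_local_part(requested: str) -> str:
    """Reduce a requested alias or address to its comparable local part."""
    # NFKC folds look-alike forms such as full-width letters to ASCII.
    text = unicodedata.normalize("NFKC", requested).strip()
    # Accept either "alias" or "alias@domain"; keep what precedes the last "@".
    local = text.rsplit("@", 1)[0]
    # Compare case-insensitively so "Hostmaster" matches "hostmaster".
    return local.casefold()


def is_reserved(requested: str) -> bool:
    """True when the alias must not be handed to an ordinary user."""
    return normalize_local_part(requested) in RESERVED


def audit_accounts(addresses):
    """Return already-registered addresses that collide with a reserved name."""
    return sorted(a for a in addresses if is_reserved(a))


if __name__ == "__main__":
    # Constructed sample data, not taken from any real system.
    existing = ["alice@example.test", "Hostmaster@example.test",
                "bob@example.test", "WEBMASTER@example.test"]
    for hit in audit_accounts(existing):
        print("reserved alias in use:", hit)
```

The audit matters as much as the signup check: a blocklist added after the fact does nothing about reserved aliases that were registered before it existed.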
