SSL Certificate Vendor Sells Mozilla.com Cert to Some Guy
In the absence of standards for applicant verification for standard SSL certificates, CAs need to promulgate strong policies and publicize their contractual obligations for resellers, and they need to audit those relationships.The SSL infrastructure is based, in a large sense, on trust. We trust that vendors of the software that checks certificates will only trust the roots of certificate authorities that are trustworthy, and that means CAs that check to see that the applicant for a certificate is who he says he is. Unfortunately, there are no real standards for how to verify identity of an applicant for a conventional SSL certificate. This is one of the main motivations behind EV-SSL, for which there is a defined standard for authentication of applicants.
But even for conventional SSL certs, you'd think there would be some verification done, but it's not always the case. Thus, we have the case of a Comodo reseller attempting to scam users into buying certs under false pretenses and then selling a cert for mozilla.com to someone with no affiliation with that organization.
Eddy,Under the circumstances, they seem to be doing what they can, although the circumstances are somewhat of their own making. It all raises a lot of questions:
As I noted in my prior correspondence, Comodo has undertaken an internal review of the Certstar reseller account. We have informed CertStar that their email violates their contractual obligation to refrain from sending unsolicited emails and that their email could be interpreted as misleading and confusing to the customer. During our review, we discovered that Certstar had apparently issued a certificate to mozilla.com without validating control of the domain. We immediately revoked the certificate (prior to your posting) and have suspended Certstar's reseller activities until our investigation has been completed. Please let me know if you have any further problems.
- It appears that Comodo affiliates do the verification, not Comodo itself. This surprises me. Is it typical of SSL affiliate relationships?
- How about EV-SSL? Is it sold through affiliates?
- Will Comodo now review other sales that Certstar has made for such problems?
- Which other CAs have affiliate relationships, and are they reviewing them as well?