20210223 - Sectigo fixes a flaw in its E-mail DCV validations

In early February, Sectigo was informed of a flaw in its validation processes that allowed certificates to be issued with incomplete DCV validation.

What about the flaw?

Sectigo, and Comodo before them, chose to offer the "with and without www." option for their single-site certificates.

Example:

- The CN of your CSR is "www.domain.com".
- The delivered certificate also contains a SAN for "domain.com".

And vice versa.

With the arrival of DCV and then the Baseline Requirements, this courtesy could only be maintained provided a DCV challenge was validated for each SAN / domain to be enlisted in the certificate.

That has been the case for the HTTP/HTTPS and DNS DCV challenges, but the E-mail DCV challenge was an exception.

Issuance without DCV?

Sectigo recently discovered a flaw in the E-mail DCV validation for certificates with a CN including "www.".

In this precise case, if the customer had selected an e-mail address including the "www." (@www.domain.com) for the DCV validation, the authority would deliver a certificate including a SAN for the apex domain (domain.com) even though only "www.domain.com" had been validated.

The fix

Sectigo reacted promptly and modified its processes to require validation of the apex domain as well.
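The check described above, as an added example that is not Sectigo's or TBS's code: a model of the SAN-coverage rule a CA must apply before issuing the "with and without www." pair, with the pre-fix shortcut (the CN alone is validated and the pair is issued) beside the corrected rule (every name in the pair needs its own coverage). The approved mailbox names and the "a validated domain covers itself and its subdomains, never its parent" scope are assumptions used for illustration.

```python
from typing import Iterable, Optional, Set

# Assumed set of mailbox local parts accepted for E-mail DCV (illustrative).
APPROVED_LOCAL_PARTS = {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}


def www_pair(cn: str) -> Set[str]:
    """Names enlisted by the 'with and without www.' option for a single-site CN."""
    cn = cn.lower().rstrip(".")
    return {cn, cn[4:]} if cn.startswith("www.") else {cn, "www." + cn}


def covers(validated: str, fqdn: str) -> bool:
    """A validated domain covers itself and its subdomains, never its parent
    (assumed DCV scope): validating 'www.domain.com' says nothing about 'domain.com'."""
    return fqdn == validated or fqdn.endswith("." + validated)


def email_validated_domain(email: str) -> Optional[str]:
    """Domain that a completed E-mail DCV challenge sent to `email` validates:
    the mailbox's own domain, and only for an approved local part."""
    local, _, domain = email.lower().rpartition("@")
    return domain if local in APPROVED_LOCAL_PARTS else None


def validated_domains(dcv_emails: Iterable[str]) -> Set[str]:
    return {d for d in map(email_validated_domain, dcv_emails) if d}


def missing_dcv_flawed(cn: str, dcv_emails: Iterable[str]) -> Set[str]:
    """Pre-fix behaviour described in the article: once the CN itself is covered,
    the whole pair is issued, so the apex rides along unvalidated."""
    validated = validated_domains(dcv_emails)
    if any(covers(v, cn.lower()) for v in validated):
        return set()
    return www_pair(cn)


def missing_dcv_fixed(cn: str, dcv_emails: Iterable[str]) -> Set[str]:
    """Corrected rule: each name that will appear in the certificate needs its own
    DCV coverage. Returns the names still awaiting validation (empty = may issue)."""
    validated = validated_domains(dcv_emails)
    return {n for n in www_pair(cn) if not any(covers(v, n) for v in validated)}


if __name__ == "__main__":
    # Constructed sample: the article's case, a CN with "www." and a DCV mail at @www.
    print(missing_dcv_flawed("www.domain.com", ["admin@www.domain.com"]))  # set()
    print(missing_dcv_fixed("www.domain.com", ["admin@www.domain.com"]))   # {'domain.com'}
```

Validating through an address at the apex (admin@domain.com) covers both names under the corrected rule, which is why the fix only needs to demand the apex challenge when the customer picked a "www." mailbox.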

What are the consequences for existing certificates?

The impacted customers have been informed and the certificates quickly revoked. No TBS customers were among them.