(In reply to comment #22)
> I think there are some open questions here, including:
>
> a) How many resellers were selling certs subordinate to that same PositiveSSL
> CA cert?
To the best of my knowledge there are many, most likely in the hundreds, maybe more.
>
> Do we know that the number is more than 1?
Yes
> b) Did all those resellers share a common DV checking service?
No
> Or did each provide its own DV checking independently?
No
> If all the resellers of certs subordinate to that CA cert shared a common
> DV checking service, then again, replacing that CA cert seems to fit the
> scope of the potential problem.
They don't have a common DV checking service. I'm in the process of providing more information in a short time.
However, apparently it's the same intermediate CA which issues the certificates. But of course Comodo can change that in a short time and issue from a different root or intermediate should Mozilla decide to take some action.