On Friday, April 25, 2014 1:50:35 PM UTC-4, Jan Lühr wrote: > (ii) > I strongly don't agree with that point: > "For private sites that are usually not visited by the public > (administrative panels for example), changing the host name, deleting > the previous DNS entry, obtaining a new certificate and never visit the > original site again might work too. Many of the free Class 1 level > certificates are used for such purpose." > > The point is: After key-leakage mitm attacks are possible. Think of an > insider being in a encrypted Wifi network. Having "valid" cert for an > unused subdomain can do harm ...
Let's not forget that the StartSSL Class1 certs are issued with two Subject Alternative Name: the subdomain's, (imap.example.com) and the *root domain*s (example.com). This plan implies serving nothing at example.com I too would like to see a statement of official position wrt. Startcom's trustworthiness from Mozilla. Eddy: How many Class1 certificates have you issued that are active and not expired? Check your OCSP logs for activity and your CA logs for expiration, but don't quote Netcraft's estimates. That's dishonest. _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
