On Tuesday, June 9, 2015 at 3:05:30 AM UTC-7, Hubert Kario wrote: > True, OTOH, if a third party says that there was a misissuance, that means > there was one.
I disagree. Only the domain owner knows for sure what is a misissuance, and what isn't. It seems likely that I might turn over all known certs for my domain to the third party, but they might find another one, and I might say "oh, yeah, I forgot about that one". So a third party can only report to the domain owner, but cannot know if the cert is legitimate. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy