Only reason I'm focusing on Let's Encrypt and ACME is because they are currently under review for inclusion. As far as I'm concerned all CAs with similar interfaces warrant this extra scrutiny.
I am somewhat curious if any of this has come up before in other forums--that these interfaces can be abused and lead to certificate mis-issuance?

Original Message
From: Matt Palmer
Sent: Friday, July 1, 2016 12:16 AM
To: dev-security-policy@lists.mozilla.org
Subject: Re: StartEncrypt considered harmful today

On Thu, Jun 30, 2016 at 11:10:45AM -0500, Peter Kurrasch wrote:
> Very interesting. This is exactly the sort of thing I'm concerned about
> with respect to Let's Encrypt and ACME.

Why? StartCom isn't the first CA to have had quite glaring holes in its automated DCV interface and code, and I'm sure it won't be the last. What is so special about Let's Encrypt and ACME that you feel the need to constantly refer to it as though it's some sort of new and special threat to the PKI ecosystem?

- Matt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy