On 07/01/2016 05:54 PM, Patrick Figel wrote:
Can you comment on how your backend checks would have prevented any
misissuance? My understanding of the report is that this was not so much
an issue with the client software, but rather an oversight in the
protocol that allows Domain Validation checks that are not sufficient in
assuring domain ownership, thus the issue was very much a backend issue.
I assume there are reasonable controls in place to prevent misissuance
for high-risk domains, but what about other domains? Would they have
been affected by this?
Hi Patrick,
Depending on the flagging parameters and the attending certificate
officer, the (some) certificate might or might have not been issued -
I'm careful with this statement as suspicion can arise for this or the
other reason, but it's not 100%. High-profile names would have been
flagged and not issued though.
I would also be curious about why the certificate has not been logged to
CT, given StartCom's prior statements with regards to CT adoption.
We are checking it, it might have been logged at the wrong place. I'll
try to provide an answer on this too when possible.
--
Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: [email protected] <xmpp:[email protected]>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
