On Wed, Aug 24, 2016 at 12:40 PM, Jeremy Rowley
<jeremy.row...@digicert.com> wrote:
> However, the fact a researcher was able to obtain a cert without proper domain
> validation is pretty serious. I'd like to hear more details about how this was
> accomplished. Ports 8080 and 8443 aren't that uncommon so penalizing someone
> merely for port use seems harsh when there wasn't a policy against it.

There was no restriction on ports at all. Any client-specified port
was accepted, and any HTTP-like response it gave back was accepted.
dev-security-policy mailing list