On Friday, September 9, 2016 at 12:00:15 AM UTC+8, Stephen Schrauger wrote:
> Regarding the specific file verification method:
>
> It proves you control the web server that runs under the domain. Which is
> more or less all that you need to prove, since a TLS certificate is designed
> for web security.
>
> If you don't control DNS, but you do control the web server, you essentially
> control the domain as far as web browsing goes, and thus you should be able
> to acquire a certificate for that domain. Which is probably why it is
> included in the Baseline Requirements as an acceptable validation method.

My concern is there could be multiple websites deployed on one host. So the host admin could issue a certificate for a domain. Since the validity period is typically 1 year or more, it's a security concern if the domain owner has changed the record but the certificate wasn't revoked.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

