On 11/09/16 23:42, Lee wrote:
>> A careful CA validator does DNS only by making authoritative queries, so
>> they're not subject to cache poisoning since they don't look at cached
>> answers.
>
> Would a not careful CA be flagged on their yearly audit?

It only might, if doing non-authoritative queries violated some standard. As far as I can recall, even the updated validation section does not require this. That might make a good amendment.

Gerv
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
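The distinction Lee quotes (a validator that walks the delegation chain from the root and never reads a recursive cache, versus one that trusts cached answers) can be modelled offline. The following is an added illustration, not code from this thread or from any CA's validation software; the nameserver names, zone data and addresses are constructed for the example, the recursive cache is a plain dict, and no real DNS traffic is sent.

```python
"""Toy model of iterative (authoritative-only) resolution versus a
recursive cache, to show why the former is unaffected by a poisoned cache.

All zone data, server names and addresses are constructed for this
example (RFC 5737 documentation ranges); nothing here touches the network.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed authoritative data, keyed by nameserver name. An NS record
# held by a parent-zone server is a referral to the child zone's server.
AUTHORITATIVE = {
    "a.root-servers.test": {
        ("com.", "NS"): ["a.gtld-servers.test"],
    },
    "a.gtld-servers.test": {
        ("example.com.", "NS"): ["ns1.example.com."],
    },
    "ns1.example.com.": {
        ("example.com.", "A"): ["192.0.2.10"],
        ("www.example.com.", "A"): ["192.0.2.11"],
    },
}
ROOT = "a.root-servers.test"


@dataclass
class Response:
    answer: Optional[list]    # RRset when the server answered authoritatively
    referral: Optional[str]   # next server to ask when this was a referral


def query(server: str, qname: str, qtype: str) -> Response:
    """Simulate one query to a single authoritative server (no caching)."""
    records = AUTHORITATIVE[server]
    if (qname, qtype) in records:
        return Response(answer=records[(qname, qtype)], referral=None)
    # No answer held here: refer to the closest enclosing delegation we know.
    labels = qname.split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if (zone, "NS") in records:
            return Response(answer=None, referral=records[(zone, "NS")][0])
    return Response(answer=None, referral=None)  # no data / NXDOMAIN


def resolve_authoritative(qname: str, qtype: str, max_hops: int = 8):
    """Walk referrals from the root, asking only authoritative servers.

    Returns (answer_rrset, list_of_servers_consulted). Never reads a cache,
    so a poisoned recursive resolver cannot influence the result.
    """
    server, path = ROOT, []
    for _ in range(max_hops):
        path.append(server)
        resp = query(server, qname, qtype)
        if resp.answer is not None:
            return resp.answer, path
        # A missing referral, or a server referring to itself, ends the walk.
        if resp.referral is None or resp.referral == server:
            return [], path
        server = resp.referral
    raise RuntimeError("referral chain too long (possible delegation loop)")


def resolve_via_cache(qname: str, qtype: str, cache: dict):
    """A 'not careful' validator: trust whatever the recursive cache holds."""
    key = (qname, qtype)
    if key in cache:
        return cache[key]
    answer, _ = resolve_authoritative(qname, qtype)
    cache[key] = answer
    return answer


def poisoned_cache() -> dict:
    """Constructed cache state in which a bogus record for example.com. has
    already been planted; this is the condition the careful validator avoids."""
    return {("example.com.", "A"): ["198.51.100.66"]}


if __name__ == "__main__":
    cache = poisoned_cache()
    print("via cache      :", resolve_via_cache("example.com.", "A", cache))
    print("authoritative  :", resolve_authoritative("example.com.", "A"))
```

Run stand-alone it prints the planted address from the cache path and 192.0.2.10 with the three-server walk from the authoritative path; the point is that the validator's answer depends only on the servers it chose to ask, not on any resolver state it shares with other clients.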

