On 12/09/2016 09:42, Gervase Markham wrote:
On 11/09/16 23:42, Lee wrote:
A careful CA validator does DNS only by making authoritative queries, so
they're not subject to cache poisoning since they don't look at cached
answers.

Would a not careful CA be flagged on their yearly audit?

It only might, if doing non-authoritative queries violated some
standard. As far as I can recall, even the updated validation section
does not require this. That might make a good amendment.


Wouldn't this fall under the general auditable requirement of being
careful in their practices and procedures?  For example, I don't think
there would be specific BRs covering if they remember to lock the door
to the server room.

This would be very similar to how financial auditors do some
checking if the day to day accounting practices are sound in terms of
avoiding fraud.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy