On Tue, Sep 13, 2016 at 7:53 AM, Ryan Sleevi <[email protected]> wrote: > We also see a variety of domains using certs from either for purposes that > are ostensibly not relevant to browsers - a frequent dead give-away is a cert > for autodiscover.[example.com] - which is an Exchange AutoConfiguration > server not used by browsers - and mail.[example.com]. I would assert we can > be reasonably confident that critical services should generally not be > impacted if such a cert was not included.
I would be careful reading too much into server names. mail.[example.com] might host web based email access. For example, I'm typing this into a site called mail.google.com :) _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
