On Sunday, 2 October 2016 11:11:34 UTC+1, Patrick Figel wrote:
> https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg04274.html

Thanks, I too could not find this in Google Groups. That is a little concerning 
as I had assumed this was the authoritative source, since it's linked from 
Mozilla's own pages.

The first thing that jumps out at me from their report is that they mistake .sb 
for a gTLD when it is actually a ccTLD.

The second thing obviously is that they do have exactly the "rule" Richard Wang 
described, and they believe this was justified under the BRs' old 3.2.2.4 method 
7 (which isn't a method at all, it's basically a catch-all).

I examined the Comodo CPS and wasn't able to find any mention of this rule. 
Indeed based on the CPS I would have assumed that control over a website 
www.example.com would under no circumstances be sufficient to get a certificate 
for the name example.com from Comodo and I would be grateful if anyone can 
point me to where they have written that it is.

I think that's probably something that needs to go to CA/B although of course 
Mozilla would be well within its rights to just write to all CAs, asking if 
they have this or any similar "rules" that frustrate the intention of 3.2.2.4 
and if so asking them to fix it by some reasonable deadline, such as EOY 2016.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
