On Friday, November 4, 2016 at 12:18:40 PM UTC+2, Gervase Markham wrote:
> ... But because WoSign had done the appropriate domain control checks,
> we did not consider this a mistake by WoSign.
(To my understanding) they did violate a "SHALL" guideline: "The CA SHALL develop, maintain, and implement documented procedures that identify and require additional verification activity for High Risk Certificate Requests prior to the Certificate’s approval, as reasonably necessary to ensure that such requests are properly verified under these Requirements."

I don't recall if they automatically approved it or manually approved it by mistake (the operator wasn't familiar with Alibaba).

alicdn.com is ranked 760 in the Alexa top 1 million, and requests for this domain should be considered "high risk":

CMD$ wget http://s3.amazonaws.com/alexa-static/top-1m.csv.zip; gzip -cd top-1m.csv.zip | grep alicdn.com

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
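The check the post sketches with grep, written out as an added example (editor's code, not the poster's and not any CA's actual procedure): a lookup of a requested name against an Alexa-style "rank,domain" list that also catches subdomains and wildcards (a request for img.alicdn.com or *.alicdn.com should be flagged because alicdn.com is listed) while not matching lookalikes such as alicdn.com.evil.net, which a plain substring grep would hit. The sample list, the 10000 rank threshold and the function names are assumptions for illustration; the Baseline Requirements leave the definition of "High Risk" to the CA.

```python
import csv
import io

# Constructed sample in the format of Alexa's top-1m.csv ("rank,domain").
# The real file is the one the post downloads from s3.amazonaws.com/alexa-static;
# only the alicdn.com entry below reflects the rank quoted in the post.
SAMPLE_TOP_1M = """\
1,google.com
2,youtube.com
760,alicdn.com
20000,example.org
"""


def load_ranks(csv_text):
    """Parse 'rank,domain' lines into a dict {domain: rank}.

    Blank or malformed lines are skipped; names are lower-cased and a
    trailing dot is removed so lookups are canonical.
    """
    ranks = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != 2:
            continue
        rank, domain = row
        ranks[domain.strip().lower().rstrip(".")] = int(rank)
    return ranks


def high_risk_rank(requested, ranks, threshold=10000):
    """Return the rank that makes `requested` high-risk, or None.

    The requested name is matched exactly and then by walking up its parent
    domains (img.alicdn.com -> alicdn.com), stopping before the bare TLD.
    A leading "*." (wildcard request) is removed first. `threshold` (the rank
    at or above which a listed domain counts as high-risk) is an assumed
    policy knob, not a value from the BRs.
    """
    name = requested.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    # range(len-1) stops before the single-label TLD ("com"), which should
    # never be treated as a match.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        rank = ranks.get(candidate)
        if rank is not None and rank <= threshold:
            return rank
    return None


def classify_request(requested, ranks, threshold=10000):
    """Label a certificate request for the validation queue."""
    rank = high_risk_rank(requested, ranks, threshold)
    if rank is None:
        return "normal"
    return "high-risk (popularity rank %d): requires additional verification" % rank


if __name__ == "__main__":
    ranks = load_ranks(SAMPLE_TOP_1M)
    for name in ("alicdn.com", "img.alicdn.com", "*.alicdn.com",
                 "alicdn.com.evil.net", "example.org"):
        print(name, "->", classify_request(name, ranks))
```

The parent-domain walk is what makes the difference in the case discussed: the mis-issued names were subdomains of alicdn.com, and a list lookup that only compares the full requested name would miss them. Conversely, `alicdn.com.evil.net` only yields the candidates `alicdn.com.evil.net`, `com.evil.net` and `evil.net`, none of which are listed, so it is not flagged on popularity grounds (a lookalike check would be a separate rule).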

