As Ryan said, thanks for informing m.d.s.policy about this issue. I am interested in the same general area as Ryan but I will ask my question separately, feel free to answer them together.
Has GoDaddy been following ACME https://datatracker.ietf.org/wg/acme/charter/ development, either with a view to eventually implementing ACME, or just to learn the same lessons about automating domain validation ? Perhaps the most surprising thing the ACME WG discovered was that due to a common misconfiguration customers sharing a bulk host can often answer HTTPS requests for other people's sites that haven't for whatever reason enabled SSL yet. GoDaddy's validation method as described would be vulnerable to this problem. Can you say what, if anything, GoDaddy does to avoid being tricked into issuing a certificate on this basis ? _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
