On Wed, Jan 11, 2017 at 10:06 AM, Nick Lamb <tialara...@gmail.com> wrote: > Why go to the bother of setting up a web server on say, smtp.example.com, > only to get yourself a certificate, and then turn off the web server and use > the certificate for SMTP? It's not impossible, but it would be very much the > exception.
Because you're not required to setup the webserver for smtp.example.com. It's sufficient to setup the webserver for example.com to authorize the name, by creatively interpreting the Method 7 (prior to Ballot 169) and applying the logic from Method 4 to suggest it's OK to prune the domain (despite Method 6 not allowing this). I'm not saying they'd be right in arguing so, but they wouldn't be the only CA who applied such an interpretation. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy