On 13/01/17 17:10, Fred Emmott wrote:
> In January 2010, I reported two issues to GoDaddy, with an example
> certificate that should have been rejected:
> - their website-based authentication required a request to an URL
>   including a random string to include the same random string.
Reading through your bug report, it does seem like the problem you encountered was very similar to that recently reported. Perhaps Wayne would care to comment?

While there are no audits for the QA process of a CA, domain validation is the /sine qua non/ of certificate issuance and I would hope and expect all CAs to have robust testing processes surrounding any changes to this part of their issuance infrastructure, both testing that certificates are issued for domains they should be, and that they are not issued for domains that they should not be, under an adversarial threat model.

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
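The validation flaw Fred describes (a check satisfied by any site that echoes the request URL) and the two-sided adversarial test Gerv asks for, as an added Python sketch that is not from this thread or from any CA's code; the well-known path, the simulated origins and the token/binding scheme are constructed for illustration, not any real CA's method:

```python
import secrets

# Constructed path for the sketch, not any CA's real validation location.
WELL_KNOWN = "/.well-known/pki-validation/"

def make_challenge():
    """CA side: a per-request random token that goes into the fetched URL, and a
    binding value the requester must know but which never appears in the URL."""
    return secrets.token_urlsafe(16), secrets.token_hex(16)

def flawed_validate(domain, token, binding, fetch):
    """Flawed check: accepts if the response merely *contains* the random string
    that was in the request URL. A site that reflects the request path passes."""
    body = fetch(f"http://{domain}{WELL_KNOWN}{token}")
    return token in body

def hardened_validate(domain, token, binding, fetch):
    """Hardened check: the body must exactly equal token.binding, and the binding
    is absent from the URL, so echoing the request can never satisfy it."""
    expected = f"{token}.{binding}"
    body = fetch(f"http://{domain}{WELL_KNOWN}{token}").strip()
    return secrets.compare_digest(body, expected)

# Simulated origins; each stands in for an HTTP fetch of a URL.
def legitimate_origin(token, binding):
    """Origin the requester controls: serves the proof at the well-known path."""
    def fetch(url):
        if url.endswith(WELL_KNOWN + token):
            return f"{token}.{binding}\n"
        return "<html>not found</html>"
    return fetch

def reflecting_origin(url):
    """Origin the requester does NOT control, whose error page echoes the path."""
    return f"<html>404: {url} was not found</html>"

def unrelated_origin(url):
    """Origin the requester does not control and which reflects nothing."""
    return "<html>hello</html>"

def run_adversarial_suite(validate):
    """Both halves of the test: issuance where it should happen, and refusal
    where it should not. Returns {case: validation outcome}."""
    token, binding = make_challenge()
    return {
        "legitimate": validate("example.test", token, binding,
                               legitimate_origin(token, binding)),
        "reflecting": validate("victim.test", token, binding, reflecting_origin),
        "unrelated": validate("other.test", token, binding, unrelated_origin),
    }
```

Running the suite against both validators shows the flawed one "issuing" for the reflecting origin while the hardened one refuses it, which is exactly the regression a CA's QA process should catch before deployment.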

