I don't understand all steps. You say that [email protected] receives a code (not an activation URL). So when he sends the code to his employee, how does the hacker get the code?
(Besides, most CAs limit the code validity to a few minutes, so this scenario is not likely to work many times.)

About your long term solution:
- the idea about the flag is not bad. Maybe someone can write an RFC about it.
- but improving the revocation process doesn't solve the actual problem you mentioned (the insecure validation)
- since a lot of web servers don't support OCSP stapling, the CAs would make their customers very, very angry if the purchased certificate doesn't work on their web server.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

