> I don't understand all steps. You say that [email protected] receives
> a code (not an activation URL). So when he sends the code to his employee,
> how does the hacker get the code?

[email protected] receives:

- (first CA) the code and a URL where he has to paste the code
- (second CA) a URL where he has to click on a button

So it's more likely he does the validation himself than sending the code to the other employee.

> - but improving the revocation process doesn't solve the actual problem you
> mentioned (the insecure validation)

When you are the target of an elaborate phishing, you often realize it too late, when the legitimate employee sees the emails for example, so improving the revocation is important.

> - since a lot of web servers don't support OCSP stapling, the CAs would make
> their customers very, very angry, if the purchased certificate doesn't work
> on their web server.

Using a CAA is a decision of the customers, and the CA could emphasize that requirement during the validation process.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

