On Monday, January 23, 2017 at 10:34:42 AM UTC+1, Santhan Raj wrote:
> If a domain administrator approves a request without checking why/who needs 
> the cert, there is little a CA can do to mitigate such threats.

I agree. But the CA could help prevent these threats.

And, in that specific case, the CA did facilitate that threat by stating a 
falsehood: The CA stated that a legitimate employee did request the cert, 
when, in fact, the CA has no idea who requested it (If I'm not mistaken, in 
both my tests the CA did not validate the ownership of the email of the 
"employee" asking for the certificate).
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
