On Mon, Apr 10, 2017 at 02:57:41PM +0000, Steve Medin via dev-security-policy wrote:
> In April 2015, security consultant Chris Byrne responsibly disclosed two
> potential vulnerabilities related to our Quick Invite feature, which
> enables a reseller to invite pre-selected customers to enroll for
> certificates, via customized emails to the customer that contain deep
> links for enrollment, specific to the invitee.
What validation level were these certificates issued at? DV, OV, or EV? Was
any of the information provided by the reseller used in the issued
certificate? I ask this specifically because you state:

> Importantly, we do not believe that there was any danger
> of a cert being issued without proper demonstration of ownership or
> control of the domain.

However, there is no mention of whether a certificate could be issued
without proper validation of other information that may be present in a
certificate. If these were DV certs, that's all fine and dandy, but there's
no indication in your statement as to what validation level certificates
issued via the Quick Invite program used.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
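One way to answer the question above for any certificate you hold, as an added example that is not part of this thread or of any CA's code: read the CA/Browser Forum policy OIDs the certificate asserts and check whether its Subject carries an Organization, which DV validation cannot vouch for. The self-signed sample certificate, the example.test name and the Organization string are constructed for the demonstration; the policy OIDs are the published CA/B Forum values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// CA/Browser Forum policy OIDs by which a publicly trusted leaf asserts its
// validation level; rank lets Classify report the strongest one present.
var levelByOID = map[string]string{"2.23.140.1.2.1": "DV", "2.23.140.1.2.2": "OV", "2.23.140.1.2.3": "IV", "2.23.140.1.1": "EV"}
var rank = map[string]int{"none": 0, "DV": 1, "IV": 2, "OV": 3, "EV": 4}

// Classify returns the level the certificate asserts ("none" if it carries no
// CA/B Forum policy OID) and whether its Subject holds an Organization, which
// only OV/IV/EV validation vouches for; DV policy next to an O is a mismatch.
func Classify(cert *x509.Certificate) (level string, hasOrg bool) {
	level = "none"
	for _, p := range cert.PolicyIdentifiers {
		if l, ok := levelByOID[p.String()]; ok && rank[l] > rank[level] {
			level = l
		}
	}
	return level, len(cert.Subject.Organization) > 0
}

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// SelfSigned builds a constructed sample certificate (not a real issuance) with
// one policy OID and an optional Organization; certificatePolicies (2.5.29.32)
// is written as a raw extension so no Go-release-specific field handling matters.
func SelfSigned(policy []int, org string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	pols := must(asn1.Marshal([]struct{ ID asn1.ObjectIdentifier }{{asn1.ObjectIdentifier(policy)}}))
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		NotBefore:       time.Now(),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: pols}},
	}
	tmpl.Subject.CommonName = "example.test"
	if org != "" {
		tmpl.Subject.Organization = []string{org}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}
```

Run Classify over a real leaf parsed with x509.ParseCertificate; a "DV" result with hasOrg true is exactly the case where Subject identity data was not validated to the level the policy OID implies.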