Hi Yuhong,

Yes, there may not be much harm in a mis-issued certificate for example.com due to its purpose/use.

However, from the perspective of root programs and the CA/B Forum, it is still mis-issuance and considered a serious problem. CAs should not be issuing certificates without documented confirmation that the certificate request was properly verified. As Matthew suggested, the proper thing for a CA to do is operate their own domain for these kinds of tests.

-Vincent

On Wed, May 31, 2017 at 1:10 PM Yuhong Bao via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> The point is that "misissuance" of example.com is harmless as they are reserved by IANA.
> ________________________________________
> From: dev-security-policy <dev-security-policy-bounces+yuhongbao_386=hotmail....@lists.mozilla.org> on behalf of Matthew Hardeman via dev-security-policy <dev-security-policy@lists.mozilla.org>
> Sent: Wednesday, May 31, 2017 10:08:10 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: StartCom issuing bogus certificates
>
> On Wednesday, May 31, 2017 at 12:04:51 PM UTC-5, Yuhong Bao wrote:
> > It would be better to use example.com and not test.com or anything like that, as that is defined by IANA as a reserved domain.
>
> No, it is necessary to respect the baseline requirements in issuing from "real" trusted or to-be-trusted systems.
>
> CAs have gotten in trouble / are in trouble for mis-issuances including example.com quite recently.
>
> If a dnsName needs to be included in your test certificate, register a domain owned by the CA for testing purposes.
--
Vincent Lynch
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy