It's absolutely not harmless to use example.com to test certificate
issuance. People visit example.com all the time, given its role. An
unauthorized certificate for example.com could let someone other than its
owner hijack user connections, and maliciously redirect traffic or inject
code/content, same as for any other online service people use. It's an
actual security problem, not just a compliance violation.

-- Eric

On Wed, May 31, 2017 at 3:18 PM, Jeremy Rowley via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Agreed - the license to use the domain granted by IANA is only for inclusion
> in documents (https://www.iana.org/domains/reserved). There isn't a license
> to use the domain for testing or any other purposes.
>
> -----Original Message-----
> From: dev-security-policy
> [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org]
> On Behalf Of Kurt Roeckx via dev-security-policy
> Sent: Wednesday, May 31, 2017 11:55 AM
> To: Yuhong Bao <yuhongbao_...@hotmail.com>
> Cc: mozilla-dev-security-pol...@lists.mozilla.org; Matthew Hardeman
> <mharde...@gmail.com>
> Subject: Re: StartCom issuing bogus certificates
>
> On Wed, May 31, 2017 at 05:09:57PM +0000, Yuhong Bao via dev-security-policy wrote:
> > The point is that "misissuance" of example.com is harmless as they are
> > reserved by IANA.
>
> But example.com is a real domain that even has an https website. The
> certificate is issued by digicert, and the subject says it's to ICANN. If
> the certificate is not requested by IANA or ICANN nobody should issue a
> certificate for it.
>
>
> Kurt
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>


-- 
konklone.com | @konklone <https://twitter.com/konklone>