I don't think there is anything important on example.com though

________________________________________
From: Eric Mill <e...@konklone.com>
Sent: Wednesday, May 31, 2017 4:34:20 PM
To: Jeremy Rowley
Cc: Kurt Roeckx; Yuhong Bao; mozilla-dev-security-pol...@lists.mozilla.org; Matthew Hardeman
Subject: Re: StartCom issuing bogus certificates

It's absolutely not harmless to use example.com to test certificate issuance. People visit example.com all the time, given its role. An unauthorized certificate for example.com could let someone other than its owner hijack user connections, and maliciously redirect traffic or inject code/content, same as for any other online service people use. It's an actual security problem, not just a compliance violation.

-- Eric

On Wed, May 31, 2017 at 3:18 PM, Jeremy Rowley via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

Agreed - the license to use the domain granted by IANA is only for inclusion in documents (https://www.iana.org/domains/reserved). There isn't a license to use the domain for testing or any other purposes.

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Kurt Roeckx via dev-security-policy
Sent: Wednesday, May 31, 2017 11:55 AM
To: Yuhong Bao <yuhongbao_...@hotmail.com>
Cc: mozilla-dev-security-pol...@lists.mozilla.org; Matthew Hardeman <mharde...@gmail.com>
Subject: Re: StartCom issuing bogus certificates

On Wed, May 31, 2017 at 05:09:57PM +0000, Yuhong Bao via dev-security-policy wrote:
> The point is that "misissuance" of example.com is
> harmless as they are reserved by IANA.

But example.com is a real domain that even has an https website. The certificate is issued by DigiCert, and the subject says it's to ICANN. If the certificate is not requested by IANA or ICANN, nobody should issue a certificate for it.

Kurt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

--
konklone.com | @konklone
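As an added example that is not part of this thread or any CA's code: a small Python pre-issuance check that flags dNSName SubjectAltName entries falling under the IANA-reserved names Jeremy links to, so a CA pipeline can hold such a request for manual review rather than auto-issue it. The reserved lists are taken from RFC 2606 / RFC 6761 (the names on the IANA page), and the function names and the sample SAN list are my own constructions.

```python
"""CA-side pre-issuance check for IANA-reserved DNS names (constructed example)."""
from typing import Iterable, Optional

# Reserved names per https://www.iana.org/domains/reserved (RFC 2606 / RFC 6761).
RESERVED_DOMAINS = frozenset({"example.com", "example.net", "example.org"})
RESERVED_TLDS = frozenset({"test", "example", "invalid", "localhost"})


def normalize_dns_name(name: str) -> str:
    """Lower-case, drop a trailing dot and a leading wildcard label ("*.")."""
    host = name.strip().lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    return host


def reserved_reason(name: str) -> Optional[str]:
    """Return why a dNSName is reserved, or None if it is not."""
    labels = normalize_dns_name(name).split(".")
    if labels[-1] in RESERVED_TLDS:
        return f"reserved TLD .{labels[-1]}"
    # Walk the suffixes so www.example.com and deeper labels are caught,
    # while a different registrable domain such as myexample.com is not.
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in RESERVED_DOMAINS:
            return f"reserved domain {suffix}"
    return None


def check_san_request(san_names: Iterable[str]) -> dict:
    """Map each reserved SAN in a request to the reason it needs the holder's authorization."""
    findings = {}
    for name in san_names:
        reason = reserved_reason(name)
        if reason:
            findings[name] = reason
    return findings


if __name__ == "__main__":
    # Constructed sample request: one legitimate name, two reserved ones.
    sample_sans = ["www.digicert.example.community", "*.example.com", "host.test"]
    for san, why in check_san_request(sample_sans).items():
        print(f"HOLD for manual review: {san} ({why})")
```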