Hey Nick - I plan to include all relevant OIDs in the cert. I figured that way relying parties understand the total risk associated with verification of the certificate, even if they don't know exactly the methods tied to each listed domain. If a method is eventually deemed less desirable (*cough* domain authorization letters *cough*), then the entire cert would need to be replaced anyway to reflect deprecation of that method.
Jeremy

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Nick Lamb via dev-security-policy
Sent: Wednesday, August 2, 2017 4:57 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: DigiCert-Symantec Announcement

On the use of OIDs to signify the Blessed Method used for validation, I thought it can't hurt to mention the first obstacle for this idea which occurred to me in respect of Let's Encrypt (and more generally any CA importing ACME, I think).

Suppose an applicant asks for www.example.com, images.example.com and www.example.org. They demonstrate control over www.example.com using files in .well-known/ (sorry, I'm writing this on my phone in a hotel room, don't have BR section numbers in front of me) but use DNS to show control over www.example.org...

Which OID goes in this certificate? Both of them?

There are arbitrarily more complicated examples along these lines, all worth a bit of thought before setting off, I think.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
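The multi-domain case Nick raises and Jeremy's answer (list every method's OID and let relying parties judge the whole certificate), as an added example that is not part of this thread: a small DER encoder and parser for the certificatePolicies extension plus a relying-party check that rejects a certificate whose weakest listed method falls below policy. The OIDs under 2.999 (the documentation arc), the method names and the risk scores are assumptions made for the example; no CA/Browser Forum assignments are implied.

```python
# Added example: a relying party reads certificatePolicies and judges the certificate by the
# weakest validation method listed. OIDs under 2.999 (documentation arc) and scores are hypothetical.
METHOD_RISK = {"2.999.1": ("dns-txt", 1), "2.999.2": ("well-known-http", 1),
               "2.999.3": ("domain-authorization-letter", 3)}  # letters: the deprecated method

def _base128(n):  # DER subidentifier: 7-bit groups, high bit set on all but the last
    out = [n & 0x7F]
    while n := n >> 7:
        out.append(0x80 | (n & 0x7F))
    return bytes(reversed(out))

def encode_oid(dotted):  # the first two arcs share one subidentifier, 40*a + b
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(40 * arcs[0] + arcs[1]) + b"".join(map(_base128, arcs[2:]))
    return bytes([0x06, len(body)]) + body  # short-form length is enough here

def decode_oid(body):
    subids, n = [], 0
    for b in body:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(n); n = 0
    head = [2, subids[0] - 80] if subids[0] >= 80 else divmod(subids[0], 40)
    return ".".join(map(str, [*head, *subids[1:]]))

def read_tlv(buf, pos=0):  # returns (tag, value, position after the TLV)
    tag, length = buf[pos], buf[pos + 1]
    assert length < 128, "long-form lengths not handled in this example"
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def encode_policies(oids):  # certificatePolicies ::= SEQUENCE OF SEQUENCE { policyIdentifier }
    body = b"".join(bytes([0x30, len(i)]) + i for i in map(encode_oid, oids))
    return bytes([0x30, len(body)]) + body

def parse_policies(ext_value):
    _, seq, _ = read_tlv(ext_value)  # outer SEQUENCE
    oids, pos = [], 0
    while pos < len(seq):
        _, info, pos = read_tlv(seq, pos)  # one PolicyInformation
        tag, oid_body, _ = read_tlv(info)  # policyIdentifier comes first; qualifiers are ignored
        assert tag == 0x06, "policyIdentifier must be an OID"
        oids.append(decode_oid(oid_body))
    return oids

def assess(ext_value, max_risk=2):  # the whole cert is judged by its weakest listed method
    methods = [METHOD_RISK[o] for o in parse_policies(ext_value) if o in METHOD_RISK]
    if not methods:  # unrelated policy OIDs (e.g. a plain DV policy OID) are ignored
        return False, "no validation-method OID present"
    name, risk = max(methods, key=lambda m: m[1])
    return risk <= max_risk, name
```

Nick's certificate (one name via .well-known, one via DNS) carries both OIDs and passes; a certificate that also lists the letter method fails on that method alone, which is the "entire cert would need to be replaced" outcome Jeremy describes.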