On 04/11/2017 02:36 PM, Daniel Cater via dev-security-policy wrote:
> I notice that on https://crt.sh/mozilla-onecrl there are lots of certificates
> that have recently been added to OneCRL from the .tg TLD (Togo), including
> ones for high-profile domains such as google.tg. The issuances occurred 3
> days ago, on 1st November.

According to LE CP section 4.2.1:

The CA SHALL develop, maintain, and implement documented procedures that identify and require additional verification activity for High Risk Certificate Requests prior to the Certificate’s approval, as reasonably necessary to ensure that such requests are properly verified under these Requirements.

The same language also exists in section 4.2.1 of the CA/B Forum BRs.

Has Let's Encrypt implemented the documented procedures? Is a request for google.tg considered a high risk certificate request based on the Let's Encrypt risk-mitigation criteria?

Regards,
Fotis

>
> I don't see a thread already for this here, or on
> https://letsencrypt.org/blog/ so I thought I would start one.
>
> From the check-in comment "registry problems", I assume that this is a
> problem with the TLD rather than with Let's Encrypt.
>
> As OneCRL and CRLSets are public this information is being noticed. There is
> likely a large overlap between the people that read this group and the people
> that monitor those lists. That said, be mindful of posting any specific
> technical vulnerabilities or exploits which may not yet be patched.
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy