On Tue, 28 Nov 2017 04:26:30 +0100 Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Nick Lamb, in the message I replied to, clearly suggested as much, and
> provided a contrived scenario to "prove" that point.

That's true, and I apologise if the effect was to de-rail the thread, but I certainly don't concede that just because the scenario was contrived it won't happen. I think like spear phishing we can expect to see sophisticated criminals targeting organisations through this sort of vulnerability, so to say "casing the joint" before their attack, figuring out exactly which services exist, what infrastructure is shared or public, looking for weaknesses. A CA needn't make that job easier.

> I am referring to the cost to the certificate subscriber, specifically
> the cost of paying for two properly validated certificates rather than
> two. Nick Lamb's scenario involved someone deliberately ordering both
> *.example.com and www.example.com as separate certificates, along with
> other circumstances.

The price paid by the subscriber to a traditional commercial CA has essentially nothing to do with the marginal cost of issuing more certificates. If it did Let's Encrypt would have bankrupted its sponsor companies months ago.

Nick.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy