This is an extremely good point. I wonder:

1. If Mozilla should ask/require CAs to perform this check.
2. If Mozilla should ask/require CAs to invest in the capability to
make this check for future requests in the future (where we would
require responses within a certain time period.)


On 14 December 2017 at 22:16, Matthew Hardeman via dev-security-policy
<> wrote:
> Has anyone started looking into CA issuances -- or even more importantly --
> CA domain validations performed successfully and yet without issuing a
> certificate (say, wanting to cache the validation) for the brief periods in
> which much of the internet saw alternative target destinations for a great
> deal of high value organization IP space?
>
> For those CAs with workflows which allow for expressly requesting a domain
> validation but not necessarily requiring that it be immediately utilized
> (say, for example LetsEncrypt or another CA running ACME protocol or similar)
> it might be of interest to review the validations performed successfully
> during those time windows.
>
> Additionally, it may be of value for various CAs to check their issuances
> upon domain validation for those periods.
>
> You can find the time periods and details about some of the IP space hijacked
> at