On Wed, Jan 10, 2018 at 10:35 AM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> > Hosting providers can simply refuse to accept uploads of any certificate > which contains names ending in "acme.invalid". > > AIUI, this is Let's Encrypt's recommended mitigation method. > > Gerv > > That seems remarkably deficient. No other validation mechanism which is accepted by the community relies upon specific preventative behavior by any number of random hosting companies on the internet. Why would that suffice? _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy