On Mon, 15 Jan 2018 18:18:10 +0000 Doug Beattie via dev-security-policy <[email protected]> wrote:
> - Total number of active OneClick customers: < 10

What constitutes a OneClick customer in this sense? The focus of concern for tls-sni-01 was service providers who present an HTTPS endpoint for many independent entities, most commonly a bulk web host or a CDN. These function as essentially a "Confused Deputy" in the discovered attack on tls-sni-01. For those providers there would undoubtedly be a temptation to pretend all is well (to keep things working) even if in fact they aren't able to defeat this attack or some trivial mutation of it, and that's coloured Let's Encrypt's response, because there's just no way to realistically police whitelisting of thousands or tens of thousands of such service providers.

From the volumes versus numbers of customers, it seems as though OneClick must be targeting the same type of service providers, is that right? The small number of such customers suggests that, unlike Let's Encrypt, it could be possible for GlobalSign to diligently affirm that each of the customers has technical countermeasures in place to protect their clients from each other.

In my opinion such an approach ought to be adequate to continue using OneClick in the short term, say for 12-18 months, with the understanding that this validation method will either be replaced by something less problematic or the OneClick service will go away in that time. But of course I do not speak for Google, Mozilla or any major trust store.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

