One opinion I'd like to add to the discussion...

Insofar as that goes, at this point it looks like it's time for official
guidance from the root programs on whether, and under what circumstances,
TLS-SNI-01 and/or any other mechanism based on method #10 are allowable
moving forward...

I'd like to point out that Let's Encrypt recognized an issue, voluntarily
disclosed it, and took measures in the direction of securing the WebPKI
above and beyond any demands made of them.

Additionally, GlobalSign was obviously diligent in their responsibility to
monitor this mailing list and others and to actively discern whether any
ongoing discussion might pertain to their operations.  As evidenced by their
preemptive disclosure and shutdown of their method #10 validation
mechanism, they've shown strong adherence to the best practices espoused by
this community -- actively monitoring the broad discussions and concerns
and actively considering the impact of the issues surfaced in terms of
their own CA operations.

Ultimately, if it should arise that other CAs who rely on mechanisms
implementing or claiming to implement method #10 have similar risk and
vulnerabilities, those CAs should be called to task for not having timely
disclosed and remediated.  Further, perhaps those CAs should suffer the
burden of mandatory revalidation under a different mechanism, as the
vulnerability category has now been acknowledged in the community for some
time and the recent press has been significant.

In contrast, I think any remediation plan should reward Let's Encrypt and
GlobalSign for their diligence and compliance with best practice.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy