On 01/06/2018 22:39, Joanna Fox wrote:
> In light of the limited visibility of WHOIS, Wayne's suggestion of "... allow anyone to revoke by proving that they control the domain name using one of the BR 3.2.2.4 methods" is preferable as it is a bit more encompassing rather than restricting to the same validation process. This also supports the idea of transparency around revocation processes.

That would make it trivially easy for someone hijacking any other aspect of a domain to extend their attack to revocation of the real domain owner's certificate. This includes situations such as BGP attacks, DNS attacks, rogue hosting providers, all of which are common problems.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded