On Thu, Jul 26, 2018 at 2:23 PM, Tom Delmas via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> > > The party actually running the authoritative DNS servers is in control > of the domain. > > I'm not sure I agree. They can control the domain, but they are supposed > to be subordinate of the domain owner. If they did something without the > owner consent/approval, it really looks like a domain hijacking. But the agreement under which they're supposed to be subordinate to the domain owner is a private matter between the domain owner and the party managing the authoritative DNS. Even if this were domain hijacking, a certificate issued that relied upon a proper domain validation method is still proper issuance, technically. Once this comes to light, there may be grounds for the proper owner to get the certificate revoked, but the initial issuance was proper as long as the validation was properly performed. > > > > I'm not suggesting that the CA did anything untoward in issuing this > > certificate. I am not suggesting that at all. > > My opinion is that if the CA was aware that the owner didn't ask/consent > to that issuance, If it's not a misissuance according to the BRs, it should > be. Others can weigh in, but I'm fairly certain that it is not misissuance according to the BRs. Furthermore, with respect to issuance via domain validation, there's an intentional focus on demonstrated control rather than ownership, as ownership is a concept which can't really be securely validated in an automated fashion. As such, I suspect it's unlikely that the industry or browsers would accept such a change. > > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy