On 02/03/2019 08:45, Cynthia Revström wrote:
On 2019-03-02 01:49, George Macon via dev-security-policy wrote:
One specific question on this point: Why did the software permit setting
the approval scope to a public suffix (as defined by inclusion on the
public suffix list)? Could validation agent action set the approval
scope to some other two-label public suffix like co.uk?
I think this is highly unlikely seeing as this was a human error and
unlike in-addr.arpa, people might know about .co.uk.
But the PSL is very large (by human, not machine, standards) and most
humans will not be familiar with most/all of the entries on the list.
Note for instance that (most/all of?) AWS is represented in one way or
another, as are other hosting services that are much less well-known. It
seems worth checking the PSL automatically, and it's curious that such
checks were not present or did not prevent/discourage the agent from
acting as they did.
(Note that I'm not overly familiar with the BR and various other
guidelines, and under what circumstances issuance to entries in the PSL
is/isn't permitted, but intuitively it seems like a red flag once we're
talking about manual (rather than automatically verified) issuance.)
~ Gijs
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
