Hello, I know that this has been discussed several years ago, but I didn't see any definitive final conclusion. In regards to the recent incident https://medium.com/s2wblog/post-mortem-of-klayswap-incident-through-bgp-hijacking-en-3ed7e33de600 that involved the malicious actor reacquiring a valid TLS certificate, I think that it might be worth to restart the discussion.
I know that the recommended solution is RPKI, but should there be other solutions that would mitigate this issue when RPKI is not deployed? Some possible solutions: 1. Allow restricting validation methods in CAA records 2. Require CAs to have multiple vantage points 3. Not issue certificates shortly after suspicious BGP events -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/35809c0e-a429-4dd1-ad7b-5377a804ffddn%40mozilla.org.
